L.P.H. van Belle
2021-Nov-05 09:21 UTC
[Samba] Using samba-tool to join a linux file server to the domain doesn't appear to work
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Patrick Goetz via samba
> Sent: Thursday 4 November 2021 17:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Using samba-tool to join a linux file
> server to the domain doesn't appear to work
>
>
>
> On 11/4/21 11:09, Rowland Penny via samba wrote:
> > On Thu, 2021-11-04 at 11:00 -0500, Patrick Goetz via samba wrote:
> >>
> >> On 11/4/21 10:49, cn--- via samba wrote:
> >>> On 04.11.21 at 16:43, Patrick Goetz via samba wrote:
> >>>> While you're looking at this, would it be possible to add code to
> >>>> add a PTR record as well as the A record? This would match the
> >>>> behavior for Windows AD controllers.
> >>>
> >>> The default on Windows does not create the PTR. Usually you have to
> >>> set up a GPO that the clients update their PTR.
> >>>
> >>
> >> I have no idea, but I checked with one of my colleagues who is a
> >> Windows guru/domain admin, and he insisted that both an A and PTR
> >> record are created for the domain member when you join the (Windows
> >> server) domain.
> >
> > He has probably inherited a domain that has a GPO set to do this (or
> > something similar), Windows does not, out of the box, create reverse
> > records.
> >
>
> Several people have mentioned that this can be done via GPO,
> but I can't fathom what kind of GPO this would be. Where would it be applied?
> Is there a special GPO template for things like this?

As said, make sure your servers have an A and PTR record.
PCs, only an A record is sufficient, but if you need it, you can add the PTR by GPO.

>
> >>
> >> The caveat to this is the AD domain at my university is an
> >> unbelievable mess that they've tinkered with for over a decade.
> >
> > You just described all places of learning, they all appear to be a
> > mess, probably because all teachers think they know everything and
> > usually know nothing.
> >
> >> Imagine a book
> >> written by 100 monkeys, each with their own typewriter with pages
> >> assembled by an inebriated octopus, and you won't be too far off.
> >
> > Sounds about right.
> >
> >>
> >>> I would also like this to happen automatically but by default the
> >>> reverse zone is not created in a Samba AD. I don't know about
> >>> Windows there but I doubt it's done there.
> >
> > Windows will work without a reverse zone, so it isn't created by
> > default, but as they have found out, everything else that
> > Windows works with will not.

Small correction here, Windows "does" attempt to register PTR records (by default).

And yes, Windows will work without a reverse zone, but from a Windows point of view,
a reverse zone is often created after/when DHCP is set up.

The main reason it's not created by default: no computer can determine the subnet.
I can have my PCs in (*example) 192.168.1.0/16 while the servers use 192.168.0.0/24

But by default, DNS clients configured to perform dynamic DNS
registration will attempt to register the PTR resource record
only if they successfully registered the corresponding A resource record.

It's in the default Windows template.
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DNSClient::DNS_RegisterReverseLookup

Simple way to verify if Windows got all info correct.
Run: CMD
Type: ipconfig, look at these values; these must match the primary DNS domain of the AD-DC.

Primary Dns Suffix . . . . . . . : your.primarydns.domain.tld <<< it's all about this one.
DNS Suffix Search List. . . . . . : your.primarydns.domain.tld *
Connection-specific DNS Suffix . : your.primarydns.domain.tld *

That makes sure the A record gets in the right zone.

(* these can be different, but I suggest starting here, complex enough already.)

Greetz,

Louis
Patrick Goetz
2021-Nov-05 11:58 UTC
[Samba] Using samba-tool to join a linux file server to the domain doesn't appear to work
On 11/5/21 04:21, L.P.H. van Belle via samba wrote:
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Patrick Goetz via samba
>> Sent: Thursday 4 November 2021 17:55
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Using samba-tool to join a linux file
>> server to the domain doesn't appear to work
>>
>>
>>
>> On 11/4/21 11:09, Rowland Penny via samba wrote:
>>> On Thu, 2021-11-04 at 11:00 -0500, Patrick Goetz via samba wrote:
>>>>
>>>> On 11/4/21 10:49, cn--- via samba wrote:
>>>>> On 04.11.21 at 16:43, Patrick Goetz via samba wrote:
>>>>>> While you're looking at this, would it be possible to add code to
>>>>>> add a PTR record as well as the A record? This would match the
>>>>>> behavior for Windows AD controllers.
>>>>>
>>>>> The default on Windows does not create the PTR. Usually you have to
>>>>> set up a GPO that the clients update their PTR.
>>>>>
>>>>
>>>> I have no idea, but I checked with one of my colleagues who is a
>>>> Windows guru/domain admin, and he insisted that both an A and PTR
>>>> record are created for the domain member when you join the (Windows
>>>> server) domain.
>>>
>>> He has probably inherited a domain that has a GPO set to do this (or
>>> something similar), Windows does not, out of the box, create reverse
>>> records.
>>>
>>
>> Several people have mentioned that this can be done via GPO,
>> but I can't fathom what kind of GPO this would be. Where would it be applied?
>> Is there a special GPO template for things like this?
>
>
> As said, make sure your servers have an A and PTR record.
> PCs, only an A record is sufficient, but if you need it, you can add the PTR by GPO.
>
>
>>
>>
>>>>
>>>> The caveat to this is the AD domain at my university is an
>>>> unbelievable mess that they've tinkered with for over a decade.
>>>
>>> You just described all places of learning, they all appear to be a
>>> mess, probably because all teachers think they know everything and
>>> usually know nothing.
>>>
>>>> Imagine a book
>>>> written by 100 monkeys, each with their own typewriter with pages
>>>> assembled by an inebriated octopus, and you won't be too far off.
>>>
>>> Sounds about right.
>>>
>>>>
>>>>> I would also like this to happen automatically but by default the
>>>>> reverse zone is not created in a Samba AD. I don't know about
>>>>> Windows there but I doubt it's done there.
>>>
>>> Windows will work without a reverse zone, so it isn't created by
>>> default, but as they have found out, everything else that
>>> Windows works with will not.
>
> Small correction here, Windows "does" attempt to register PTR records (by default).
>
> And yes, Windows will work without a reverse zone, but from a Windows point of view,
> a reverse zone is often created after/when DHCP is set up.
>
> The main reason it's not created by default: no computer can determine the subnet.
> I can have my PCs in (*example) 192.168.1.0/16 while the servers use 192.168.0.0/24

Louis, I'm not following this. I can see how DHCP assignments can be an issue in a
multi-subnet environment, but if I'm assigning a static IP address to the host:

    atomsmasher.ea.linuxcs.com. IN A 192.168.1.82

the PTR record is just the reverse of that:

    82.1.168.192.in-addr.arpa. IN PTR atomsmasher.ea.linuxcs.com

no subnets involved?

> But by default, DNS clients configured to perform dynamic DNS
> registration will attempt to register the PTR resource record
> only if they successfully registered the corresponding A resource record.
>
> It's in the default Windows template.
> https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DNSClient::DNS_RegisterReverseLookup
>
> Simple way to verify if Windows got all info correct.
> Run: CMD
> Type: ipconfig, look at these values; these must match the primary DNS domain of the AD-DC.
>
> Primary Dns Suffix . . . . . . . : your.primarydns.domain.tld <<< it's all about this one.
> DNS Suffix Search List. . . . . . : your.primarydns.domain.tld *
> Connection-specific DNS Suffix . : your.primarydns.domain.tld *
>
> That makes sure the A record gets in the right zone.
>
> (* these can be different, but I suggest starting here, complex enough already.)
>
>
>
> Greetz,
>
> Louis
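Taking the two posts together, here is an added Python example (not part of either message, and not Samba or Windows code) that works through both points: the PTR owner name is derived purely from the address, as Patrick says, while the reverse zone that has to exist to hold it depends on the prefix length, which is Louis's point about the subnet. The last function runs the check a file-server admin would want after a join, that every A record has a PTR pointing back at the same name. The atomsmasher host and its address come from Patrick's message; the second host, the stale PTR target and the zone lists are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from typing import Optional

# Constructed sample data. The first host/address pair is the one from
# Patrick's message; fileserver01 and the stale "oldname" PTR target are
# invented to show what a mismatch looks like.
A_RECORDS = {
    "atomsmasher.ea.linuxcs.com.": "192.168.1.82",
    "fileserver01.ea.linuxcs.com.": "192.168.1.83",
}
PTR_RECORDS = {
    "82.1.168.192.in-addr.arpa.": "atomsmasher.ea.linuxcs.com.",
    "83.1.168.192.in-addr.arpa.": "oldname.ea.linuxcs.com.",
}


def fqdn(name: str) -> str:
    """Normalise a DNS name to absolute form with a trailing dot."""
    return name if name.endswith(".") else name + "."


def ptr_owner_name(ip: str) -> str:
    """Owner name of the PTR record for an address.

    This depends only on the address: 192.168.1.82 is always
    82.1.168.192.in-addr.arpa. however the network is subnetted.
    """
    return fqdn(ipaddress.ip_address(ip).reverse_pointer)


def reverse_zone_name(network: str) -> str:
    """Name of the in-addr.arpa zone that holds the PTR records for a subnet.

    Unlike the owner name this depends on the prefix length: 192.168.1.0/24
    and 192.168.0.0/16 need different zones, and nothing in the A record
    tells a client which one the site created. Only octet-aligned IPv4
    prefixes map onto a single classic in-addr.arpa zone.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8 != 0:
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return fqdn(".".join(reversed(octets)) + ".in-addr.arpa")


def zone_for_ptr(owner: str, zones: list[str]) -> Optional[str]:
    """Most specific configured reverse zone that contains this owner name.

    None means no zone exists for the address, which is exactly when a
    client's dynamic PTR registration has nowhere to land.
    """
    owner = fqdn(owner)
    matches = [fqdn(z) for z in zones if owner.endswith("." + fqdn(z))]
    return max(matches, key=len) if matches else None


def check_forward_reverse(a_records: dict[str, str], ptr_records: dict[str, str]) -> list[str]:
    """Report hosts whose PTR is missing or does not point back at the A record name."""
    problems = []
    for host, ip in a_records.items():
        owner = ptr_owner_name(ip)
        target = ptr_records.get(owner)
        if target is None:
            problems.append(f"{host} ({ip}): no PTR record {owner}")
        elif fqdn(target) != fqdn(host):
            problems.append(f"{host} ({ip}): PTR {owner} points at {target}")
    return problems


if __name__ == "__main__":
    print(ptr_owner_name("192.168.1.82"))
    for subnet in ("192.168.1.0/24", "192.168.1.0/16"):
        print(subnet, "->", reverse_zone_name(subnet))
    # With no reverse zone configured there is no place for the PTR to go.
    print(zone_for_ptr(ptr_owner_name("192.168.1.82"), []))
    for problem in check_forward_reverse(A_RECORDS, PTR_RECORDS):
        print("PROBLEM:", problem)
```

Run it as a script to see the owner name, the two candidate zone names for Louis's /24 and /16 example, and the one mismatch in the constructed records; pointing check_forward_reverse at a real export of your forward and reverse zones gives the same report for a live domain.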