Dario Lesca
2022-Mar-12 14:19 UTC
[Samba] samba_dlz: add another A record for domain (@ record)
On my network the A record for @ (domain.loc) points to another server (192.168.1.20), different from my Samba DC (192.168.1.100), the name server of my LAN.

Then on the DC I have added the A record for www and also the A record for domain.loc (@) pointing to the web server, with these commands:

sudo samba-tool dns add s-addc.domain.loc domain.loc www A '192.168.1.20'
sudo samba-tool dns add s-addc.domain.loc domain.loc @ A '192.168.1.20'

Then I removed the original and wrong A record for @ with:

sudo samba-tool dns delete s-addc.domain.loc domain.loc @ A 192.168.1.100

But after a few minutes the A record for @ with the AD DC IP is re-added.

mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: starting transaction on zone domain.loc
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: allowing update of signer=S-ADDC\$\@DOMAIN.LOC name=domain.loc tcpaddr=192.168.1.100 type=A key=1136067071.sig-s-addc.domain.loc/160/0
mar 12 09:57:38 s-addc.domain.loc named[3365517]: client @0x7f7470ffc6d0 192.168.1.100#49343/key S-ADDC\$\@DOMAIN.LOC: updating zone 'domain.loc/NONE': adding an RR at 'domain.loc' A 192.168.1.100
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: added rdataset domain.loc 'domain.loc. 900 IN A 192.168.1.100'
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: subtracted rdataset domain.loc 'domain.loc. 3600 IN SOA s-addc.domain.loc. hostmaster.domain.loc. 25091 900 600 86400 3600'
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: added rdataset domain.loc 'domain.loc. 3600 IN SOA s-addc.domain.loc. hostmaster.domain.loc. 25092 900 600 86400 3600'
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: committed transaction on zone domain.loc
mar 12 09:57:38 s-addc.domain.loc named[3365517]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure

Why did this happen? Is it possible to avoid this automatism?

Or must I delete this record via crond every few minutes?
Many thanks

--
Dario Lesca (sent from my Linux Fedora 35 Workstation)
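As an added example that is not part of the original thread: a small Python parser over the named/samba_dlz lines quoted above, which flags signed dynamic updates that (re)add an A record at the zone apex with an address other than the intended one, so an administrator can see which key (here the DC's own machine account) keeps overwriting it. The sample log is constructed from the lines in the post; the extra 10:02 www line and the expected apex address 192.168.1.20 are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant named/samba_dlz lines from the post, plus one
# assumed www update to show that only the zone apex (@) is flagged.
SAMPLE_LOG = """\
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: starting transaction on zone domain.loc
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: allowing update of signer=S-ADDC\\$\\@DOMAIN.LOC name=domain.loc tcpaddr=192.168.1.100 type=A key=1136067071.sig-s-addc.domain.loc/160/0
mar 12 09:57:38 s-addc.domain.loc named[3365517]: client @0x7f7470ffc6d0 192.168.1.100#49343/key S-ADDC\\$\\@DOMAIN.LOC: updating zone 'domain.loc/NONE': adding an RR at 'domain.loc' A 192.168.1.100
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: added rdataset domain.loc 'domain.loc. 900 IN A 192.168.1.100'
mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: committed transaction on zone domain.loc
mar 12 10:02:11 s-addc.domain.loc named[3365517]: client @0x7f7470ffc6d0 192.168.1.100#49350/key S-ADDC\\$\\@DOMAIN.LOC: updating zone 'domain.loc/NONE': adding an RR at 'www.domain.loc' A 192.168.1.20
"""

# BIND's "client ... updating zone ...: adding an RR at ..." line carries the
# source address, the TSIG/GSS-TSIG signer key, the zone, the owner name and rdata.
UPDATE_RE = re.compile(
    r"client \S+ (?P<src>[\d.]+)#\d+/key (?P<signer>\S+): "
    r"updating zone '(?P<zone>[^/']+)/[^']*': "
    r"adding an RR at '(?P<name>[^']+)' (?P<rtype>\S+) (?P<rdata>\S+)"
)


def parse_dynamic_updates(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per signed dynamic update that adds a resource record."""
    return [m.groupdict() for m in map(UPDATE_RE.search, log_text.splitlines()) if m]


def apex_a_overrides(log_text: str, zone: str, expected_ip: str) -> List[Dict[str, str]]:
    """Updates that set the zone apex (@) A record to something other than
    expected_ip, e.g. a DC re-registering its own address over the intended one."""
    return [
        u for u in parse_dynamic_updates(log_text)
        if u["zone"] == zone and u["name"] == zone
        and u["rtype"] == "A" and u["rdata"] != expected_ip
    ]


if __name__ == "__main__":
    for hit in apex_a_overrides(SAMPLE_LOG, "domain.loc", "192.168.1.20"):
        print(f"apex A of {hit['zone']} set to {hit['rdata']} "
              f"by key {hit['signer']} from {hit['src']}")
```

Run against a real journal export (for example, the output of journalctl -u named) it lists every key that rewrote the apex record, which is the information needed to decide whether the update is the DC's own registration or something else.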
Rowland Penny
2022-Mar-12 14:48 UTC
[Samba] samba_dlz: add another A record for domain (@ record)
On Sat, 2022-03-12 at 15:19 +0100, Dario Lesca via samba wrote:
> On my network the A record for @ (domain.loc) points to another server
> (192.168.1.20), different from my Samba DC (192.168.1.100), the name
> server of my LAN.
>
> Then on the DC I have added the A record for www and also the A record for
> domain.loc (@) pointing to the web server, with these commands:
>
> sudo samba-tool dns add s-addc.domain.loc domain.loc www A '192.168.1.20'
> sudo samba-tool dns add s-addc.domain.loc domain.loc @ A '192.168.1.20'
>
> Then I removed the original and wrong A record for @ with:
>
> sudo samba-tool dns delete s-addc.domain.loc domain.loc @ A 192.168.1.100
>
> But after a few minutes the A record for @ with the AD DC IP is re-added.
>
> mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: starting transaction on zone domain.loc
> mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: allowing update of signer=S-ADDC\$\@DOMAIN.LOC name=domain.loc tcpaddr=192.168.1.100 type=A key=1136067071.sig-s-addc.domain.loc/160/0
> mar 12 09:57:38 s-addc.domain.loc named[3365517]: client @0x7f7470ffc6d0 192.168.1.100#49343/key S-ADDC\$\@DOMAIN.LOC: updating zone 'domain.loc/NONE': adding an RR at 'domain.loc' A 192.168.1.100
> mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: added rdataset domain.loc 'domain.loc. 900 IN A 192.168.1.100'
> mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: subtracted rdataset domain.loc 'domain.loc. 3600 IN SOA s-addc.domain.loc. hostmaster.domain.loc. 25091 900 600 86400 3600'
> mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: added rdataset domain.loc 'domain.loc. 3600 IN SOA s-addc.domain.loc. hostmaster.domain.loc. 25092 900 600 86400 3600'
> mar 12 09:57:38 s-addc.domain.loc named[3365517]: samba_dlz: committed transaction on zone domain.loc
> mar 12 09:57:38 s-addc.domain.loc named[3365517]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure
>
> Why did this happen?
> Is it possible to avoid this automatism?
>
> Or must I delete this record via crond every few minutes?

Is there some reason that you are not using a subdomain for your Samba AD domain?

Your Samba AD DCs should be masters for the AD DNS domain, so you should be pointing your AD clients at your main DNS server, and this should forward anything to do with the AD DNS domain to the DCs.

There is also another potential problem: are your DCs running on Fedora 35 with the OS Samba packages? If so, are you aware that the Fedora packages use MIT and are classed as experimental?

Rowland