samba - Mar 2022 - samba_dlz: add another A record for domain (@ record)

Il giorno sab, 12/03/2022 alle 14.48 +0000, Rowland Penny via samba ha
scritto:
> Is there some reason that you are not using a subdomain for your
> Samba
> AD domain ?
I didn't know I was must to use a subdomain for my Samba AD domain.
So, several years ago i set up a fancy local domain like "domain.loc".
Is this limitation?written?into some how to that I am lost?

So, after several years that the AD worked without problems, last week
I had to set up an new intranet web server and on AD I have add the
corresponding A record for "domain.loc" pointed to this server IP.
> Your Samba AD DC's should be masters for the AD dns domain,
My Samba AD DC is master for the AD dns domain, record NS point to it,
I want change only the record A of @, not SOA or NS or MX
> so you should be pointing your AD clients at your main dns server
My all clients are already pointed to my main dns server, the AD
> and this should forward anything to do with the AD dns domain to the
> DC's.
My DNS server is AD, then it does not need forward anything to other
server.

Question:

a) It's possible point the A record of @, like I do on a Windows DC
server, to another server different dal DC, without after few minutes
the DC change it to itself?

b) why DC has to change this record?
?
> There is also another potential problem, are your DC's running on
> Fedora 35 with the OS Samba packages ? If so, are you aware that the
> Fedora packages use MIT and are classed as experimental.
This is another thing and it is relevant only if my problem occurs only
in this scenario.

Do you mean that the samba Debian version "not MIT" does NOT have this
A record substitution for @ and it's possible change it?
?
Many thanks for reply.

Dario

On Sun, 2022-03-13 at 13:51 +0100, Dario Lesca via samba
wrote:
> Il giorno sab, 12/03/2022 alle 14.48 +0000, Rowland Penny via samba
> ha
> scritto:
> > Is there some reason that you are not using a subdomain for your
> > Samba
> > AD domain ?
> 
> I didn't know I was must to use a subdomain for my Samba AD domain.
> So, several years ago i set up a fancy local domain like
> "domain.loc".
> Is this limitation written into some how to that I am lost?
Try reading this:
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ

It explains the situation.
> 
> So, after several years that the AD worked without problems, last
> week
> I had to set up an new intranet web server and on AD I have add the
> corresponding A record for "domain.loc" pointed to this server
IP.
Yes, but where was it pointing from ? Your AD DC's or your non AD dns
server that appears to be using the same dns domain as your AD.
> 
> > Your Samba AD DC's should be masters for the AD dns domain,
> 
> My Samba AD DC is master for the AD dns domain, record NS point to
> it,
> I want change only the record A of @, not SOA or NS or MX
The '@' is the SOA
> 
> > so you should be pointing your AD clients at your main dns server
> 
> My all clients are already pointed to my main dns server, the AD
> 
> > and this should forward anything to do with the AD dns domain to
> > the
> > DC's.
> My DNS server is AD, then it does not need forward anything to other
> server.
>From my understanding of what you posted, you have at least one Samba
AD DC (which should be the dns server for the AD ) and another dns
server that is also using the same domain. If this is the case, you 
shouldn't be doing this.
 
> 
> Question:
> 
> a) It's possible point the A record of @, like I do on a Windows DC
> server, to another server different dal DC, without after few minutes
> the DC change it to itself?
No, mainly because of two things, a Samba DC is setup to create any
missing dns records and the '@' record should show each DC as being the
dns domain master (it is known as multi-master).
I suggest you turn off the non-AD dns server.
 
> 
> b) why DC has to change this record?
see above.
>  
> > There is also another potential problem, are your DC's running on
> > Fedora 35 with the OS Samba packages ? If so, are you aware that
> > the
> > Fedora packages use MIT and are classed as experimental.
> 
> This is another thing and it is relevant only if my problem occurs
> only
> in this scenario.
Are you using Fedora as an AD DC ? I know it has nothing to do with
this problem, but you shouldn't be using it in production, that is why
I mentioned it.
> 
> Do you mean that the samba Debian version "not MIT" does NOT have
> this
> A record substitution for @ and it's possible change it?
No, it is Samba acting correctly.

Rowland