On 19.12.2022 at 20:27, Rowland Penny via samba wrote:
> On 19/12/2022 18:50, Markus Mueller via samba wrote:
>>
>> I run a Samba AD domain (let's call it myAD.mydomain.net) with DLZ
>> DNS backend (Ubuntu 20.04, vanilla Samba install) which I migrated
>> from an NT-style domain. Not all machines in my network participate
>> in the AD (some Linux only machines and guests), which is why I have
>> a separate 'master' DHCPD/bind9 server (let's call it
>> master.mydomain.net) serving zone mydomain.net. The AD host
>> (nameserver.myAD.mydomain.net) serves zone myAD.mydomain.net.
>>
>> Ideally, I would like to have the Samba-DNS serving the requests from
>> myAD.mydomain.net and the DHCPD/bind9 machine serving mydomain.net
>> (which they do). But: the samba AD should forward all requests for
>> mydomain.net to the master nameserver (which it does not, even though
>> I set the dns forwarder to master.mydomain.net in smb.conf). It
>> should be possible (in my opinion) by creating a secondary DNS zone
>> on the Samba AD (nameserver.myAD.mydomain.net). But that doesn't seem
>> allowed. samba-tool allows me to create that zone, but I couldn't
>> figure out how to do the slave config (e.g. setting the master
>> server). The Microsoft DNS tool does not allow me to create a
>> secondary zone at all.
>>
>> Why do I try so complicated? My general nameserver failed recently
>> from a segmentation fault and my whole intranet went down (because my
>> dhcpd relies on client identification via DNS, mainly for historical
>> reasons). I would like to have a backup nameserver, but I prefer not
>> to install yet another instance.
>>
>> Cheers
>> Markus
>>
Dear Rowland,
thanks a lot for your reply. You really helped me to optimize my settings.
> If your AD DC is using Bind9, then you do not set the forwarder in
> smb.conf (that is for the internal dns server), you set it the Bind9
> conf files.
I had not thought about this yet. I always tried to leave the bind9
config alone and to use only samba-tool or the Windows DNS tool. I have now
set the forwarder in /etc/bind/named.conf.options to my master DNS,
but it didn't resolve any hosts of mydomain.net. I also had to change
/etc/resolv.conf to that address, and then it worked.
> You usually do it the other way around, you point your AD clients at
> the main dns server and this forwards everything for the AD domain
> (myAD.mydomain.net) to the dns server on the DC.
Sorry, I was imprecise. I actually did it that way. Nevertheless, I
would like the Samba AD DC to also serve the master domain in case of a
failure.
This is the zone config on my master DNS:
zone "mydomain.net" in {
        allow-transfer { any; };
        allow-update { AD-DC; };
        also-notify { AD-DC; };
        file "/var/lib/bind/mydomain.net";
        type master;
};
zone "myAD.mydomain.net" in {
        type forward;
        forwarders { AD-DC; };
        forward only;
};
Inspired by your suggestion to modify the config files directly, I did so
and it works! My AD-DC Bind is now serving mydomain.net :)
zone "mydomain.net" in {
        type slave;
        file "/var/lib/bind/mydomain.net";
        masters { myMasterDNS; };
};
The only glitch is that AppArmor appears to disallow access to the linked
zone file. But as far as I understand, that file is not needed, as it
will be loaded from the master.
Dec 20 10:57:53 AD-DC kernel: [3936415.836872] audit: type=1400 audit(1671530273.221:193): apparmor="DENIED" operation="link" profile="/usr/sbin/named" name="/var/lib/bind/db-A7K09h1n" pid=284798 comm="isc-worker0008" requested_mask="l" denied_mask="l" fsuid=114 ouid=114 target="/var/lib/bind/mydomain.net"
>
> Why not join your Linux machines to the domain ? they work well.
Some don't really need it (e.g. my webservers). But others certainly are
domain members.
> Rowland
Thanks again
Markus
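The following is an added example, not configuration from the thread above or from the Samba or BIND projects. It takes the two zone stanzas Markus posted (the master on master.mydomain.net and the secondary on the AD DC) and shows the hardened form a practitioner would want: the master's `allow-transfer { any; };` lets any host on the network pull the whole zone with AXFR, and the address-based `allow-update { AD-DC; };` can be satisfied by a spoofed source address, so both are replaced with a TSIG key shared between the two servers. It also includes the AppArmor local override for the denial in the log: named writes the transferred zone to a temporary file and then links it over the final name, and `denied_mask="l"` shows the named profile grants no link permission under /var/lib/bind. Without that file the secondary has no on-disk copy to serve after a restart while the master is unreachable, which is the failure case this setup is meant to cover. The IP addresses 192.0.2.1 (master) and 192.0.2.10 (AD DC), the key name `ad-dc-xfer` and the file paths are assumptions; the secret is a placeholder to be replaced with the output of `tsig-keygen`.

```conf
# Added example (not from the original thread). Addresses, key name and
# paths are assumptions; replace them with your own values.

# ---- master.mydomain.net: /etc/bind/named.conf.local -----------------

# Generate with:  tsig-keygen ad-dc-xfer
# and paste the identical stanza on both servers. The secret is a placeholder.
key "ad-dc-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

zone "mydomain.net" in {
    type master;
    file "/var/lib/bind/mydomain.net";
    # Was: allow-transfer { any; };  (anyone may AXFR the whole zone)
    allow-transfer { key "ad-dc-xfer"; };
    # Was: allow-update { AD-DC; };  (address-based, spoofable)
    allow-update { key "ad-dc-xfer"; };
    also-notify { 192.0.2.10; };          # assumed address of the AD DC
};

zone "myAD.mydomain.net" in {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};

# ---- AD DC (nameserver.myAD.mydomain.net): /etc/bind/named.conf.local --

key "ad-dc-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   # same secret as on the master
};

# Sign every request to the master (transfers, SOA refresh) with the key.
server 192.0.2.1 {                        # assumed address of master.mydomain.net
    keys { "ad-dc-xfer"; };
};

zone "mydomain.net" in {
    type slave;
    file "/var/lib/bind/mydomain.net";    # local copy; served after a restart if the master is down
    masters { 192.0.2.1; };
    allow-notify { 192.0.2.1; };          # only the master may trigger a refresh
    allow-transfer { none; };             # the secondary does not re-export the zone
};

# ---- AD DC: /etc/apparmor.d/local/usr.sbin.named ---------------------
# The stock profile allows read/write under /var/lib/bind but not link (l),
# which is what the DENIED operation="link" audit line reports. Reload with:
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.named
/var/lib/bind/** rwlk,
```

To confirm the result after `rndc reconfig` on both hosts: `rndc retransfer mydomain.net` on the DC forces a signed transfer, and `dig @192.0.2.10 mydomain.net SOA +norecurse` should return the same serial as `dig @192.0.2.1 mydomain.net SOA +norecurse`. `dig @192.0.2.1 mydomain.net AXFR` from a host that does not hold the key should now end in "Transfer failed." instead of dumping the zone, and the journal should no longer show the AppArmor denial when the zone file is rewritten.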