Rowland Penny
2023-Apr-25 15:22 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 25/04/2023 15:37, Gary Dale via samba wrote:
> On 2023-04-25 08:15, Rowland Penny via samba wrote:
>>
>> On 25/04/2023 12:52, Gary Dale via samba wrote:
>>> Yes. Your answer is out of date. That part is now working as per my
>>> reply to my own question at 23:56 last night. I note however that the
>>> wiki doesn't actually tell you to do that. It only suggests
>>> (optionally) creating the reverse zone. You need to read the
>>> Administering DNS Samba wiki to potentially figure out you have to do
>>> that.
>>
>> It is optional, well, because it is optional for AD, but AD does work
>> better if it is created.
>>
>> The Samba wiki was/is written from the point of view that it was using
>> a self compiled version of Samba, it was expected that the distros
>> would provide their own documentation. Some distros are better at this
>> than others.
> And anyone who dares use the distribution-created documentation gets
> blasted for doing so and told to use the Samba documentation instead.
> Besides, the distribution-created documentation gets outdated just as
> fast as the Samba documentation.

The Samba documentation isn't that far out of date, yes there are problems, but not that many. Samba has no control over the distros' documentation, some of which is good, what is really bad is the wealth of howtos out there on the internet, written by an 'expert'.

>>> e.g. in the DNS wiki under "Adding new records", the first example
>>> reads:
>>> samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 192.168.0.55
>>>
>>> It starts out well but then you hit "samdom..." which should be
>>> <your realm in lowercase>.
>>
>> There you see, you are wrong, AD lives and dies on dns, so your <your
>> realm in lowercase> should actually be <your dns domain>, the realm
>> would be <your dns domain in uppercase>.
> I suppose it is possible that <your dns domain> could be different from
> <your realm in lowercase> but can you suggest why anyone would do that?

What I was trying to point out was that you appear to be thinking in the wrong direction, the dns domain comes first and the realm devolves from that, hence <your dns domain> rather than <your realm in lowercase>. The dns domain should always be in lowercase and the realm always referred to in uppercase.

>>> For extra clarity, it could be followed by an example with all the
>>> values substituted:
>>> samba-tool dns add DC1 samdom.example.com demo A 192.168.0.55
>>> then showing the results of the command. And of course, it should use
>>> the -U Administrator option since that seems to be required these days.
>>
>> The '-U' option isn't actually set in stone, you could get a kerberos
>> ticket and use kerberos instead. Your point is valid though, it should
>> stick to one way of doing things.
> Yes. If you follow the example as written, you get an error message.

I have updated https://wiki.samba.org/index.php/DNS_Administration

Hopefully it is nearer to what is required now, but if you find any other errors or omissions, please let us know, we can only fix such things if we are told about them.

Rowland
Gary Dale
2023-Apr-25 21:59 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-25 11:22, Rowland Penny via samba wrote:
> On 25/04/2023 15:37, Gary Dale via samba wrote:
>> On 2023-04-25 08:15, Rowland Penny via samba wrote:
>>>
>>> On 25/04/2023 12:52, Gary Dale via samba wrote:
>>>> Yes. Your answer is out of date. That part is now working as per my
>>>> reply to my own question at 23:56 last night. I note however that
>>>> the wiki doesn't actually tell you to do that. It only suggests
>>>> (optionally) creating the reverse zone. You need to read the
>>>> Administering DNS Samba wiki to potentially figure out you have to
>>>> do that.
>>>
>>> It is optional, well, because it is optional for AD, but AD does
>>> work better if it is created.
>>>
>>> The Samba wiki was/is written from the point of view that it was
>>> using a self compiled version of Samba, it was expected that the
>>> distros would provide their own documentation. Some distros are
>>> better at this than others.
>> And anyone who dares use the distribution-created documentation gets
>> blasted for doing so and told to use the Samba documentation instead.
>> Besides, the distribution-created documentation gets outdated just as
>> fast as the Samba documentation.
>
> The Samba documentation isn't that far out of date, yes there are
> problems, but not that many. Samba has no control over the distros'
> documentation, some of which is good, what is really bad is the wealth
> of howtos out there on the internet, written by an 'expert'.
>
>>>> e.g. in the DNS wiki under "Adding new records", the first example
>>>> reads:
>>>> samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 192.168.0.55
>>>>
>>>> It starts out well but then you hit "samdom..." which should be
>>>> <your realm in lowercase>.
>>>
>>> There you see, you are wrong, AD lives and dies on dns, so your
>>> <your realm in lowercase> should actually be <your dns domain>, the
>>> realm would be <your dns domain in uppercase>.
>> I suppose it is possible that <your dns domain> could be different
>> from <your realm in lowercase> but can you suggest why anyone would
>> do that?
>
> What I was trying to point out was that you appear to be thinking in
> the wrong direction, the dns domain comes first and the realm devolves
> from that, hence <your dns domain> rather than <your realm in
> lowercase>. The dns domain should always be in lowercase and the realm
> always referred to in uppercase.
>
>>>> For extra clarity, it could be followed by an example with all the
>>>> values substituted:
>>>> samba-tool dns add DC1 samdom.example.com demo A 192.168.0.55
>>>> then showing the results of the command. And of course, it should
>>>> use the -U Administrator option since that seems to be required
>>>> these days.
>>>
>>> The '-U' option isn't actually set in stone, you could get a
>>> kerberos ticket and use kerberos instead. Your point is valid
>>> though, it should stick to one way of doing things.
>> Yes. If you follow the example as written, you get an error message.
>
> I have updated https://wiki.samba.org/index.php/DNS_Administration
>
> Hopefully it is nearer to what is required now, but if you find any
> other errors or omissions, please let us know, we can only fix such
> things if we are told about them.
>
> Rowland

I actually think you went in the wrong direction there. By removing the <some meaningful information> and putting in just the actual values, it's harder to distinguish what is magic and what is user-provided. For example, in adding an A record, demo is the name of the new host being added while A is the record type being created and 192.168.0.55 is the IPv4 address of the demo host.

I think it would be clearer to write the example as:

$ samba-tool dns add <dns server> <dns domain> <name to add> A <IPV4 address to add> -U administrator

The example now shows people unnecessarily writing the FQDN of the DNS server when only the name is really needed.
The omission would be a test that shows why my setup isn't working.