> Every Samba DC should use itself for its nameserver.
We configured it like this
bind9 on a DC:
/etc/bind/named.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.samba";
cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
172.27.2.12; 172.27.2.11; <--- Primary DNS (used by clients)
};
recursion yes;
allow-query { any; };
allow-recursion { any; };
allow-query-cache { any; };
allow-transfer { any; };
#keep-response-order { any; };
//======================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//======================================================================
//dnssec-validation auto;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
minimal-responses yes;
};
cat /etc/bind/named.conf.samba
dlz "AD DNS Zone" {
# For BIND 9.16
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";
};
cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
============================================
bind9 on DNS server:
named.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.conditional_forwarders";
include "/etc/bind/named.conf.slaves";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.local.forwarders";
cat named.conf.options
options {
directory "/var/cache/bind";
forward only;
forwarders {
103.247.36.36;
103.247.37.37;
};
recursion yes;
dnssec-validation no;
empty-zones-enable yes;
disable-empty-zone "16.172.in-addr.arpa";
disable-empty-zone "17.172.in-addr.arpa";
disable-empty-zone "18.172.in-addr.arpa";
disable-empty-zone "19.172.in-addr.arpa";
disable-empty-zone "20.172.in-addr.arpa";
disable-empty-zone "21.172.in-addr.arpa";
disable-empty-zone "22.172.in-addr.arpa";
disable-empty-zone "23.172.in-addr.arpa";
disable-empty-zone "24.172.in-addr.arpa";
disable-empty-zone "25.172.in-addr.arpa";
disable-empty-zone "26.172.in-addr.arpa";
disable-empty-zone "27.172.in-addr.arpa";
disable-empty-zone "28.172.in-addr.arpa";
disable-empty-zone "29.172.in-addr.arpa";
disable-empty-zone "30.172.in-addr.arpa";
disable-empty-zone "31.172.in-addr.arpa";
disable-empty-zone "10.in-addr.arpa";
disable-empty-zone "168.192.in-addr.arpa";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on port 53 { any; };
allow-query { any; };
allow-recursion { any; };
allow-query-cache { any; };
querylog yes;
//enable response policy zone.
response-policy {
zone "rpz.local";
};
};
cat named.conf.conditional_forwarders
zone "interno.gov.it" IN {
type forward;
forwarders {217.199.1.1; 217.199.0.250; };
};
zone "interno.gov.it.edgekey.net" IN {
type forward;
forwarders {217.199.1.1; 217.199.0.250; };
};
cat named.conf.slaves
include "/etc/bind/named.conf.slaves.d/klingons.example.net.zone";
include "/etc/bind/named.conf.slaves.d/example.net.zone";
include "/etc/bind/named.conf.slaves.d/_msdcs.example.net.zone";
include "/etc/bind/named.conf.slaves.d/subdomain2.example.net.zone";
include "/etc/bind/named.conf.slaves.d/subdomain1.example.net.zone";
.... etc.
cat /etc/bind/named.conf.slaves.d/example.net.zone
zone "example.net" IN {
type slave;
file "example.net.zone";
masters { IP-OF-DC; };
};
cat /etc/bind/named.conf.slaves.d/klingons.example.net.zone
zone "klingons.example.net" IN {
type slave;
file "klingons.example.net.zone";
masters { IP-OF-DC; };
};
On Wednesday, 20.11.2024 at 16:13 +0000, Rowland Penny via samba wrote:
> On Wed, 20 Nov 2024 15:45:29 +0000
> Heinz Hölzl <heinz.hoelzl at gvcc.net> wrote:
>
> See inline comments:
>
> > hi,
> > i deleted the accounts with pdbdel.
> >
> > I did a few spot checks, none of the pc accounts had the attribute
> > dNSHostName there are no dns-rcords concerning the account
>
> The computer accounts should have the dNSHostName attribute set.
> This seems to explain why it hangs though, the code is this:
>
>         if "dNSHostName" in res[0]:
>             computer_dns_host_name = str(res[0]["dNSHostName"][0])
>         else:
>             computer_dns_host_name = None
>
> Which means that 'computer_dns_host_name' is being set to 'None'
>
> Then, a bit lower down, in the 'try' there is this:
>
>     try:
>         samdb.delete(computer_dn)
>         if computer_dns_host_name:
>             remove_dns_references(
>
> This means that the 'if' is always run and the subsequent code tries
> to remove the dns records for a computer called 'None', that is the
> way I read it.
>
> >
> > we use bind9 for dns.
> > all pc have a bind9 configured as dns server, which is a dns slave of
> > the bind9 on the samba server.
>
> I think we need to know more about your dns server setup, it could be
> the cause of your entire problems.
>
> This is how Samba AD DNS works:
> Every DC is authoritative for the DNS domain, it is known as multi
> master.
> Every Samba DC should use itself for its nameserver.
> Anything outside the AD DNS domain should be forwarded to an external
> nameserver.
> Clients should use the DCs as their nameservers, though this could be
> via a caching DNS server, never a slave.
>
> Please post your named.conf files (from the DCs and the clients)
>
> >
> > here the requested informations:
> >
> > all DC are on samba
> >
> > smb.conf
> >
> > [global]
> >         netbios name = DCX
> >         realm = EXAMPLE.NET
> >         server services = -dns
> >         workgroup = EXAMPLE
> >         server role = active directory domain controller
> >         ad dc functional level = 2016
> >         idmap_ldb:use rfc2307 = yes
> >         comment =
> >         template homedir = /home/%U
> >         template shell = /bin/bash
> >         ldap server require strong auth = No
> >         ntlm auth = Yes
> >
> >         log level = auth_json_audit:0 auth_audit:3
> >         logging = syslog
> >         log file = /dev/null
> >
> >         password hash gpg key ids = "xxxxxxxxxxxxxxxxxxxxxxx"
> >         dns forwarder = xxxxxx
>
> As you are using bind9, the forwarder(s) should be set in bind9 conf
> file.
>
> >         dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool
> >         logon script = login.bat
> >         dns zone transfer clients allow = xxxxxxxxxxxxxxxxxxx
> >         prefork children = 4
> >         prefork children:ldap = 1
> >         server min protocol = SMB2_10
> >
> >
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/example.net/scripts
> >         read only = No
> >         guest ok = Yes
>
> As you do not have 'map to guest = bad user' set in global, you will
> not get any guest access.
>
> >         browseable = No
> >
> >
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> >
>
> Rowland
>
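An offline audit of the two named.conf sets posted above against the rules in Rowland's reply (no open zone transfer, recursion limited to the clients, no slave copies of the AD zones), added here as an example and not part of the thread or of Samba or BIND. It assumes the hypothetical function name audit_bind_conf, the constructed sample files, and the realm example.net.

```shell
#!/bin/sh
# Hypothetical helper (not a Samba/ISC tool): flags the risky BIND settings
# from the thread. named-checkconf -p remains the authority on syntax.

# Constructed sample 1: the relevant lines of the DC's named.conf.options.
DC_SAMPLE=$(mktemp)
cat > "$DC_SAMPLE" <<'EOF'
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };   // every host reaching port 53 may recurse
    allow-transfer { any; };    // anyone may AXFR the AD zones
    // allow-transfer { any; };  commented out: must not be counted twice
};
EOF

# Constructed sample 2: the non-DC resolver holding slave copies of AD zones.
DNS_SAMPLE=$(mktemp)
cat > "$DNS_SAMPLE" <<'EOF'
options { forward only; recursion yes; allow-recursion { any; }; };
zone "example.net" IN { type slave; file "example.net.zone"; masters { 10.0.0.1; }; };
zone "klingons.example.net" IN { type slave; masters { 10.0.0.1; }; };
zone "interno.gov.it" IN { type forward; forwarders { 217.199.1.1; }; };
EOF
trap 'rm -f "$DC_SAMPLE" "$DNS_SAMPLE"' EXIT

# audit_bind_conf FILE REALM: strips // and # comments, then prints one
# FINDING line per risky setting; zones are checked against REALM.
audit_bind_conf() {
    sed -e 's://.*$::' -e 's/#.*$//' "$1" |
    awk -v realm="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    function in_realm(z, r) {            # z == realm or z ends in ".realm"
        z = tolower(z)
        return z == r || (length(z) > length(r) && substr(z, length(z) - length(r)) == "." r)
    }
    /allow-transfer[ \t]*[{][ \t]*any/ {
        print "FINDING: allow-transfer { any; } lets any host pull the AD zones; limit it to the DCs" }
    /allow-recursion[ \t]*[{][ \t]*any/ {
        print "FINDING: allow-recursion { any; } makes this an open resolver; use an acl of client subnets" }
    /^[ \t]*zone[ \t]+"/ { z = $2; gsub(/"/, "", z) }   # remember current zone name
    /type[ \t]+(slave|secondary)[ \t]*;/ {
        if (in_realm(z, realm))
            print "FINDING: zone " z " is a slave of an AD zone; AD DNS is multi-master, point clients at the DCs" }'
}

audit_bind_conf "$DC_SAMPLE"  example.net
audit_bind_conf "$DNS_SAMPLE" example.net
```

Run it against a real DC with `audit_bind_conf /etc/bind/named.conf.options <realm>`; the forward-only zone for interno.gov.it is correctly left alone.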