samba - Oct 2025 - AXFR transfer: SRV for DC missing

On Mon, 27 Oct 2025 21:08:39 +0100
Markus Gschwendt via samba <samba at lists.samba.org> wrote:
> Thanks for the fast answers, Rowland and Peter!
> 
> On Mon, 2025-10-27 at 18:02 +0000, Rowland Penny via samba wrote:
> > On Mon, 27 Oct 2025 17:56:38 +0100
> > "Ing. Markus Gschwendt via samba" <samba at
lists.samba.org> wrote:
> > 
> > > ...
> > > Everything is on the latest packages of debian bookworm (Samba,
> > > Bind,...) 
> > 
> > I would have used Trixie, bookworm isn't likely to get any further
> > Samba updates.
> 
> This is the intention. But if I'm informed right, there is no support
> for NT-style domains in the Samba version in Trixie or Bookworm
> Backports.
I do not know where you got that idea from, you can set up an NT4-style
domain even with the latest Samba version, I just wouldn't recommend
doing so.
> So we did the migration prior to the Debian upgrade.
> As we have the problem with AXFR transfers only at one of 2 sites I'd
> like to fix this before we do any further upgrades.
Why do you want to do this ? 
Samba AD DCs are authoritative for the DNS domain, all of them, it is
known as multi-master. There is no real need to transfer the records to
an external dns server.
 
> (A short try to upgrade to Trixie did not start samba - I had no time
> to investigate)
It should have started, provided you ran something like 'systemctl
start samba-ad-dc'.
> 
> ...
> > > dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
> > 
> > There must be a reason why you have sanitised that 192.168.0 IP,
> > but it
> > beats me, it isn't routable outside your network.
> 
> It's just the IP of the Samba AD DC server. Private IP subnet.
I realised that and there was no need to sanitise it, but light might
be dawning, are you using your registered dns domain for the AD domain
and not a subdomain e.g. something like ad.example.internal ?

> The domain name is changed to example.internal.
> 
> > ...
> > > * Inside samba ldb the record is present.
> > > * Bind seems it can deliver the SRV record.
> > > * But it is not delivered in a zone transfer via AXFR.
> > > 
> > > As you can see from the output, the axfr transfer itself does
work
> > > and
> > > the allow-settings are correct.
> > > 
> > > Why is the record in AXFR missing or how can I get it into AXFR?
> > > Can anybody help on this?
> > 
> > It is very easy to get DNS onto another server, add another DC, you
> > should have more than one DC anyway.
> 
> There is no issue with a secondary DC.
> 
> We need to get the whole zone information to another Bind9 server via
> AXFR.
Why ?
> This NS server receives the zone from the Samba AD DC but it is
> missing a few records.
Rowland

On Mon, 2025-10-27 at 20:24 +0000, Rowland Penny via samba
wrote:
> On Mon, 27 Oct 2025 21:08:39 +0100
> Markus Gschwendt via samba <samba at lists.samba.org> wrote:
> 
> > Thanks for the fast answers, Rowland and Peter!
It was Luis! Sorry, I did mix the names from the last posts.
> > 
> > On Mon, 2025-10-27 at 18:02 +0000, Rowland Penny via samba wrote:
> > > On Mon, 27 Oct 2025 17:56:38 +0100
> > > "Ing. Markus Gschwendt via samba" <samba at
lists.samba.org> wrote:
> > > 
> > > > ...
> > > > Everything is on the latest packages of debian bookworm
(Samba,
> > > > Bind,...) 
> > > 
> > > I would have used Trixie, bookworm isn't likely to get any
> > > further
> > > Samba updates.
> > 
> > This is the intention. But if I'm informed right, there is no
> > support
> > for NT-style domains in the Samba version in Trixie or Bookworm
> > Backports.
> 
> I do not know where you got that idea from, you can set up an NT4-
> style
> domain even with the latest Samba version, I just wouldn't recommend
> doing so.
It did read this some time ago and I don't remember the source - sorry.
But good to know it should still work in Trixie.
However, the upgrade was necessary because we could not join Win11 24H2
clients and we thought its time to migrate to AD anyways.
> 
> > So we did the migration prior to the Debian upgrade.
> > As we have the problem with AXFR transfers only at one of 2 sites
> > I'd
> > like to fix this before we do any further upgrades.
> 
> Why do you want to do this ? 
> Samba AD DCs are authoritative for the DNS domain, all of them, it is
> known as multi-master. There is no real need to transfer the records
> to
> an external dns server.
We really don't want the Samba server to be our central DNS system.
Separating services is the main reason. (Security, debugging, ...)
Maybe a discussion for another thread.
> ?
> > (A short try to upgrade to Trixie did not start samba - I had no
> > time
> > to investigate)
> 
> It should have started, provided you ran something like 'systemctl
> start samba-ad-dc'.
> 
I'll try again in some weeks when we are done with the rest of the
migration.
> > 
> > ...
> > > > dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
> > > 
> > > There must be a reason why you have sanitised that 192.168.0 IP,
> > > but it
> > > beats me, it isn't routable outside your network.
> > 
> > It's just the IP of the Samba AD DC server. Private IP subnet.
> 
> I realised that and there was no need to sanitise it, but light might
> be dawning, are you using your registered dns domain for the AD
> domain
> and not a subdomain e.g. something like ad.example.internal ?
It's like 'ad1.companyname.internal'
.internal as TLD as recommended by IANA [0]
> ...
> > 
> > We need to get the whole zone information to another Bind9 server
> > via
> > AXFR.
> 
> Why ?
I think that's one of the reasons the bind9_dlz module exists and even
there is a setting in smb.conf '[global]' to allow such transfers.
E.g.:
'dns zone transfer clients allow = 192.168.0.1'


Markus



[0]?https://www.icann.org/en/board-activities-and-meetings/materials/approved-resolutions-special-meeting-of-the-icann-board-29-07-2024-en#section2.a