DNS (bind_dlz) forwarding not working



Samba - General mailing list
Hello,

I provisioned a Samba AD DC with the bind_dlz option. So far so
good. I followed the Samba wiki.

I have a DNS server for our externally accessible services (website, moodle, etc) and
I'm using it as the forwarder for the AD DNS, but it is not working.

On a Win7 machine I configured the AD IP as the primary DNS and joined it to the domain.
When I try to access, for example, "wiki.samba.org" it opens normally, but
when I try to access our site "www.myinstitution.edu" it does not open.

I have reviewed the bind and samba settings several times and they do not
show any errors.

*Note: All services (www, dns, moodle, etc) and user computers have public
IP.*

*Here are my settings:*

*named.conf*

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
include "/etc/bind/named.conf.log";

*db.local*
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
addc    IN      A       xxx.xxx.xxx.6

_kerberos._udp.myinstitution.edu. IN SRV 0 100 88 addc
_ldap._tcp.myinstitution.edu. IN SRV 0 100 389 addc
_kpasswd._udp.myinstitution.edu. IN SRV 0 100 464 addc

*named.conf.options*

acl clientes {
        127.0.0.1;
        mylocalsubnets; # public IP subnets
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query {
                clientes;
        };

        forwarders {
                xxx.xxx.xxx.10; # Our DNS
        };
        forward only;

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.6; };
};
xxx.xxx.xxx.6 -> IP of the AD DC

*smb.conf*

# Global parameters
[global]
        netbios name = ADDC
        realm = MYINSTITUTION.EDU
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MYINSTITUTION
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/myinstitution.edu/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Am I forgetting something?

--
Elias Pereira
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: DNS (bind_dlz) forwarding not working

On Tue, 16 May 2017 15:12:38 -0300
Elias Pereira via samba <[hidden email]> wrote:


Not so much forgetting but not understanding ;-)

Your DNS for AD should be in AD, all of it. These are my named files:

named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
        forwarders { 8.8.8.8; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;

        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.2; 127.0.0.1; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

named.conf.local

include "/usr/local/samba/private/named.conf";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

/etc/resolv.conf

search samdom.example.com
nameserver 192.168.0.2
nameserver 192.168.0.7

My dns domain is samdom.example.com and the two DCs are 192.168.0.2 and
192.168.0.7

Rowland


Re: DNS (bind_dlz) forwarding not working

>
> Not so much forgetting but not understanding ;-)


- Internal DNS that responds to our services (site, moodle, etc) -
ns.myinstitution.edu (registered in registro.br)
- Samba DNS answering for samba stuff - addc.myinstitution.edu

Maybe it's better to use SAMBA_INTERNAL instead of BIND_DLZ?

--
Elias Pereira

Re: DNS (bind_dlz) forwarding not working

On Tue, 16 May 2017 17:04:26 -0300
Elias Pereira via samba <[hidden email]> wrote:

> >
> > Not so much forgetting but not understanding ;-)
>
>
> - Internal DNS that responds to our services (site, moodle, etc) -
> ns.myinstitution.edu (registered in registro.br)
> - Samba DNS answering for samba stuff - addc.myinstitution.edu
>
> Maybe it's better to use SAMBA_INTERNAL instead of BIND_DLZ?
>

Seeing as BIND_DLZ uses the same info in AD as SAMBA_INTERNAL does,
then no, using the internal dns server will not make any difference.

Whichever dns server you use, it must be authoritative for the AD
domain and, if required, it should be a subdomain of your registered
domain, see here:

https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Subdomain_of_a_Domain_You_Own

From the sound of it, you are trying to do it incorrectly; it
sounds like you are using the same dns domain name for your AD
domain as your existing dns domain, and this is not likely to work.

Rowland


Re: DNS (bind_dlz) forwarding not working

Rowland,

> Seeing as BIND_DLZ uses the same info in AD as SAMBA_INTERNAL does,
> then no, using the internal dns server will not make any difference.


Ok.

> Whichever dns server you use, it must be authoritative for the AD
> domain and if required it should be a subdomain of your registered
> domain, see here:
>
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Subdomain_of_a_Domain_You_Own
>
> From the sound of it, you are trying to do it incorrectly, it
> sounds like you are using the same dns domain name for your AD
> domain as your existing dns domain, this is not likely to work.


I am using subdomains for this, as I posted in the other message.

*Domain*: mydomain.edu
*DNS Server*: ns.mydomain.edu
*AD Server*: addc.mydomain.edu

Is it mandatory to set the AD IP as the primary DNS on the PCs? If not, can I
configure the IP of the DNS server and create a zone like the one below so
that the requests get forwarded?

*named.conf.local*
...
zone "addc.mydomain.edu" IN {
                type forward;
                forward only;
                forwarders { xxx.xxx.xxx.6; }; # IP of AD
        };
...

--
Elias Pereira

Re: DNS (bind_dlz) forwarding not working

On Tue, 16 May 2017 18:28:01 -0300
Elias Pereira via samba <[hidden email]> wrote:


>
> I am using subdomains for this, so much that I posted in the other
> message.
>
> *Domain*: mydomain.edu
> *DNS Server*: ns.mydomain.edu
> *AD Server*: addc.mydomain.edu

Sorry, must have missed that.

OK, your dns domain is 'mydomain.edu' and your AD dns domain is
'addc.mydomain.edu', so far so good, but is the AD REALM set to
'ADDC.MYDOMAIN.EDU' ?

>
> Is it mandatory to put the AD IP as primary dns in pcs?

Yes, your AD DC should be the authoritative dns server for the AD dns
domain.

>  If not, can I
> configure the IP of the DNS server and create a zone like this below
> to be forwarded the requests?

No, all your AD clients etc should use the DC for their nameserver,
anything it doesn't know about (anything outside the ad dns domain) it
should ask the forwarder for (I think you are trying to do this the
other way around)
 
>
> *named.conf.local*
> ...
> zone "addc.mydomain.edu" IN {
>                 type forward;
>                 forward only;
>                 forwarders { xxx.xxx.xxx.6; }; # IP of AD
>         };

There is another reason, the zone above should already exist on the AD
DC and should only exist on the AD DC.

There are those that say you can do something similar to what you are
trying to do, but this is not supported by Samba.

Rowland


Re: DNS (bind_dlz) forwarding not working

>
> Sorry, must have missed that.


No problem! :D

> OK, your dns domain is 'mydomain.edu' and your AD dns domain is
> 'addc.mydomain.edu', so far so good, but is the AD REALM set to
> 'ADDC.MYDOMAIN.EDU' ?

Yes, my AD REALM is ADDC.MYDOMAIN.EDU

> Yes, your AD DC should be the authoritative dns server for the AD dns
> domain.


ok.

> No, all your AD clients etc should use the DC for their nameserver,
> anything it doesn't know about (anything outside the ad dns domain) it
> should ask the forwarder for (I think you are trying to do this the
> other way around)


ok.

Now I have migrated to SAMBA_INTERNAL and set in smb.conf:

server services = ... dns
dns forwarder = xxx.xxx.xxx.10 # DNS server
allow dns updates = nonsecure and secure

I cannot see where I'm going wrong. Our DNS server is authoritative for
our internal services, but on the machine I am testing, none of the
services open. Any other site I can access. This machine is in the domain,
with the AD IP as the primary DNS.

--
Elias Pereira

Re: DNS (bind_dlz) forwarding not working

On Tue, 16 May 2017 19:27:33 -0300
Elias Pereira via samba <[hidden email]> wrote:


All I can say is that it should work and swapping the dns server
shouldn't make any difference.

As long as all your AD clients are in the AD dns and nowhere else, it
should work.

You can remove the 'server services' line you have added, not having
one is the same as having one with all the servers listed.

Is anything else listening on port 53 ?

Rowland


Re: DNS (bind_dlz) forwarding not working

>
> Is anything else listening on port 53 ?


I don't think so.

# netstat -npl |grep 53
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      27882/samba
tcp6       0      0 :::53                   :::*                    LISTEN      27882/samba
udp        0      0 0.0.0.0:53              0.0.0.0:*                           27882/samba
udp6       0      0 :::53                   :::*                                27882/samba

If I use a public DNS, for example "dns forwarder = 8.8.8.8", it must
necessarily work, right?


--
Elias Pereira

Re: DNS (bind_dlz) forwarding not working

On Wed, 17 May 2017 11:59:21 -0300
Elias Pereira via samba <[hidden email]> wrote:

It should work if you forward anything outside the AD domain to your
other dns server, as long as your other dns server doesn't contain
any of your AD records and is set up to forward anything unknown to
another dns server, i.e. 8.8.8.8. So, using Google's dns server instead
of your other dns server should work.

Rowland


Re: DNS (bind_dlz) forwarding not working

Rowland,

Can I use the AD BIND as a slave for some zones of our BIND master server?

--
Elias Pereira

Re: DNS (bind_dlz) forwarding not working

On Wed, 17 May 2017 15:54:20 -0300
Elias Pereira via samba <[hidden email]> wrote:

> Rowland,
>
> Can I use AD bind as slave for some zones of our bind master server?
>

Not sure I 100% understand what you are trying to say ;-)

I will try to explain how Samba, when running as an AD DC, supports DNS.

If you have a registered dns domain (we will use 'example.com'), you
should set the AD domain to a subdomain of this, for instance:
ad.example.com. You should then ensure that any computers that will be
joined to the AD domain use this subdomain.

When an AD domain member needs to find another computer (whether this
is another domain computer or not), it should ask one of the domain
DCs. If the DC does not know who the computer is, it should ask its
forwarder.

If a domain client (client1) needs to connect to another domain client
(client2), the DC should be able to return the data for
client2.ad.example.com

If a domain client needs to connect to Google, the DC will not know who
this is and so, should ask its forwarder and then return this data
to the domain client.

So, to put it in a nutshell, an AD DC running a dns server must be
authoritative for the AD dns domain, it cannot be a slave of another
dns server, but the dns server can hold zones that are not part of
the AD domain, you would just have to find a way of updating the
non-domain zone records.

Rowland
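The resolution rule Rowland lays out above (a DC answers from the zones it holds and asks its forwarder for everything else, and an NS record inside a held zone hands that subtree to another server), together with the delegation Elias ends up creating with DNS Manager later in the thread, modelled as an added example. This is not code from the thread, from Samba or from BIND; every server name, address and record in it is constructed for illustration, and the name delegated in the third layout ("www") is an assumption, since the page does not say which subdomain was delegated.

```python
"""Model of the rule Rowland describes: a DC's DNS server answers from the
zones it is authoritative for and hands everything else to its forwarder,
and an NS record inside a held zone delegates that subtree elsewhere.

Added example, not code from the thread or from Samba/BIND; every name,
address and record below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

NXDOMAIN = "NXDOMAIN"


def _labels(name):
    return name.rstrip(".").lower().split(".")


def _in_zone(name, zone):
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


@dataclass
class Server:
    """zones: apex -> {owner name -> {rrtype: value}};
    delegates: NS target name -> the Server that answers for that target."""
    name: str
    zones: dict = field(default_factory=dict)
    forwarder: Optional["Server"] = None
    delegates: dict = field(default_factory=dict)

    def resolve(self, qname, rrtype="A", trail=None):
        """Return (answer or NXDOMAIN, servers consulted in order)."""
        trail = [] if trail is None else trail
        trail.append(self.name)
        qname = qname.rstrip(".").lower()
        held = [z for z in self.zones if _in_zone(qname, z)]
        if not held:
            # Not our data at all: the forwarder is the only option.
            if self.forwarder is None:
                return NXDOMAIN, trail
            return self.forwarder.resolve(qname, rrtype, trail)
        zone = max(held, key=lambda z: len(_labels(z)))
        records = self.zones[zone]
        q, z = _labels(qname), _labels(zone)
        # Walk from just below the apex down to qname; an NS record on the
        # way is a delegation, so the delegated server answers instead.
        for depth in range(len(z) + 1, len(q) + 1):
            cut = ".".join(q[len(q) - depth:])
            target = records.get(cut, {}).get("NS")
            if target is not None:
                return self.delegates[target].resolve(qname, rrtype, trail)
        # Authoritative answer or authoritative NXDOMAIN (NODATA is not
        # distinguished). The forwarder is never asked for a held name.
        return records.get(qname, {}).get(rrtype, NXDOMAIN), trail


def existing_dns():
    """Constructed: ns.mydomain.edu, authoritative for mydomain.edu and
    forwarding everything else to a public resolver."""
    public = Server("public-resolver",
                    zones={"samba.org": {"wiki.samba.org": {"A": "203.0.113.7"}}})
    return Server("ns.mydomain.edu", forwarder=public,
                  zones={"mydomain.edu": {
                      "www.mydomain.edu": {"A": "198.51.100.10"},
                      "ns.mydomain.edu": {"A": "198.51.100.53"}}})


def dc_same_name_as_existing_domain():
    """First post: the DC holds a zone with the same name as the existing
    DNS domain and forwards to ns."""
    return Server("addc", forwarder=existing_dns(),
                  zones={"mydomain.edu": {"addc.mydomain.edu": {"A": "192.0.2.6"}}})


def dc_in_subdomain():
    """Rowland's layout: the AD DNS domain is the subdomain ad.mydomain.edu
    and the DC is authoritative for that zone only."""
    return Server("addc", forwarder=existing_dns(),
                  zones={"ad.mydomain.edu": {"addc.ad.mydomain.edu": {"A": "192.0.2.6"}}})


def dc_with_delegation():
    """Last post: the DC keeps the parent zone but carries an NS delegation
    to ns. Which name was delegated is not on the page; 'www' is assumed."""
    ns = existing_dns()
    return Server("addc", forwarder=ns, delegates={"ns.mydomain.edu": ns},
                  zones={"mydomain.edu": {
                      "addc.mydomain.edu": {"A": "192.0.2.6"},
                      "www.mydomain.edu": {"NS": "ns.mydomain.edu"}}})


if __name__ == "__main__":
    for build in (dc_same_name_as_existing_domain, dc_in_subdomain, dc_with_delegation):
        dc = build()
        for q in ("www.mydomain.edu", "wiki.samba.org"):
            print(f"{build.__name__:32} {q:18} -> {dc.resolve(q)}")
```

The first layout reproduces the symptom from the opening post, where the realm was MYINSTITUTION.EDU, the same name as the existing DNS domain: www.mydomain.edu falls inside the zone the DC holds, so the DC returns an authoritative NXDOMAIN and never consults the forwarder, while wiki.samba.org is outside every held zone and is forwarded and resolved. In the second layout the DC holds only ad.mydomain.edu, so www.mydomain.edu is forwarded to ns; in the third the NS record at www hands the query to ns, which answers from its own mydomain.edu zone. The model has no caching, TTLs or access control; the real servers in the thread listen on public addresses, so in practice the allow-query and allow-recursion ACLs in Rowland's named.conf.options are what keep this forwarding path from being an open resolver.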
   


Re: DNS (bind_dlz) forwarding not working

Ok.

I understood your explanations, but I do not know where else I can get
information about it.

I thought that this interplay between an existing dns server and the
dns server that samba provides would not be so complicated!

On Wed, May 17, 2017 at 4:35 PM, Rowland Penny via samba <
[hidden email]> wrote:

> On Wed, 17 May 2017 15:54:20 -0300
> Elias Pereira via samba <[hidden email]> wrote:
>
> > Rowland,
> >
> > Can I use AD bind as slave for some zones of our bind master server?
> >
>
> Not sure I 100% understand what you are trying to say ;-)
>
> I will try to explain how Samba, when running as an AD DC, supports DNS.
>
> If you have a registered dns domain (we will use 'example.com'), you
> should set the AD domain to a subdomain of this, for instance:
> ad.example.com. You should then ensure that any computers that will be
> joined to the AD domain use this subdomain.
>
> When an AD domain member needs to find another computer (whether this
> is another domain computer or not), it should ask one of the domain
> DCs. If the DC does not know who the computer is, it should ask its
> forwarder.
>
> If a domain client (client1) needs to connect to another domain client
> (client2), the DC should be able to return the data for
> client2.ad.example.com
>
> If a domain client needs to connect to Google, the DC will not know who
> this is and so, should ask its forwarder and then return this data
> to the domain client.
>
> So, to put it in a nutshell, an AD DC running a dns server must be
> authoritative for the AD dns domain, it cannot be a slave of another
> dns server, but the dns server can hold zones that are not part of
> the AD domain, you would just have to find a way of updating the
> non-domain zone records.
>
> Rowland
>



--
Elias Pereira

Re: DNS (bind_dlz) forwarding not working

Samba - General mailing list
On Wed, 17 May 2017 19:47:00 -0300
Elias Pereira via samba <[hidden email]> wrote:

> Ok.
>
> I understood your explanations, but I do not know where else I can get
> information about it.
>
> I thought that this functionality between an existing dns server and
> the dns server that samba provided was not so complicated!
>

It isn't complicated ;-)

Samba DCs know all about the DNS for their domain, anything else is
forwarded to another DNS server that might.

Rowland


Re: DNS (bind_dlz) forwarding not working

Samba - General mailing list
Rowland,

I used the M$ DNS Manager tool and was able to create a delegation from a
subdomain to my existing DNS.

DNS Manager > Forward Lookup Zones > Right-click on mydomain.edu > New
Delegation > ...

After this I can open, for example the service "www.mydomain.edu" normally.

Where are these entries in AD?

On Thu, May 18, 2017 at 4:07 AM, Rowland Penny <[hidden email]> wrote:

> On Wed, 17 May 2017 19:47:00 -0300
> Elias Pereira via samba <[hidden email]> wrote:
>
> > Ok.
> >
> > I understood your explanations, but I do not know where else I can get
> > information about it.
> >
> > I thought that this functionality between an existing dns server and
> > the dns server that samba provided was not so complicated!
> >
>
> It isn't complicated ;-)
>
> Samba DCs know all about the DNS for their domain, anything else is
> forwarded to another DNS server that might.
>
> Rowland
>



--
Elias Pereira

Re: DNS (bind_dlz) forwarding not working

Samba - General mailing list
On Thu, 18 May 2017 19:52:23 -0300
Elias Pereira <[hidden email]> wrote:

> Rowland,
>
> I used the M$ DNS Manager tool and was able to create a delegation
> from a subdomain to my existing DNS.
>
> DNS Manager > Forward Lookup Zones > Right-click on mydomain.edu > New
> Delegation > ...
>
> After this I can open, for example the service "www.mydomain.edu"
> normally.
>
> Where are these entries in AD?
>

They should be under:

DC=DomainDnsZones,DC=samdom,DC=example,DC=com

DC=ForestDnsZones,DC=samdom,DC=example,DC=com

Where 'DC=samdom,DC=example,DC=com' is replaced with your domain info.

Rowland
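Added example (my own, not code from the thread or from the Samba project) of doing the same delegation from the command line and then finding it in the directory where Rowland says it lives. Hypothetical values: the AD zone and AD domain are both mydomain.edu, the delegated label is www, the existing BIND server is ns1.mydomain.edu at 203.0.113.53. The DN layout (zone under CN=MicrosoftDNS in the DomainDnsZones or ForestDnsZones partition, one dnsNode per name) is the standard AD DNS layout that Samba uses as well. The DN helpers run anywhere; the samba-tool and ldbsearch calls run only when DC is set and the script is run as root on the DC, because sam.ldb is readable only by root.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: delegate one
# label of the AD zone to an existing BIND server with samba-tool, then
# look at the resulting records under the DomainDnsZones partition.
# Hypothetical values: AD zone/domain mydomain.edu, delegated label www,
# existing server ns1.mydomain.edu at 203.0.113.53.

# zone_to_dn ZONE ADDOMAIN [SCOPE]: DN of the object that holds zone ZONE.
# AD stores a zone as DC=<zone>,CN=MicrosoftDNS,DC=<scope>,<domain DN>,
# where <scope> is DomainDnsZones (default) or ForestDnsZones and
# <domain DN> is built from the AD domain name, not from the zone name
# (a reverse zone lives under the same partition as the forward zone).
zone_to_dn() {
    zone=$1
    addomain=$2
    scope=${3:-DomainDnsZones}
    domain_dn=$(printf '%s' "$addomain" | awk -F. '{
        for (i = 1; i <= NF; i++) { sep = (i > 1) ? "," : ""; printf "%sDC=%s", sep, $i } }')
    printf 'DC=%s,CN=MicrosoftDNS,DC=%s,%s\n' "$zone" "$scope" "$domain_dn"
}

# node_dn NAME ZONE ADDOMAIN [SCOPE]: DN of one record name (a dnsNode
# object) inside that zone; all of its records sit in its dnsRecord values.
node_dn() {
    printf 'DC=%s,%s\n' "$1" "$(zone_to_dn "$2" "$3" "$4")"
}

# Live part: run as  DC=localhost sh deleg.sh  on the DC (prompts for the
# administrator password).
if [ -n "${DC:-}" ]; then
    ZONE=${ZONE:-mydomain.edu}
    # The DC is authoritative for $ZONE, so it must itself hold the address
    # of the server it delegates to, or clients cannot follow the NS record.
    samba-tool dns add "$DC" "$ZONE" ns1 A 203.0.113.53 -U administrator
    # The delegation: an NS record at www.$ZONE pointing at the existing
    # server. This is what DNS Manager's "New Delegation" creates.
    samba-tool dns add "$DC" "$ZONE" www NS ns1.mydomain.edu -U administrator
    # What the DC now answers for the delegated name.
    samba-tool dns query "$DC" "$ZONE" www ALL -U administrator
    # The same records as stored in AD, i.e. where "these entries" are.
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        -b "$(node_dn www "$ZONE" "$ZONE")" -s base '(objectClass=dnsNode)' dnsRecord
fi
```

The DN helpers take the AD domain separately from the zone name on purpose: a reverse zone such as 113.0.203.in-addr.arpa is stored under the same DC=DomainDnsZones,DC=mydomain,DC=edu partition as the forward zone, and zone_to_dn with ForestDnsZones as the third argument gives the forest-scope location Rowland also lists.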

Re: DNS (bind_dlz) forwarding not working

Samba - General mailing list
Thanks.

I was able to verify through the following command:

samba-tool dns query localhost yourdomain.lan @ ALL -U administrator

--------------

Rowland,

Some time ago I asked some questions about dns with samba4. In the topic
below you say:

"I would suggest you create a sub domain of your main domain (this is
recommended anyway) i.e. if your main domain is called 'company.com',
create a sub domain called 'samba.company.com'. Use the sub domain for
your AD domain and forward anything outside the sub domain to your main
DNS servers.

Rowland"
https://lists.samba.org/archive/samba/2016-July/201497.html

Ok. I created the subdomain for the samba.

addc.mydomain.edu

> Use the sub domain for your AD domain and forward anything outside the sub
> domain to your main DNS servers.


How would I do that? I thought I was already doing this with the settings I
already posted on this thread. :D

On Fri, May 19, 2017 at 3:46 AM, Rowland Penny via samba <
[hidden email]> wrote:

> On Thu, 18 May 2017 19:52:23 -0300
> Elias Pereira <[hidden email]> wrote:
>
> > Rowland,
> >
> > I used the M$ DNS Manager tool and was able to create a delegation
> > from a subdomain to my existing DNS.
> >
> > DNS Manager > Forward Lookup Zones > Right-click on mydomain.edu > New
> > Delegation > ...
> >
> > After this I can open, for example the service "www.mydomain.edu"
> > normally.
> >
> > Where are these entries in AD?
> >
>
> They should be under:
>
> DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>
> Where 'DC=samdom,DC=example,DC=com' is replaced with your domain info.
>
> Rowland
>



--
Elias Pereira

Re: DNS (bind_dlz) forwarding not working

Samba - General mailing list
On Fri, 19 May 2017 08:55:11 -0300
Elias Pereira <[hidden email]> wrote:

> Thanks.
>
> I was able to verify through the following command:
>
> samba-tool dns query localhost yourdomain.lan @ ALL -U administrator
>
> --------------
>
> Rowland,
>
> Some time ago I asked some questions about dns with samba4. In the
> topic below you say:
>
> "I would suggest you create a sub domain of your main domain (this is
> recommended anyway) i.e. if your main domain is called 'company.com',
> create a sub domain called 'samba.company.com'. Use the sub domain for
> your AD domain and forward anything outside the sub domain to your
> main DNS servers.
>
> Rowland"
> https://lists.samba.org/archive/samba/2016-July/201497.html
>
> Ok. I created the subdomain for the samba.
>
> addc.mydomain.edu
>
> > Use the sub domain for your AD domain and forward anything outside
> > the sub domain to your main DNS servers.
>
>
> How would I do that? I thought I was already doing this with the
> settings I already posted on this thread. :D
>

Unless I misunderstood what you have posted, you initially had some of
the AD dns domain records stored in your main dns server.

When you initially set up an AD domain, you need to choose a dns
domain name to use. If you already have a registered domain, you
should not use this for your AD dns domain, you should create a
subdomain name and use this.

So, if your registered domain is 'example.com', you could use
'ad.example.com' for the AD dns domain. You would use this when
provisioning the new AD domain, this would mean that the kerberos realm
would be 'AD.EXAMPLE.COM'. You would only store the AD dns records in
AD on the DC, nowhere else.

This way (provided you set the AD clients to use the AD DC as their
dns nameserver) your clients ask the DC for their dns info, anything
that the DC doesn't know about (an external website for instance), it
would ask the forwarder you set in smb.conf if using the internal dns
server, or the forwarder set in named.conf if using Bind9.

Most people use something like google for the forwarder, but there is
nothing stopping you from using your original dns server, provided it
doesn't hold any of your AD dns records and is set up to forward
anything it doesn't know. You should also never set any of the AD dns
servers to 'forward first'.

Rowland
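The layout Rowland describes in the two posts above (the DC is authoritative for the AD zone and for nothing else it needs to be asked about; everything else goes to one forwarder; never 'forward first'), written out as an added example of my own, not a configuration from the thread, the Samba wiki or BIND. It shows a sample options block for the DC's named.conf, the same block with the setting to avoid, a small lint that rejects 'forward first' (and its silent form: forwarders with no 'forward' statement at all, because BIND's default is 'first'), and optional live dig checks. Hypothetical values: main DNS 203.0.113.53, client subnet 203.0.113.0/24, AD zone ad.example.com, DC address given in DC. The lint only strips // and # comments, not /* */ blocks.

```shell
#!/bin/sh
# Added example, not from the thread, the Samba wiki or BIND: the DC's
# forwarding setup as a sample named.conf options block, the broken
# variant, a lint for it, and optional live checks with dig.
# Hypothetical values: main DNS 203.0.113.53, clients 203.0.113.0/24,
# AD zone ad.example.com.

# Sample options for the DC's BIND (constructed). The AD zone itself comes
# from the DLZ include that Samba generates, so it is never listed here;
# every name the DC is not authoritative for goes to the main server and
# nowhere else ("forward only"). Recursion is limited to our own clients
# so the DC is not an open resolver.
GOOD_OPTS='
acl clients { 127.0.0.1; 203.0.113.0/24; };
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { clients; };
        allow-recursion { clients; };
        forwarders { 203.0.113.53; };
        forward only;   // without this line BIND defaults to "forward first"
};
'

# The variant to avoid: if the forwarder does not answer, BIND resolves
# from the root by itself, so names the main server holds privately get
# different (or no) answers depending on the forwarder's health.
BAD_OPTS='
options {
        recursion yes;
        forwarders { 203.0.113.53; };
        forward first;
};
'

# lint_forwarding TEXT: 0 if TEXT has at least one forwarder address and an
# explicit "forward only;", 1 if "forward first;" appears or either piece
# is missing. // and # comments are stripped first so a commented-out
# "forward first" does not trip it; /* */ block comments are not handled.
lint_forwarding() {
    text=$(printf '%s\n' "$1" | sed 's://.*$::; s:#.*$::' | tr '\n' ' ')
    printf '%s' "$text" | grep -Eq 'forward[[:space:]]+first[[:space:]]*;' && return 1
    printf '%s' "$text" | grep -Eq 'forwarders[[:space:]]*\{[^}]*[0-9a-fA-F.:]+[^}]*\}' || return 1
    printf '%s' "$text" | grep -Eq 'forward[[:space:]]+only[[:space:]]*;' || return 1
    return 0
}

# check_live DC ADZONE EXTNAME: needs dig and network access to the DC.
check_live() {
    dc=$1; adzone=$2; extname=$3
    # 1. The DC answers the AD zone itself: the aa flag is set on the SOA.
    dig +noall +comments "$adzone" SOA "@$dc" | grep -q 'flags:.* aa' || return 1
    # 2. A name outside the zone still resolves, i.e. the forwarder works.
    dig +short "$extname" A "@$dc" | grep -Eq '^[0-9.]+$' || return 1
    # 3. Domain members find the DC through SRV records held on the DC.
    dig +short "_ldap._tcp.$adzone" SRV "@$dc" | grep -q . || return 1
    return 0
}

lint_forwarding "$GOOD_OPTS" && echo "sample options: forward only, accepted"
lint_forwarding "$BAD_OPTS" || echo "sample with forward first: rejected"
if [ -n "${DC:-}" ]; then
    check_live "$DC" "${ADZONE:-ad.example.com}" "${EXT:-wiki.samba.org}" \
        && echo "live checks passed" || echo "live checks FAILED"
fi
```

Run it on the DC as `DC=127.0.0.1 sh check.sh` (or with the DC's address from a client) to exercise the dig checks; without DC only the lint on the embedded samples runs. With Samba's internal DNS server instead of BIND the forwarder is the `dns forwarder` line in smb.conf and the same three dig checks apply unchanged.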

Re: DNS (bind_dlz) forwarding not working

Samba - General mailing list
Thanks Rowland!!

Now everything is working properly. After I created the subdomain for Samba,
the queries that don't belong to AD are forwarded to our main DNS and I have
access to our internal services again.

Another question.

Can I add another email domain option in AD?

Example in http://i.imgur.com/cLU2UyYl.png

Re: DNS (bind_dlz) forwarding not working

Samba - General mailing list
On Mon, 22 May 2017 17:49:09 -0300
Elias Pereira via samba <[hidden email]> wrote:

> Thanks Rowland!!
>
> Now everything is working properly. After I created the subdomain for
> Samba, the queries that don't belong to AD are forwarded to our main
> DNS and I have access to our internal services again.
>
> Another question.
>
> Can I add another email domain option in AD?
>
> Example in http://i.imgur.com/cLU2UyYl.png

Ah, that isn't actually an email address, it is the userPrincipalName.
There is the 'mail' attribute in AD to store a users email address,
but this is single valued.
There is also the 'otherMailbox' attribute, and this can be used multiple
times.

Rowland