Re: [Samba] Find/delete bad DNS Entry

On Tue, 24 Apr 2018 09:50:10 +0200
Denis Cardon via samba <samba@xxxxxxxxxxxxxxx> wrote:

> A more expeditious way is to delete and recreate the zone using the
> samba-tool dns zonedelete / zonecreate. The SRV entries are recreated
> when the server restarts. You should just be careful about having your
> Kerberos configuration set properly so it does not need DNS to find its
> KDC (you can take a look at the krb5.conf file in [1] for inspiration).
> Then you'll have to recreate your DNS entries in that cleaned up
> zone.

Hi Denis, DNS is an integral part of Active Directory, so if the
machine you are trying to join as a DC cannot find the KDC via DNS,
then it is likely to have problems later. You must have working DNS
before the join.

I have read your join howto and have the following comments, based on
my experience.

I would also install libpam_winbind and libpam_krb5

/etc/krb5.conf needs to be only this (the [libdefaults] section header is
required, the file will not parse without it):

[libdefaults]
    default_realm = MONDOMAINE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

I would stop smbd, nmbd, winbind before the join

I would run the join command like this:
samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307  = yes' --option='dns forwarder ='

If you copy netlogon and sysvol from the first DC, you really also need to copy idmap.ldb.

Please do not do this: ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
If you must do it, then do this instead: cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

But it will just replace what is there with the same content, if it has been set as suggested above.

Finally, I would have set up NTP before the join and ensured the time was the same as on the DC.
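The pre-join checklist from the message above (working DNS SRV records for the realm, clock skew within the Kerberos tolerance, smbd/nmbd/winbind stopped, a minimal krb5.conf) as one POSIX sh script; this is an added example, not code from the original message or from the Samba project, and the realm MONDOMAINE.LAN, the hostname dc1.mondomaine.lan and the 300-second skew limit are assumptions.

```shell
#!/bin/sh
# Pre-join checks for a new Samba AD DC (added example; realm and DC
# hostname below are assumed values, not taken from the original mail).

# Render the minimal krb5.conf recommended above, including the
# [libdefaults] section header that the file format requires.
render_krb5_conf() {
    realm=$1
    printf '[libdefaults]\n    default_realm = %s\n' "$realm"
    printf '    dns_lookup_realm = false\n    dns_lookup_kdc = true\n'
}

# Kerberos rejects tickets once clock skew exceeds 5 minutes (assumed
# default), so compare local and DC epoch seconds before the join.
MAX_SKEW=300
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# The join needs working DNS: the KDC and LDAP SRV records for the
# realm must resolve. Uses host(1); fails on the first missing record.
srv_records_resolve() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for svc in _kerberos._tcp _ldap._tcp; do
        host -t SRV "$svc.$realm" >/dev/null 2>&1 ||
            { echo "no SRV record for $svc.$realm" >&2; return 1; }
    done
}

# smbd, nmbd and winbind must not be running during the join.
services_stopped() {
    for s in smbd nmbd winbind; do
        pgrep -x "$s" >/dev/null 2>&1 &&
            { echo "$s is still running, stop it first" >&2; return 1; }
    done
    return 0
}

main() {
    realm=${1:-MONDOMAINE.LAN}
    dc_epoch=${2:?usage: $0 REALM DC_EPOCH_SECONDS}   # e.g. output of 'date +%s' on dc1.mondomaine.lan
    srv_records_resolve "$realm" || exit 1
    clock_skew_ok "$(date +%s)" "$dc_epoch" || { echo "clock skew too large, fix NTP" >&2; exit 1; }
    services_stopped || exit 1
    render_krb5_conf "$realm"        # review, then install as /etc/krb5.conf
}

# Only run the checks when invoked directly with PREJOIN_RUN=1.
if [ "${PREJOIN_RUN:-0}" = 1 ]; then main "$@"; fi
```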

