
Re: [Samba] Find/delete bad DNS Entry

Hi Rowland,

A more expeditious way is to delete and recreate the zone using
samba-tool dns zonedelete / zonecreate. The SRV entries are recreated
when the server restarts. You should just be careful to have your
Kerberos configuration set properly so it does not need DNS to find its
KDC (you can take a look at the krb5.conf file in [1] for inspiration).
Then you'll have to recreate your DNS entries in that cleaned-up
zone.


Hi Dennis, DNS is an integral part of Active Directory, so if the
machine you are trying to join as a DC cannot find the KDC via DNS,
then it is likely to have problems later. You must have working DNS
before the join.

Thanks for your input. It is indeed important to stress how important DNS is in an AD environment. My point just above underlines that if we have wiped out the DNS zone, then using dns_lookup_kdc=true won't work anymore, so it will be necessary to give the local machine a hint to authenticate and "find itself".

Once the DNS zone has been recreated with all the proper SRV entries, one can switch back to dns_lookup_kdc=true. But actually, even on a properly set up domain, I advocate making an explicit configuration of the KDC in /etc/krb5.conf. And it is a must-have in a large multi-site setup with slow VPNs and strict firewall rules.

I have read your join howto and have the following comments, based on
my experience.

I would also install libpam_winbind and libpam_krb5

We are limiting shell connections to the AD as much as possible (a compromise of your AD is a compromise of your whole network). So we don't enable this kind of authentication on DCs. SSH key exchange for the lucky few that manage the AD is much better suited IMHO.

/etc/krb5.conf needs to be only this:

[libdefaults]
    default_realm = MONDOMAINE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

See above.

I would stop smbd, nmbd, winbind before the join

Indeed that might be cleaner, even if it doesn't change much in the present case. Debian's behavior of starting daemons just after installation is sometimes awkward.

I would run the join command like this:
samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307  = yes' --option='dns forwarder = 8.8.8.8'

We are trying to get people out of RFC2307. It is almost never really needed and it may create issues when people forget to set up a UID/GID for a user or if there are duplicates (there is no pool for UIDs like there is for RIDs, and there is no unique index on that value).

By the way, 8.8.8.8 is an easy-to-remember IP address, but it is a PITA in the long run with internal DNS. Google does throttling, and since the internal DNS does no caching, one very quickly gets unanswered queries and angry users on any moderate-size site.

That is why we advocate using Bind-DLZ, even if it is awkward to set up. You can take a look at the page https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9

If you copy netlogon and sysvol from the first DC, you really also need to copy idmap.ldb

It is really helpful if you have GPO delegation. Otherwise a simple samba-tool ntacl sysvolreset will do it, as is mentioned in the documentation. Maintaining replication of idmap.ldb is not easy either in the long run. It would be great to have RID xid mapping for domain controllers too!

Please do not do this: ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
If you must do it, then do this instead: cp /var/lib/samba/private/krb5.conf to /etc/krb5.conf

It is important to have both files in sync, since some processes use one or the other. So a symlink is a must IMHO. And since /var/lib/samba/private is not readable by everyone, the best thing is to have a symlink as stated in our wiki page [1] that you are referring to.

By the way, those small details are the result of more than 250 migrations or domain fixes in the last 5 years... So even though it might not be perfect, it is field tested.

But it will just replace what is there, with the same content, if it has been set as suggested above.

Finally, I would have set up NTP before the join and ensured the time was the same as on the DC.

An ntpdate might be of use before the join indeed. But since NTP connects to a UNIX socket instantiated by Samba, I prefer to start it afterward.

Thanks for your input,

Cheers,

Denis

[1] https://dev.tranquil.it/wiki/SAMBA_-_Installation_samba4_comme_DC_secondaire

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
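The thread above boils down to three things to verify on a candidate DC before running samba-tool domain join: the host can locate a KDC even while the DNS zone is being rebuilt (an explicit kdc line in /etc/krb5.conf when dns_lookup_kdc cannot help), the _kerberos._tcp SRV record is actually present, and the clock is within Kerberos skew tolerance of the existing DC. The script below is an added example written for this page, not code from the thread, from Tranquil IT or from the Samba project. It assumes a POSIX sh with awk, and for the live checks that dig and ntpdate are installed; MONDOMAINE.LAN is the realm used in the thread, while the KDC host name dc1.mondomaine.lan in the constructed sample configs is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): pre-join sanity checks
# on a future Samba AD DC.  MONDOMAINE.LAN is the thread's realm; the KDC
# dc1.mondomaine.lan used in the sample configs is a constructed placeholder.

# krb5_kdc_resolvable FILE REALM
# Exit 0 if krb5.conf FILE lets this host locate a KDC for REALM: either
# dns_lookup_kdc is true in [libdefaults], or REALM's block in [realms]
# names at least one kdc.  Exit 1 otherwise.  This is the trap described in
# the thread: once the DNS zone is wiped, dns_lookup_kdc = true alone finds
# nothing, so a kdc line becomes mandatory until the SRV records are back.
krb5_kdc_resolvable() {
    awk -v realm="$2" '
        # "[name]" lines switch the current section and close any realm block
        /^[ \t]*\[/ { section = $0; gsub(/[^A-Za-z0-9_]/, "", section); inrealm = 0; next }
        # normalise "key=value" to "key = value" so both spellings split alike
        { gsub(/=/, " = ") }
        section == "libdefaults" && $1 == "dns_lookup_kdc" && $NF == "true" { dns = 1 }
        # inside [realms], "REALM = {" opens that realm; a lone "}" closes it
        section == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        section == "realms" && $1 == "}" { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" && NF >= 3 { kdc = 1 }
        END { if (dns || kdc) exit 0; exit 1 }
    ' "$1"
}

# sample_krb5_conf dns|explicit|broken
# Prints a constructed krb5.conf.  "dns" is the minimal file quoted in the
# thread; "explicit" turns DNS lookup off but names the KDC, the shape that
# survives a zone rebuild; "broken" turns lookup off without a [realms]
# block, which is what a host looks like after the zone has been deleted.
sample_krb5_conf() {
    case $1 in
        dns)      lookup=true;  realms=no ;;
        explicit) lookup=false; realms=yes ;;
        broken)   lookup=false; realms=no ;;
        *) echo "usage: sample_krb5_conf dns|explicit|broken" >&2; return 2 ;;
    esac
    printf '[libdefaults]\n    default_realm = MONDOMAINE.LAN\n'
    printf '    dns_lookup_realm = false\n    dns_lookup_kdc = %s\n' "$lookup"
    if [ "$realms" = yes ]; then
        printf '\n[realms]\n    MONDOMAINE.LAN = {\n'
        printf '        kdc = dc1.mondomaine.lan\n        admin_server = dc1.mondomaine.lan\n    }\n'
    fi
}

# dc_join_prechecks REALM
# Live checks to run right before "samba-tool domain join": krb5.conf can
# reach a KDC, the _kerberos._tcp SRV record exists, and the clock offset to
# that KDC is below 300 s (the default Kerberos skew tolerance).  Needs dig
# and ntpdate; "ntpdate -q" only queries and never changes the clock.
dc_join_prechecks() {
    realm=$1
    zone=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    krb5_kdc_resolvable /etc/krb5.conf "$realm" ||
        { echo "/etc/krb5.conf: no way to find a KDC for $realm (enable dns_lookup_kdc or add a kdc line)" >&2; return 1; }
    # SRV answer fields are "prio weight port target."; keep the first target
    kdc=$(dig +short "_kerberos._tcp.$zone" SRV | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }')
    [ -n "$kdc" ] ||
        { echo "no _kerberos._tcp.$zone SRV record: DNS is not ready for the join" >&2; return 1; }
    # ntpdate -q prints one "server ..., offset <s>, ..." line per server
    skew=$(ntpdate -q "$kdc" 2>/dev/null | awk '
        /^server/ { for (i = 1; i < NF; i++) if ($i == "offset") { o = $(i + 1) + 0; if (o < 0) o = -o; print o; exit } }')
    if [ -z "$skew" ] || awk -v s="$skew" 'BEGIN { exit !(s > 300) }'; then
        echo "clock skew to $kdc is ${skew:-unknown} s: fix NTP before the join" >&2
        return 1
    fi
    echo "prechecks passed: KDC $kdc, skew ${skew}s"
}
```

Usage on the DC to be joined: source the file, then `dc_join_prechecks MONDOMAINE.LAN`; a non-zero exit names the failing precondition. The sample generator is there to exercise the krb5.conf parser offline (`sample_krb5_conf broken | krb5_kdc_resolvable /dev/stdin MONDOMAINE.LAN` fails, `sample_krb5_conf explicit | ...` passes), which is the scenario the thread describes: the zone deleted with samba-tool dns zonedelete, and the host still needing to authenticate to recreate it.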
