
Re: [Samba] DNS not resolving particular host from queries from particular subnet




On Fri, 1 Jun 2018 12:12:43 +0100
Zdravko Zdravkov <nirayah@xxxxxxxxx> wrote:

> True that! Sorry
> 
> smb.conf
> 
> 
> >         [global]
> >         netbios name = AD
> >         realm = XXXX.CO.UK
> >         server role = active directory domain controller
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> >         workgroup = XXXX
> >         idmap config XXXX:unix_nss_info = yes

You should remove the line above; it should not be in a DC smb.conf.

> >         idmap_ldb:use rfc2307 = yes
> >         log file = /var/log/samba/samba.log
> >         log level = 3
> 
> 
> 
> named.conf
> 
> include "/usr/local/samba/private/named.conf";
> > options {
> >         listen-on port 53 { 127.0.0.1; 192.168.26.2; };
> > //      listen-on-v6 port 53 { ::1; };
> >         directory       "/var/named";
> >         dump-file       "/var/named/data/cache_dump.db";
> >         statistics-file "/var/named/data/named_stats.txt";
> >         memstatistics-file "/var/named/data/named_mem_stats.txt";
> >         allow-query     { any; };
> >         /*
> >          - If you are building an AUTHORITATIVE DNS server, do NOT
> > enable recursion.
> >          - If you are building a RECURSIVE (caching) DNS server,
> > you need to enable
> >            recursion.
> >          - If your recursive DNS server has a public IP address,
> > you MUST enable access
> >            control to limit queries to your legitimate users.
> > Failing to do so will
> >            cause your server to become part of large scale DNS
> > amplification
> >            attacks. Implementing BCP38 within your network would
> > greatly reduce such attack surface
> >         */
> >         allow-recursion {
> >         127.0.0.1;
> >         192.168.26.0/24;
> >         192.168.27.0/24;
> >         };
> >
> >
> >         //recursion yes;
> >         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >         dnssec-enable yes;
> >         dnssec-validation yes;
> >         /* Path to ISC DLV key */
> >         bindkeys-file "/etc/named.iscdlv.key";
> >         managed-keys-directory "/var/named/dynamic";
> >         pid-file "/run/named/named.pid";
> >         session-keyfile "/run/named/session.key";
> > };
> > logging {
> >         channel default_debug {
> >                 file "data/named.run";
> >                 severity dynamic;
> >         };
> > };
> > zone "." IN {
> >         type hint;
> >         file "named.ca";
> > };
> > //include "/etc/named.rfc1912.zones";
> > //include "/etc/named.root.key";
> 
> 

There are several things wrong with that named.conf, the biggest being
that you haven't set any forwarders. The DNS server running on a Samba
AD DC must be authoritative for its own DNS domain; any query for a name
outside that domain should be forwarded to another DNS server outside
the domain (note that your "recursion" line is commented out, so BIND
is falling back to its defaults there). Can I suggest you try this
named.conf:

 options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        forwarders { 8.8.8.8; 8.8.4.4; };

        dnssec-validation no;
        auth-nxdomain yes;    # the RFC1035-conformant value is no
        listen-on-v6 { none; };
        listen-on port 53 { 127.0.0.1; 192.168.26.2; };
        notify no;
        empty-zones-enable no;
        allow-query { any; };
        allow-recursion {
        127.0.0.1/32;
        192.168.26.0/24;
        192.168.27.0/24;
        };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

};

include "/usr/local/samba/private/named.conf";

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};

It is based on your info and my known working setup, though you may
want to change the forwarders. Note that it keeps "allow-query { any; }"
but, like yours, only allows recursion from localhost and the two
192.168.26.0/24 and 192.168.27.0/24 subnets, so the server will not act
as an open resolver; it also sets "dnssec-validation no", which your
original config had enabled, so re-enable that if you need validation.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba