
Re: [Samba] Samba, AD, 'short' name resolving...

Hi Marco,

What I see below is correct.
You're using a DHCP outside the network and that's ok.

The Windows PC that joined the domain automatically registers A and PTR.
So that's correct also.

> c) seems to use some ''random'' AD DNS, not the one in the site, for
>  example.
Yes, that is correct. (The DC Locator Process does that.)
If you don't want that, you can assign a preferred server by GPO.

You can set it as preferred server per site in the GPO. (Note, a PC needs 2 reboots.)
Set the variable logon server in a GPO.
That's one of the options.

And try this setting.
include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

See how far you get. 

Hint: 
https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication 
Net Logon 
;-) 


Greetz, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of
> Marco Gaiarin via samba
> Sent: Monday 11 June 2018 14:39
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Samba, AD, 'short' name resolving...
> 
> Hello! L.P.H. van Belle via samba
>   On that day, he wrote...
> 
> > If the primary domain is set in Windows, which is after
> > domain join, it uses that.
> > Ipconfig /all and see primary DNS suffix.
> > The DNS suffix and first DNS search list should be the same.
> > Yes, other settings are possible, but stick to this for now.
> 
> Ok, I can confirm that: the AD domain DNS name is the DNS suffix and
> the first search entry; see my previous post.
> 
> 
> > The Primary DNS suffix is used for the register of the IP in
> > the DNS.
> 
> Ok, I'll make a note. I'm not using DNS/DHCP integration, e.g. I'm NOT
> using:
> 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> 
> I've simply kept the old setup in place.
> 
> 
> > The DHCP Service User MUST be a member of the DNSAdmins.
> > The DHCP service User SHOULD NOT have the Kerberos auth
> > requirement (disable pre-Kerberos auth), and disable password
> > changes.
> 
> ?! I have no 'DHCP Service' user in my AD. I have no Windows servers.
> 
> 
> > In my LAN I use PCs with DHCP and static IPs, all register
> > within the DNS zone they should.
> > I reviewed my logs and compared them to yours. That looks
> > the same except I don't have messages like:
> > >> request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
> 
> As stated in a previous email, I'm suffering some connectivity trouble
> now, so some errors are expected; after some seconds, the client registers
> itself correctly.
> 
> 
> > A cause might be:
> > - 2 x PC with the same name.
> > - The rights on this object in the DNS are not correct and
> > the "dhcp service" user is unable to update it.
> > - The PC joined with a static IP and now it's DHCP, then the
> > above line applies.
> 
> No, none of the above.
> 
> > Check you have within the options section in
> > named.conf.options.
> > auth-nxdomain yes;    # conform to RFC1035 = no
> 
> Ok, correct.
> 
> 
> > Make sure you have somewhere below options { .... } in
> > named.conf.options.
> > include "/etc/bind/rndc.key";
> > controls {
> >     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> > };
> 
> I don't have such a stanza, and I've verified that there's no
> mention of it in the Samba wiki.
> 
> Clearly, I have instead:
> 	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> 
> 
> The point here is:
> 
> a) even if DHCP auto-registration is not enabled, the Windows client
>  tries to ''register'' itself on the DNS; good.
> 
> b) contrary to what Rowland says, the client correctly uses an AD DNS to
>  register itself.
> 
> c) it seems to use some ''random'' AD DNS, not the one in the site, for
>  example.
> 
> 
> > See also:
> > https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> > And this link is imo a must read before you install any AD.
> > It really helps in preventing strange problems.
> 
> Thanks for the link!
> 
> -- 
> dott. Marco Gaiarin                     GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> 
>       Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
>       (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
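The BADSIG line quoted above turned out to be transient in Marco's case (the client registered a few seconds later), and the same message also shows up when a machine's GSS-TSIG key or clock is wrong. The following is an added example, not code from the thread, Samba or BIND: a small Python filter over named log lines that counts TSIG verify failures per Kerberos principal and flags principals that keep failing without a later successful dynamic update from the same client address. The lines in SAMPLE_LOG are constructed; only the first mirrors the one in the thread, the other host names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample of named log lines (not taken from the thread's server). The
# first BADSIG line mirrors the one quoted in the thread; the rest is made up.
SAMPLE_LOG = [
    r"11-Jun-2018 14:20:01.123 client 10.0.0.21#50123: request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)",
    r"11-Jun-2018 14:20:04.456 client 10.0.0.21#50124: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'quirinius.ad.fvg.lnf.it' A 10.0.0.21",
    r"11-Jun-2018 14:21:10.001 client 10.0.0.35#51000: request has invalid signature: TSIG 8812-ms-7.34-aaaa0000.00000001-69d4-11e8-1eb6-dc4a3e58a634 (OLDPC\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)",
    r"11-Jun-2018 14:21:40.002 client 10.0.0.35#51001: request has invalid signature: TSIG 8812-ms-7.34-aaaa0000.00000002-69d4-11e8-1eb6-dc4a3e58a634 (OLDPC\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)",
    r"11-Jun-2018 14:22:10.003 client 10.0.0.35#51002: request has invalid signature: TSIG 8812-ms-7.34-aaaa0000.00000003-69d4-11e8-1eb6-dc4a3e58a634 (OLDPC\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)",
]

# GSS-TSIG verify failure; the "@0x..." handle and "/key" suffix of newer BIND are optional.
TSIG_FAIL = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+(?:/key \S+)?: "
    r"request has invalid signature: TSIG \S+ \((?P<principal>[^)]+)\): "
    r"tsig verify failure \((?P<code>[A-Z]+)\)"
)
# A dynamic update that got through, i.e. the client did register in the end.
UPDATE_OK = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+(?:/key \S+)?: "
    r"updating zone '[^']+': adding an RR at '(?P<name>[^']+)'"
)

def analyze(lines, persistent_threshold=3):
    """Count TSIG failures per principal; flag principals that never recover.
    BADSIG = signature mismatch, BADKEY = unknown key, BADTIME = clock skew (RFC 8945).
    'Persistent' = at least persistent_threshold failures and no later successful update
    from the same client IP (a one-off BADSIG followed by an update is transient).
    """
    failures = defaultdict(lambda: defaultdict(int))  # principal -> code -> count
    ip_of = {}                                        # principal -> failing client IP
    updated_ips = set()                               # IPs that completed an update
    for line in lines:
        m = TSIG_FAIL.search(line)
        if m:
            principal = m["principal"].replace("\\", "")  # named escapes '$' and '@'
            failures[principal][m["code"]] += 1
            ip_of[principal] = m["ip"]
            continue
        m = UPDATE_OK.search(line)
        if m:
            updated_ips.add(m["ip"])
    persistent = sorted(
        p for p, codes in failures.items()
        if sum(codes.values()) >= persistent_threshold and ip_of[p] not in updated_ips
    )
    return {"failures": {p: dict(c) for p, c in failures.items()}, "persistent": persistent}
```

Feed it `open("/var/log/syslog")` (or wherever named logs on the DC) and the principals in `persistent` are the machine accounts worth checking for duplicate names, clock skew or stale keys, while a lone BADSIG followed by an update is the same transient pattern Marco saw.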