
[Samba] Samba 4 AD DC and BIND


Gerry Reno

Mar 10, 2013, 10:20:01 AM
When setting up Samba 4 AD DC to use BIND DNS is it possible to use BIND located on a separate server?

Or do you need to run BIND on the same machine as Samba 4 AD DC?


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Daniel Müller

Mar 11, 2013, 4:00:02 AM
I think it is NO.
If you think about what BIND is doing: BIND needs to read/write in, e.g.,
/usr/local/samba/private/dns and reads
/usr/local/samba/private/named.conf.
In my case the named.conf:
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
};

In my production environment I point bind on my samba4 ads to addresses
outside the domain with the forwarder option to another
bind running.

Greetings
Daniel



-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
Behalf Of Gerry Reno
Sent: Sunday, 10 March 2013 14:14
To: sa...@lists.samba.org
Subject: [Samba] Samba 4 AD DC and BIND

Gerry Reno

Mar 11, 2013, 11:10:03 AM
Thanks. That is how I ended up setting it up with a forwarder to the existing BIND server in the network.

Gerry Reno

Mar 11, 2013, 12:40:03 PM
When I ran the provision I selected BIND9_DLZ.

The provision did not prompt me for a DNS forwarder IP.

So after the provision finished I entered the DNS forwarder IP manually into smb.conf.

Should the provision have prompted for the DNS forwarder IP?

Gerry Reno

Mar 11, 2013, 1:00:01 PM
On 03/11/2013 12:53 PM, Ricky Nance wrote:
> With the BIND9_DLZ backend, bind actually handles the forwarding, so you will need to set that up in your named conf,
> something like the following:
>
> options {
> forwarders { 192.249.249.1; 192.249.249.3; };
> };
>
> Although, some distros break apart the named stuff, so you may need to find information specific to your distro on this.
>
> Ricky
>
>
> On Mon, Mar 11, 2013 at 11:30 AM, Gerry Reno <gr...@verizon.net> wrote:
>
> When I ran the provision I selected BIND9_DLZ.
>
> The provision did not prompt me for a DNS forwarder IP.
>
> So after the provision finished I entered the DNS forwarder IP manually into smb.conf.
>
> Should the provision have prompted for the DNS forwarder IP?
>
>

Thanks. That makes sense. So the provision only prompts for the DNS forwarder IP when you select SAMBA_INTERNAL as the
DNS backend.

Ricky Nance

Mar 11, 2013, 1:00:01 PM
With the BIND9_DLZ backend, bind actually handles the forwarding, so you
will need to set that up in your named conf, something like the following:

options {
    forwarders { 192.249.249.1; 192.249.249.3; };
};

Although, some distros break apart the named stuff, so you may need to find
information specific to your distro on this.

Ricky



Rowland Penny

Mar 11, 2013, 1:10:02 PM
On 11/03/13 16:30, Gerry Reno wrote:
> When I ran the provision I selected BIND9_DLZ.
>
> The provision did not prompt me for a DNS forwarder IP.
>
> So after the provision finished I entered the DNS forwarder IP manually into smb.conf.
>
> Should the provision have prompted for the DNS forwarder IP?
>
>
Hi, No, you only require the forwarder in smb.conf if you are using the
internal DNS.

Rowland

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Gerry Reno

Mar 11, 2013, 7:20:02 PM
Since I am using views, where should I include the provision-generated named.conf?

Just in the local network view?

-Gerry

Ricky Nance

Mar 11, 2013, 8:30:02 PM
Sorry I don't understand what you mean by views... the provision generated
named.conf should be inserted into your /etc/named/named.conf (again this
varies on different distros) as an include directive, it is not meant to be
a full named.conf.

Ricky
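Putting Ricky's two points together (with BIND9_DLZ the forwarders live in named.conf, and the provision-generated file is pulled in with an include), here is an added example of the DC's own /etc/named.conf. It is not from this thread or from the Samba project; the networks, the upstream resolver addresses and the 192.168.2.105 listen address are placeholders, and the /usr/local/samba paths follow the prefix used in this thread.

```conf
// Added example (not from the thread): /etc/named.conf on the Samba 4 AD DC
// itself when the DNS backend is BIND9_DLZ. All addresses are placeholders.
acl internal { 192.168.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.2.105; };

    // With BIND9_DLZ, forwarding is BIND's job, not smb.conf's: names that
    // are not in the AD zones are sent to the upstream resolvers.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;   // drop this line to fall back to iterative resolution

    // Recurse only for the internal network. A DC whose port 53 is reachable
    // from the Internet must not end up being an open resolver.
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };

    // Keytab the DLZ module needs for GSS-TSIG, i.e. signed dynamic updates
    // from domain members and from nsupdate -g. This option is not quoted in
    // the thread; it is the setting Samba's BIND9_DLZ setup documents.
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

// Written by the provision. It holds only the dlz stanza quoted earlier in
// the thread and is not a complete named.conf, hence the include.
include "/usr/local/samba/private/named.conf";
```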

Gerry Reno

Mar 11, 2013, 8:50:02 PM
On 03/11/2013 08:27 PM, Ricky Nance wrote:
> Sorry I don't understand what you mean by views... the provision generated named.conf should be inserted into your
> /etc/named/named.conf (again this varies on different distros) as an include directive, it is not meant to be a full
> named.conf.
>
> Ricky
>
>
> On Mon, Mar 11, 2013 at 6:16 PM, Gerry Reno <gr...@verizon.net> wrote:
>
> Since I am using views, where should I include the provision-generated named.conf?
>
> Just in the local network view?
>
> -Gerry
>

This is BIND views: http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/

aka Split-DNS related to Stealth-DNS.

My question is asking where in our main named.conf do we include this provision-generated named.conf when we are using
BIND views.

Gerry Reno

Mar 11, 2013, 9:00:01 PM
On 03/11/2013 08:50 PM, Ricky Nance wrote:
> I am not 100% sure, but anywhere in the named.conf config should be sufficient, DLZ is Dynamically Loadable Zones, so
> samba ends up being its own zone as far as I know.
>
> Ricky
>
>
> On Mon, Mar 11, 2013 at 7:43 PM, Gerry Reno <gr...@verizon.net> wrote:
>
> On 03/11/2013 08:27 PM, Ricky Nance wrote:
> > Sorry I don't understand what you mean by views... the provision generated named.conf should be inserted into your
> > /etc/named/named.conf (again this varies on different distros) as an include directive, it is not meant to be a full
> > named.conf.
> >
> > Ricky
> >
> >
> > On Mon, Mar 11, 2013 at 6:16 PM, Gerry Reno <gr...@verizon.net> wrote:
> >
> > Since I am using views, where should I include the provision-generated named.conf?
> >
> > Just in the local network view?
> >
> > -Gerry
> >
>
> This is BIND views: http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/
>
> aka Split-DNS related to Stealth-DNS.
>
> My question is asking where in our main named.conf do we include this provision-generated named.conf when we are using
> BIND views.
>
> -Gerry
>

Ricky, that will not work. By definition, all zones need to be inside of one or more views when you are using views.
So we need to know in what view(s) we need to include this file.

Ricky Nance

Mar 11, 2013, 9:00:01 PM
I am not 100% sure, but anywhere in the named.conf config should be
sufficient, DLZ is Dynamically Loadable Zones, so samba ends up being its
own zone as far as I know.

Ricky

Andrew Bartlett

Mar 13, 2013, 1:00:02 AM
On Mon, 2013-03-11 at 19:16 -0400, Gerry Reno wrote:
> Since I am using views, where should I include the provision-generated named.conf?
>
> Just in the local network view?

Why are you using views?

My understanding is that these are normally used when external clients
and internal clients may hit the same name server. That implies that
there is direct internet access to your AD DC. If you are doing that,
then I suggest you find a different way to operate - the AD DC is the
security heart of the network, and should be more protected than that.

One approach is to have your DNS server (with views) use a zone of type
'forward' to point at the Samba server, which would not need to know
about these complex things.

Otherwise, if you insist you will have to manually determine how the
view statements and the include statements interact. This hasn't ever
been done before, and I don't know if the dlz module is compatible with
that, as it dynamically creates the zones.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
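Andrew's 'type forward' suggestion, as an added example that is not part of his post or of the Samba project: the Internet-facing BIND keeps the views, and only its internal view hands the AD zones to the Samba DC, so the DC never sees a query from outside. Zone names, zone files and addresses (including the DC at 192.168.2.105) are placeholders.

```conf
// Added example (not from the thread): named.conf on a separate BIND server
// that faces the Internet and uses views. The Samba DC is reached only from
// the internal view. All names and addresses are placeholders.
acl internal { 192.168.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    allow-query { any; };           // external clients get authoritative data only
    allow-recursion { internal; };  // never recurse for the outside world
};

view "internal" {
    match-clients { internal; };
    recursion yes;

    // Every name in the AD zone is answered by the DC. "forward only" means a
    // forwarder failure comes back as SERVFAIL instead of being answered from
    // the public company.com data. Internal clients therefore see only what
    // the DC knows: public names such as www must also exist in the AD zone,
    // or AD has to live in a sub-domain of its own.
    zone "company.com" {
        type forward;
        forward only;
        forwarders { 192.168.2.105; };
    };

    // Samba provisions _msdcs.<realm> as a zone of its own; forward it too so
    // domain members can find the DC's service records.
    zone "_msdcs.company.com" {
        type forward;
        forward only;
        forwarders { 192.168.2.105; };
    };

    // Once views are in use, every zone, the root hints included, has to sit
    // inside a view.
    zone "." { type hint; file "named.ca"; };
};

view "external" {
    match-clients { any; };
    recursion no;

    // Public records only (www, mail, ...). Nothing from AD appears here.
    zone "company.com" {
        type master;
        file "external/company.com.zone";
    };
};
```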

Gerry Reno

Mar 13, 2013, 10:00:02 AM
On 03/13/2013 12:53 AM, Andrew Bartlett wrote:
> On Mon, 2013-03-11 at 19:16 -0400, Gerry Reno wrote:
>> Since I am using views, where should I include the provision-generated named.conf?
>>
>> Just in the local network view?
> Why are you using views?
>
> My understanding is that these are normally used when external clients
> and internal clients may hit the same name server. That implies that
> there is direct internet access to your AD DC. If you are doing that,
> then I suggest you find a different way to operate - the AD DC is the
> security heart of the network, and should be more protected than that.
>
> One approach is to have your DNS server (with views) use a zone of type
> 'forward' to point at the Samba server, which would not need to know
> about these complex things.
>
> Otherwise, if you insist you will have to manually determine how the
> view statements and the include statements interact. This hasn't ever
> been done before, and I don't know if the dlz module is compatible with
> that, as it dynamically creates the zones.
>
> Andrew Bartlett
>

My AD DC is not directly connected to the internet. It is behind an internet gateway router which has port 53 open and
routes traffic to/from the BIND server on the AD DC. Nothing unusual about this.

The point of the split DNS and views is exactly to prevent exposing internal network to the outside world.

I am going to try the dlz with the views. I can think of no reason why it should not work. If I run into trouble I'll
post back.

-Gerry

Gregory Sloop

Mar 13, 2013, 1:40:03 PM

>> If you are doing that,
>> then I suggest you find a different way to operate - the AD DC is the
>> security heart of the network, and should be more protected than that.

GR> My AD DC is not directly connected to the internet. It is
GR> behind an internet gateway router which has 53 open and
GR> routing traffic to/from the BIND server on the AD DC. Nothing unusual about this.

GR> The point of the split DNS and views is exactly to prevent
GR> exposing internal network to the outside world.

Which, to me at least, means that queries from the world are hitting
the BIND server on your AD - which is *exactly* what Andrew was
talking about.

...And when someone finds a way to compromise BIND, your AD is also
totally compromised. It's probably a lot easier to burn down and
rebuild a BIND server vs your whole AD infrastructure.

I guess this whole branch of the discussion is essentially off-topic,
but were I in your shoes, I'd be running a stand-alone BIND server
completely separate from the AD for security as well as simplicity
purposes. [Or moving the "external" DNS services into a service
provider somewhere.]

...Or run it in a VM if you have to. Just don't, IMO, run a
world-reachable BIND server as part of AD.

Gerry Reno

Mar 13, 2013, 3:00:02 PM
I have plenty of installations that are setup running separate DNS machines.

Just not this one which is running just for some testing.

Gerry Reno

Mar 17, 2013, 4:00:02 PM
When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external servers (eg: www, mail) at external providers,
this means that the ISP and the internal network nameservers will both have an SOA record for the domain.

/etc/resolv.conf looks like this:

domain company.com
nameserver 192.168.2.105


/etc/named.conf contains:

forwarders { isp_nameservers; };
recursion yes;

What is the preferred way to forward DNS requests to the ISP nameservers in order to resolve the domain's external
servers without using BIND views?

Right now, all of Samba 4 AD DC DNS is working with the exception of being able to resolve the domain's external servers.

One solution could be to dump all our domain records at the ISP and duplicate them in the AD DNS Zone which seems
unnecessary.

-Gerry

Gerry Reno

Mar 17, 2013, 5:20:01 PM
On 03/17/2013 05:10 PM, Thomas Simmons wrote:
> Ideally you should not use the same domain name for your AD domain. Microsoft used to use "domain.local" for a default
> configuration, but this can cause problems with certain external services (Exchange/Office365 for example) and it also
> conflicts with some "local" Apple services if you have Macs on your networks. You could also purchase and use
> "domain.net" if it's available. Finally, what I did was use a sub-domain for AD (I used
> internal.domain.com but others use ad.domain.com, etc...) If you
> really must use your external FQDN, a split-dns setup (your last statement) is probably going to be your only option.
>
> On Sun, Mar 17, 2013 at 3:57 PM, Gerry Reno <gr...@verizon.net> wrote:
>
> When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external servers (eg: www, mail) at external providers,
> this means that the ISP and the internal network nameservers will both have an SOA record for the domain.
>
> /etc/resolv.conf looks like this:
>
> domain company.com
> nameserver 192.168.2.105
>
>
> /etc/named.conf contains:
>
> forwarders { isp_nameservers; };
> recursion yes;
>
> What is the preferred way to forward DNS requests to the ISP nameservers in order to resolve the domain's external
> servers without using BIND views?
>
> Right now, all of Samba 4 AD DC DNS is working with the exception of being able to resolve the domain's external
> servers.
>
> One solution could be to dump all our domain records at the ISP and duplicate them in the AD DNS Zone which seems
> unnecessary.
>
> -Gerry
>

Please try to avoid top posting.
----------------------------------------

Certainly having different internal and external domains is easier, but I'm trying to work out the use case for how we
do it when the domain must be the same both internal and external.

Duping the records from the ISP works and we could live with this if necessary. But I'm trying to avoid Split-DNS
solution and to find a way to use forwarding to do it without having to maintain duplicated records.

Thomas Simmons

Mar 17, 2013, 5:20:01 PM
Ideally you should not use the same domain name for your AD domain.
Microsoft used to use "domain.local" for a default configuration, but this
can cause problems with certain external services (Exchange/Office365 for
example) and it also conflicts with some "local" Apple services if you have
Macs on your networks. You could also purchase and use "domain.net" if it's
available. Finally, what I did was use a sub-domain for AD (I used
internal.domain.com but others use ad.domain.com, etc...) If you really
must use your external FQDN, a split-dns setup (your last statement) is
probably going to be your only option.

Michael Leone

Mar 17, 2013, 5:20:01 PM
On Sun, Mar 17, 2013 at 5:10 PM, Thomas Simmons <tws...@gmail.com> wrote:
> Ideally you should not use the same domain name for your AD domain.
> Microsoft used to use "domain.local" for a default configuration, but this
> can cause problems with certain external services (Exchange/Office365 for
> example) and it also conflicts with some "local" Apple services if you have
> Macs on your networks. You could also purchase and use "domain.net" if it's
> available. Finally, what I did was use a sub-domain for AD (I used
> internal.domain.com but others use ad.domain.com, etc...) If you really
> must use your external FQDN, a split-dns setup (your last statement) is
> probably going to be your only option.

MS guidelines for AD domain names:

Naming conventions in Active Directory for computers, domains, sites, and OUs
< http://support.microsoft.com/kb/909264 >
--

2B || !2B

Thomas Simmons

Mar 17, 2013, 6:30:01 PM
On Sun, Mar 17, 2013 at 5:14 PM, Michael Leone <tur...@mike-leone.com> wrote:

> On Sun, Mar 17, 2013 at 5:10 PM, Thomas Simmons <tws...@gmail.com> wrote:
> > Ideally you should not use the same domain name for your AD domain.
> > Microsoft used to use "domain.local" for a default configuration, but
> this
> > can cause problems with certain external services (Exchange/Office365 for
> > example) and it also conflicts with some "local" Apple services if you
> have
> > Macs on your networks. You could also purchase and use "domain.net" if
> it's
> > available. Finally, what I did was use a sub-domain for AD (I used
> > internal.domain.com but others use ad.domain.com, etc...) If you really
> > must use your external FQDN, a split-dns setup (your last statement) is
> > probably going to be your only option.
>
> MS guidelines for AD domain names:
>
> Naming conventions in Active Directory for computers, domains, sites, and
> OUs
> < http://support.microsoft.com/kb/909264 >
>
Hi Michael,
As I noted, Microsoft changed the recommended ".local" some time ago. Back
in the 2003/R2 days dcpromo suggested a .local extension by default. This
turned out to cause some headaches when using certain off-site services (if
you want auth tied into AD) and they have since changed their recommendation.
Another problem with using "domain.com" is that most people want that to
resolve to their main website, though if you are running AD it will resolve
to your DC. The only solution I know of is to install IIS (Apache if S4)
and have it redirect requests to the web server hosting your website. Could
be a bit of extra work if you have many DCs.

Gerry Reno

Mar 19, 2013, 7:00:01 PM
I have Samba 4 AD DC running with BIND9_DLZ.

I am trying to use samba-tool to administer dns but I keep getting this error:

# /usr/local/samba/bin/samba-tool dns query 127.0.0.1 company.com www.company.com ALL
Password for [COMPANY\root]:
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:127.0.0.1[1024,sign] NT_STATUS_NET_WRITE_FAULTERROR(runtime):
uncaught exception - (-1073741614, 'NT_STATUS_NET_WRITE_FAULT')
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 970, in run
dns_conn = dns_connect(server, self.lp, self.creds)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 37, in dns_connect
dns_conn = dnsserver.dnsserver(binding_str, lp, creds)


What is this error? And how do I get rid of it?

-Gerry

Ricky Nance

Mar 19, 2013, 8:40:02 PM
I have seen this error recently myself, and haven't yet investigated what's going
on for sure, but I suspect it's the way dns_connect is parsing everything (I
saw it with the | or >) ... try with -Uadministrator%password (replacing
password with the administrator password you use) and report back please.

Ricky

Gerry Reno

Mar 19, 2013, 8:50:01 PM
On 03/19/2013 08:38 PM, Ricky Nance wrote:
> I have seen this error recently myself, and haven't yet investigated what's going on for sure, but I suspect it's the way
> dns_connect is parsing everything (I saw it with the | or >) ... try with -Uadministrator%password (replacing
> password with the administrator password you use) and report back please.
>
> Ricky
>
If you search for a label that is in the DNS then the command succeeds.

If you search for a label that is not in the DNS it yields the following error:

/usr/local/samba/bin/samba-tool dns query 127.0.0.1 company.com www.company.com ALL -Uadministrator%HIDDEN
ERROR(runtime): uncaught exception - (9714, 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 974, in run
None, record_type, select_flags, None, None)


samba-tool behaving badly....

Ricky Nance

Mar 19, 2013, 9:10:02 PM
Try samba-tool dns query netbiosname company.com @ ALL
-Uadministrator%HIDDEN (where netbiosname is generally the same as your
computer's hostname)... try to avoid using 127.0.0.1 or localhost. Also that
error is often a sign of the DNS server not running, so double-check that with
netstat -anp | grep 53 | grep "LISTEN ".

Ricky

Gerry Reno

Mar 19, 2013, 10:10:02 PM
On 03/19/2013 09:00 PM, Ricky Nance wrote:
> Try samba-tool dns query netbiosname company.com @ ALL -Uadministrator%HIDDEN (where netbiosname
> is generally the same as your computer's hostname)... try to avoid using 127.0.0.1 or localhost. Also that error is
> often a sign of the DNS server not running, so double-check that with netstat -anp | grep 53 | grep "LISTEN ".
>
> Ricky
>

DNS is running just fine. Otherwise I would not have gotten answers on the first good query.

# ps -ef | grep named
named 9313 1 0 13:36 ? 00:00:00 /usr/sbin/named -u named

And that last netbiosname style command gives this error:

# /usr/local/samba/bin/samba-tool dns query COMPANY company.com @ ALL -Uadministrator%HIDDEN
ERROR(runtime): uncaught exception - (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 970, in run
dns_conn = dns_connect(server, self.lp, self.creds)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 37, in dns_connect
dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

Ricky Nance

Mar 19, 2013, 11:00:02 PM
Try first a kinit administrator, then enter the administrator password,
then /usr/local/samba/bin/samba-tool dns query COMPANY.company.com
company.com @ ALL (notice no -U this time, and the format of host.realm
instead of just host... I mistyped that in the last message) and see if it
works, this will cause that tool to use kerberos instead of the regular
login.

Ricky

Gerry Reno

Mar 19, 2013, 11:10:01 PM
On 03/19/2013 10:57 PM, Ricky Nance wrote:
> Try first a kinit administrator, then enter the administrator password, then /usr/local/samba/bin/samba-tool dns query
> COMPANY.company.com company.com @ ALL (notice no -U this time, and
> the format of host.realm instead of just host... I mistyped that in the last message) and see if it works, this will
> cause that tool to use kerberos instead of the regular login.
>
> Ricky
>

Nope.

Did the kinit and got a good ticket.

# /usr/local/samba/bin/samba-tool dns query COMPANY.company.com company.com @ ALL

Ricky Nance

Mar 19, 2013, 11:20:01 PM
What is the error message now?

Ricky

Daniel Müller

Mar 20, 2013, 3:00:02 AM
/usr/local/samba/bin/samba-tool dns query yourdnshost.your.domain
your.domain @ ALL

Ex: samba-tool dns query samba4.tplechler.kkh tlechler.kkh @ ALL
Will do:
Password for [admini...@TPLECHLER.KKH]:


Greetings Daniel

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
Behalf Of Gerry Reno
Sent: Wednesday, 20 March 2013 04:06
To: sa...@lists.samba.org
Subject: Re: [Samba] Samba 4 AD DC and BIND

Gerry Reno

Mar 20, 2013, 9:00:02 AM
On 03/20/2013 02:59 AM, Daniel Müller wrote:
> /usr/local/samba/bin/samba-tool dns query yourdnshost.your.domain
> your.domain @ ALL
>
> Ex: samba-tool dns query samba4.tplechler.kkh tlechler.kkh @ ALL
> Will do:
> Password for [admini...@TPLECHLER.KKH]:
>
>
> Greetings Daniel
>
>

Hi Daniel, yes you're correct. That works with my BIND9 DLZ backend.

When I use the DNS name for the samba machine, eg: samba.company.com, then it works both with and without Kerberos auth. But
if I use anything else, even the machine IP, it fails. Seems like it should work if you use the machine IP but it doesn't.

Daniel Müller

Mar 20, 2013, 9:20:02 AM
It looks as if the script does not like reverse lookups!???


-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
Behalf Of Gerry Reno
Sent: Wednesday, 20 March 2013 13:59
To: sa...@lists.samba.org
Subject: Re: [Samba] Samba 4 AD DC and BIND

Daniel Müller

Mar 20, 2013, 9:30:02 AM
This should do the reverse lookup:
Ex: samba-tool dns query 192.168.132.123 132.168.192.in-addr.arpa @ All

Name=, Records=3, Children=0
SOA: serial=6, refresh=900, retry=600, expire=86400,
ns=linux2.tplechler.kkh., email=hostmaster.tplechler.kkh. (flags=600000f0,
serial=6, ttl=3600)
NS: linux2.tplechler.kkh. (flags=600000f0, serial=1, ttl=0)
NS: samba4.tplechler.kkh. (flags=600000f0, serial=5, ttl=0)
Name=kkh, Records=0, Children=1
Name=123, Records=1, Children=0
PTR: linux2.tplechler.kkh (flags=f0, serial=2, ttl=0)
Name=132, Records=1, Children=0
PTR: samba4.tplechler.kkh (flags=f0, serial=3, ttl=0)


samba-tool dns query IP.OF.YOUR.DNS.SERVER reverse.dns.zone.in-addr.arpa @ ALL

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
Behalf Of Daniel Müller
Sent: Wednesday, 20 March 2013 14:15
To: 'Gerry Reno'; sa...@lists.samba.org

Rowland Penny

Mar 20, 2013, 9:40:02 AM
Hi, have you created a reverse zone?

Rowland


Gerry Reno

Mar 20, 2013, 10:20:02 AM
On 03/20/2013 08:59 AM, Gerry Reno wrote:
> On 03/20/2013 02:59 AM, Daniel Müller wrote:
>> /usr/local/samba/bin/samba-tool dns query yourdnshost.your.domain
>> your.domain @ ALL
>>
>> Ex: samba-tool dns query samba4.tplechler.kkh tlechler.kkh @ ALL
>> Will do:
>> Password for [admini...@TPLECHLER.KKH]:
>>
>>
>> Greetings Daniel
>>
>>
> Hi Daniel, yes you're correct. That works with my BIND9 DLZ backend.
>
> When I use the DNS name for the samba machine, eg: samba.company.com, then it works both with and without Kerberos auth. But
> if I use anything else, even the machine IP, it fails. Seems like it should work if you use the machine IP but it doesn't.
>
>
> -Gerry

Correction, ok IP will work but just not using Kerberos.

Gerry Reno

Mar 20, 2013, 11:40:02 AM
I spent the better part of this morning playing around with samba-tool dns and also nsupdate -g.

I was never able to add delegation records using this samba-tool dns. It always kept giving me errors about dns name
not found.

I was however fully successful at adding delegation records to samba when using the nsupdate -g.

Just a note in case anyone else has problems adding delegation records to samba.