Samba Internal DNS Back End: Difference between revisions

From SambaWiki
----
'''Previous revision''' (only the sections that differ from the current revision)

= Introduction =

The internal DNS server is built into Samba and uses AD as the back end; it is the default DNS solution when provisioning a new Samba AD DC or upgrading from a Samba NT4 domain to Samba AD. Because the information the DNS server uses is stored in AD, you do not need to create any extra databases.

An alternative back end is [[Configure_BIND_as_backend_for_Samba_AD|BIND_DLZ]].

= Configuration =

If you have chosen the internal DNS as the back end for your environment, there are only two options that can be added to your smb.conf to control the behaviour of DNS at this point:

 # Don't allow any updates | allow unsigned updates | only allow signed updates
 allow dns updates = False | nonsecure | signed
 # If you require recursive queries, i.e. queries outside the AD domain, the following is also needed.
 # Samba 4.5 and later supports a space-separated list of IPs. Older versions support only one IP.
 dns forwarder = <ip addr of external dns server>

= Limitations / Known issues =

* The internal server is not a [[DNS/ToDo/caching_resolver|caching resolver]].
* The internal server by default only comes with a working forward zone; if you need a reverse zone, see [[DNS_Administration#Creating_a_new_zone|instructions here]].
* The samba_dnsupdate command produces warnings when used with [[DNS/ToDo/signed_updates|signed updates]]. We're currently investigating a fix for the warnings, but the updates actually succeed. Client systems like samba3 or Win7 work fine.
* Currently, recursive queries are not possible [[DNS/ToDo/recursive_queries_without_forwarder|without using a forwarder]].
* Negative replies do not come with an [[DNS/ToDo/add_authority_record|authority record]] (not required by the RFC, but Windows seems to like that).
* [[DNS/ToDo/shared_key_tsig|Shared-key TSIG]] is not implemented.
* [[DNS/ToDo/stub_zones|Stub zones]] are not implemented.
* Zone transfers (AXFR) are not allowed from the internal Samba DNS.

= Tests =

Run during make test:

 TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns

Run against external servers (Windows or BIND):

 SERVER_IP=<dns server ip> SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns

----
'''Current revision'''

= Introduction =

The Samba Active Directory (AD) domain controller (DC) provides an internal DNS server that supports the basic features required in an AD. It is easy to configure and requires no additional software or knowledge about DNS. The <code>INTERNAL_DNS</code> back end is recommended for simple DNS setups.

= Limitations =

The internal DNS does not support:

* acting as a caching resolver
* recursive queries
* shared-key transaction signature (TSIG)
* stub zones
* zone transfers
* wildcard DNS entries: [https://bugzilla.samba.org/show_bug.cgi?id=10435 See related bug report]
* round-robin load balancing among DCs

= Setting up Dynamic DNS Updates Using Kerberos =

Dynamic DNS updates using Kerberos are enabled by default in the internal DNS server. To change this setting, set the <code>allow dns updates</code> parameter in the <code>smb.conf</code> file.

For further details, see the <code>smb.conf (5)</code> man page.

= Setting up a DNS Forwarder =

The internal DNS server is only able to resolve the Active Directory (AD) DNS zones. To enable recursive queries of other zones, set the <code>dns forwarder</code> parameter in the <code>smb.conf</code> file to one or more IP addresses of DNS servers that support recursive resolving. For example:

 dns forwarder = 8.8.8.8

{{Imbox
| type = note
| text = Samba 4.5 and later supports multiple space-separated IP addresses. Older versions support one IP address.
}}

For further details, see the <code>smb.conf (5)</code> man page.
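An added example, not part of the wiki page, that audits the <code>allow dns updates</code> and <code>dns forwarder</code> parameters described above in POSIX sh with awk. The smb.conf reader is written here and is not Samba's own parser; the sample smb.conf, the realm SAMDOM.EXAMPLE.COM and the forwarder addresses are constructed.

```shell
# Added example, not from the Samba wiki. smbconf_get is a minimal [global]-section
# reader written here (not Samba's parser); like Samba it treats parameter names as
# case- and space-insensitive and lets the last occurrence of a parameter win.
smbconf_get() {                                  # usage: smbconf_get <smb.conf> <name>
    awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/ /, "", key) }
        /^[ \t]*[;#]/ { next }                   # comment line
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            k = tolower(k); gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Classify "allow dns updates". smb.conf(5) values are disabled, secure only (the
# default) and nonsecure and secure; the shorthand used on this page (False /
# nonsecure / signed) is accepted too. Unsigned updates let any host that can reach
# port 53 overwrite records, so that setting is flagged.
dns_update_policy() {
    v=$(smbconf_get "$1" "allow dns updates" | tr 'A-Z' 'a-z')
    case "$v" in
        ""|"secure only"|"signed")          echo "ok: only signed (Kerberos) updates accepted" ;;
        "nonsecure and secure"|"nonsecure") echo "WEAK: unsigned updates accepted" ;;
        "disabled"|"false"|"no")            echo "disabled: no dynamic updates" ;;
        *)                                  echo "unknown value: $v" ;;
    esac
}

# Number of forwarder addresses; more than one requires Samba 4.5 or later.
dns_forwarder_count() {
    set -- $(smbconf_get "$1" "dns forwarder")
    echo "$#"
}
# Constructed sample smb.conf: a deliberately weak update policy and two forwarders.
SAMPLE="${TMPDIR:-/tmp}/smb-sample.$$.conf"
cat > "$SAMPLE" <<'EOF'
[global]
    realm = SAMDOM.EXAMPLE.COM
    Allow DNS Updates = nonsecure and secure
    dns forwarder = 192.0.2.53 192.0.2.54
[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
EOF
dns_update_policy "$SAMPLE"      # WEAK: unsigned updates accepted
dns_forwarder_count "$SAMPLE"    # 2
```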





= Troubleshooting =

== Clients Are Unable to Resolve DNS Queries ==

If you are not able to resolve records from your Active Directory (AD) DNS zone, verify that you have set the IP of a DNS server that is able to resolve the AD DNS zone in your operating system. See:
:* [[Windows_DNS_Configuration|Windows DNS Configuration]]
:* [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]]
:* [[Mac_OS_X_DNS_Configuration|Mac OS X DNS Configuration]]

If the client configuration is correct, make sure that the Samba DNS server is running. For details, see [[#Samba_DNS_Server_Does_Not_Start|Samba DNS Server Does Not Start]].



== Samba DNS Server Does Not Start ==

To verify that no other process uses the TCP and UDP port 53:

* Check the Samba log files for DNS-related errors. For example:

 [2016/01/01 00:00:00.000000,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
   Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

* Verify that no other process is listening on the TCP and UDP port 53. For example:

 # netstat -tulpn | grep ":53"
 tcp        0      0 10.99.0.1:53        0.0.0.0:*               LISTEN      972/dnsmasq
 tcp        0      0 127.0.0.1:53        0.0.0.0:*               LISTEN      903/dnsmasq
 udp        0      0 10.99.0.1:53        0.0.0.0:*                           972/dnsmasq
 udp        0      0 127.0.0.1:53        0.0.0.0:*                           903/dnsmasq

: The example shows that the <code>dnsmasq</code> process is listening on port 53.

To fix the problem:

* Stop the service listening on port 53 and disable it so that it does not start at boot time. For details, see your operating system's documentation.

* Restart Samba.
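An added example, not part of the wiki page, that turns the two checks above into shell functions reading captured text from stdin, so they work on saved output as well as on a live DC. The log and netstat samples are constructed (they mirror the lines shown above plus a samba-owned socket, an mDNS socket on 5353 and an unrelated port-389 failure), and the Linux <code>netstat -tulpn</code> column layout is assumed.

```shell
# Added example, not from the Samba wiki: the two "does not start" checks as
# functions that read captured text from stdin. Linux netstat -tulpn layout assumed.

# Count the log lines where Samba could not bind port 53 (the error shown above).
count_port53_bind_failures() {
    grep -c 'Failed to listen on [^ ]*:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED' || true
}

# Print sockets bound to port 53 exactly (so 5353/mDNS does not match) that are
# owned by something other than samba: "proto local-address pid/program".
port53_foreign_listeners() {
    awk '$4 ~ /:53$/ && $NF !~ /\/samba$/ { print $1, $4, $NF }'
}

# Just the number of such sockets; 0 means port 53 is free or samba-owned.
port53_conflict_count() {
    port53_foreign_listeners | awk 'END { print NR }'
}

# Constructed samples: the wiki's error line plus an unrelated port-389 failure,
# and the wiki's netstat lines plus a samba-owned socket and an mDNS socket on 5353
# (neither of the last two should be reported).
LOG_SAMPLE='[2016/01/01 00:00:00.000000,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
  Failed to listen on 127.0.0.1:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2016/01/01 00:00:00.000100,  0] ../source4/smbd/service_stream.c:346(stream_setup_socket)
  Failed to listen on 127.0.0.1:389 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED'
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.99.0.1:53            0.0.0.0:*               LISTEN      972/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      903/dnsmasq
tcp        0      0 10.99.0.1:389           0.0.0.0:*               LISTEN      1201/samba
udp        0      0 10.99.0.1:53            0.0.0.0:*                           972/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           903/dnsmasq
udp        0      0 10.99.0.2:53            0.0.0.0:*                           1201/samba
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           640/avahi-daemon'

# Demo on the samples; on a DC pipe in the real Samba log and "netstat -tulpn" instead.
printf '%s\n' "$LOG_SAMPLE"     | count_port53_bind_failures    # 1
printf '%s\n' "$NETSTAT_SAMPLE" | port53_foreign_listeners      # the four dnsmasq sockets
printf '%s\n' "$NETSTAT_SAMPLE" | port53_conflict_count         # 4
```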





----
Revision as of 08:15, 29 September 2018

[[Category:Active Directory]]
[[Category:DNS]]