The Samba AD DNS Back Ends: Difference between revisions
Older revision: Mmuehlfeld (talk | contribs) m (Added info how to check if the DNS databases aren't hard-linked.)
Newer revision: (Added some information about editing/querying the Samba DNS using samba-tool)
(74 intermediate revisions by 13 users not shown)
Older revision:

__TOC__

=Internal DNS=

Developing and using the DNS server built into Samba. AD backend.

==Status==

As of early September 2012, the internal DNS server is fully functional, for both GSS-TSIG-signed and unsigned updates.

== Configuration ==

There are three options that can be added to smb.conf to control the behavior of DNS at this point:

 # Allow unsigned updates | don't allow any updates | only allow signed updates
 allow dns updates = True | False | signed
 # If recursive queries = yes is set, the following is also needed
 dns forwarder = <ip addr of external dns server>

== Known Issues ==

The samba_dnsupdate command produces warnings when used with signed updates. We're currently investigating a fix for the warnings, but the updates actually succeed. Client systems like samba3 or Win7 work fine.

==Tests==

Run during make test:

 TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns

Run against external servers (Windows or BIND):

 SERVER_IP=<dns server ip> SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns

=BIND 9.8.0 DLZ plug-in=

Dynamically loaded zones plug-in for BIND 9.8.0. AD backend.

==Status==

Module is built with Samba, handles RFC 1035 and RFC 2136.

=BIND & samba_dnsupdate=

Non-AD backend, but works with older BINDs.

==Status==

The samba_dnsupdate script shipped with Samba lets BIND handle DNS and just dynamically modifies AD-related information.

= A note on DNS problems with BIND9 DLZ=

If you have problems resolving newly added DNS entries using the BIND9 DLZ interface, you may want to check the following:

Files in samba/private/dns/sam.ldb.d/ are hard links to samba/private/sam.ldb.d/. Maybe you've copied/moved it across filesystems and the hard-linking got lost, and you're now running with two different copies of the databases at the moment. (You can test this by adding a new DNS entry, e.g. by samba-tool. If you can't resolve it, check if the inodes differ.)

If you run "ls -i" on the two folders, you should see that the following files have the same inodes (which indicates that they are hard-linked):

 # ls -lai .../samba/private/sam.ldb.d/
 17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
 17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
 17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb

 # ls -lai .../samba/private/dns/sam.ldb.d/
 17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
 17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
 17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb

If the files in the two folders have different inode numbers, then they aren't hard links. To fix this, run

 # samba_upgradedns --dns-backend=BIND9_DLZ

This will recreate the DNS files with correct hard links and permissions. Then restart BIND9.

Newer revision:

= Introduction =

In an Active Directory (AD), DNS is a very important service. It is used for:

* name resolution
* locating services, such as Kerberos and LDAP
* locating local domain controllers (DC) when using AD sites. For details, see [[Active_Directory_Sites|Active Directory Sites]].

{{Imbox
| type = note
| text = All clients and servers in an AD must use a DNS server that is able to resolve the AD DNS zones.
}}

= Supported DNS Back Ends =

Samba supports the following DNS back ends:

* [[Samba_Internal_DNS_Back_End|Samba Internal DNS Back End]]
:* Default when provisioning a new domain, joining an existing domain or migrating an NT4 domain to AD.
:* No additional software or DNS knowledge is required.
:* Use this back end for simple DNS setups. For a list of limitations, see [[Samba_Internal_DNS_Back_End#Limitations|Limitations]].
* [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]
:* Requires BIND 9.8 or later installed and configured locally on the Samba Active Directory (AD) domain controller (DC). For additional information, see [[Setting_up_a_BIND_DNS_Server|Setting up a BIND DNS Server]].
:* Requires knowledge about the BIND DNS server and how to configure the service.
:* Use this back end for complex DNS scenarios that you cannot configure in the internal DNS.

If you are unsure which DNS back end to select during the DC installation, start with the Samba internal DNS. You can change the back end at any time. For details, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]].

{{Imbox
| type = important
| text = Do not use the <code>BIND9_FLATFILE</code> DNS back end. It is not supported and will be formally deprecated when 4.11.0 is released and removed at 4.12.0.
}}

= Using the Samba Internal DNS Back End =

The Samba internal DNS server can be edited and queried using [https://www.samba.org/samba/docs/current/man-html/samba-tool.8.html samba-tool]. For example:

To get a list of zones: <code>samba-tool dns zonelist ''server''</code>

To update a record: <code>samba-tool dns update ''server'' ''zone_name'' A|AAAA|CNAME|NS|MX|SRV|TXT ''old_value'' ''new_value''</code>

Run <code>samba-tool dns -h</code> to see the complete list of available commands.

= Selecting the AD Forest Root Domain =

Before you provision your Active Directory (AD), you must select a DNS zone for your AD forest root domain. For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].

{{Imbox
| type = warning
| text = Samba does not support renaming the AD forest root domain.
}}

Best practices:

* Use a domain name you own.
* Use a subdomain of your domain, such as <code>ad.example.com</code>.
* Do not use <code>.local</code> domains. They can cause problems with Mac OS X and Zeroconf.

For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].
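The inode comparison from the BIND9 DLZ note in the older revision above, scripted as an added example that is not part of the wiki page or of Samba itself: `check_dns_hardlinks` compares every file in the dns/ copy of sam.ldb.d with its counterpart and reports the ones that are separate copies rather than hard links. The function names and the temporary directory layout that `demo_check` builds are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Samba wiki or the Samba project): scripted form of the
# "ls -i" inode comparison. Function names and the demo layout are assumptions.
# BIND9_DLZ expects private/dns/sam.ldb.d/* to be hard links to private/sam.ldb.d/*;
# a hard-linked pair shares one inode, so differing inodes mean BIND and Samba are
# working from two separate copies of the same database.

# check_dns_hardlinks MAIN_DIR DNS_DIR: prints one line per file in DNS_DIR and
# returns 0 only if every file shares its inode with the same-named file in MAIN_DIR.
check_dns_hardlinks() {
    main_dir=$1 dns_dir=$2 rc=0
    for f in "$dns_dir"/*; do
        [ -e "$f" ] || continue                 # empty directory: glob did not expand
        name=$(basename "$f")
        if [ ! -e "$main_dir/$name" ]; then
            echo "MISSING  $name has no counterpart in $main_dir"; rc=1; continue
        fi
        main_ino=$(ls -i "$main_dir/$name" | awk '{print $1}')
        dns_ino=$(ls -i "$f" | awk '{print $1}')
        if [ "$main_ino" = "$dns_ino" ]; then
            echo "OK       $name (inode $main_ino)"
        else
            echo "MISMATCH $name inode $main_ino vs $dns_ino: separate copies, not hard links"; rc=1
        fi
    done
    return "$rc"
}

# demo_check: builds a constructed private/ layout in a temporary directory (not a
# real Samba installation) with one hard-linked database and one plain copy, so
# the check must report a MISMATCH and return 1.
demo_check() {
    tmp=$(mktemp -d) || return 2
    main="$tmp/private/sam.ldb.d" dns="$tmp/private/dns/sam.ldb.d"
    mkdir -p "$main" "$dns"
    echo forest > "$main/FORESTDNSZONES.ldb"
    ln "$main/FORESTDNSZONES.ldb" "$dns/FORESTDNSZONES.ldb"     # correct: hard link
    echo domain > "$main/DOMAINDNSZONES.ldb"
    cp "$main/DOMAINDNSZONES.ldb" "$dns/DOMAINDNSZONES.ldb"     # broken: separate copy
    rc=0
    check_dns_hardlinks "$main" "$dns" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# On a real DC, call check_dns_hardlinks on the two private/ paths instead of demo_check.
if demo_check; then echo "demo: all hard-linked"; else echo "demo: mismatch found, run samba_upgradedns --dns-backend=BIND9_DLZ"; fi
```

A non-zero return from `check_dns_hardlinks` is the condition under which the note above tells you to run `samba_upgradedns --dns-backend=BIND9_DLZ` and restart BIND9.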
----

[[Category:Active Directory]]
[[Category:DNS]]
Latest revision as of 18:10, 5 November 2021
Introduction
In an Active Directory (AD), DNS is a very important service. It is used for:
- name resolution
- locating services, such as Kerberos and LDAP
- locating local domain controllers (DC) when using AD sites. For details, see Active Directory Sites.
All clients and servers in an AD must use a DNS server that is able to resolve the AD DNS zones.
Supported DNS Back Ends
Samba supports the following DNS back ends:
Samba Internal DNS Back End
- Default when provisioning a new domain, joining an existing domain or migrating an NT4 domain to AD.
- No additional software or DNS knowledge is required.
- Use this back end for simple DNS setups. For a list of limitations, see Limitations.
BIND9_DLZ DNS Back End
- Requires BIND 9.8 or later installed and configured locally on the Samba Active Directory (AD) domain controller (DC). For additional information, see Setting up a BIND DNS Server.
- Requires knowledge about the BIND DNS server and how to configure the service.
- Use this back end for complex DNS scenarios that you cannot configure in the internal DNS.
If you are unsure which DNS back end to select during the DC installation, start with the Samba internal DNS. You can change the back end at any time. For details, see Changing the DNS Back End of a Samba AD DC.
Do not use the BIND9_FLATFILE DNS back end. It is not supported and will be formally deprecated when 4.11.0 is released and removed at 4.12.0.
Using the Samba Internal DNS Back End
The Samba internal DNS server can be edited and queried using samba-tool. For example:
To get a list of zones: samba-tool dns zonelist server
To update a record: samba-tool dns update server zone_name A|AAAA|CNAME|NS|MX|SRV|TXT old_value new_value
Run samba-tool dns -h to see the complete list of available commands.
Selecting the AD Forest Root Domain
Before you provision your Active Directory (AD), you must select a DNS zone for your AD forest root domain. For details, see Active Directory Naming FAQ.
Samba does not support renaming the AD forest root domain.
Best practices:
- Use a domain name you own.
- Use a subdomain of your domain, such as ad.example.com.
- Do not use .local domains. They can cause problems with Mac OS X and Zeroconf.
For details, see Active Directory Naming FAQ.