I’ve got a NethServer Primary DC up and running beautifully overall. I have two problems I’d like help with and one direct question. All of the actions described hereafter are executed via Windows 10’s RSAT DNS, ADUC, and ADSI Edit (while exploring potential permissions issues).
Automatic PTR Record creation / update.
This doesn’t seem to be happening by default. If I manually create the reverse lookup zone and create an entry for a server already listed in a forward lookup zone they also do not seem to become associated by default. What’s up? Must I tweak something to get automatic PTR creation / update working? I didn’t see anything about this in the documentation (though I’d love to be shown otherwise!).
Domain Deletions.
I created an administrative user who is included in all default administrative groups (Ent. Admins, Schema Admins, DnsAdmins, etc). I then created a few new DNS domains for testing, nested a few inside those, and then attempted a deletion. It seems even if that user has full control over the object (including ownership) that god-level user is disallowed from deleting the object. Might be a disconnect between linux / windows (wherein the god-level AD user also needs to be a sudoer on the nsdc container)? Just a guess. Thoughts? The real quirky bit is I can delete entire zones even though I cannot delete the individual domains underneath.
Domain redirection.
I’d prefer to run a split-zone DNS where my internal DNS domain is the same as my external. Normally I’d create a few CNAMEs and install nginx on the DC to forward http/https requests to the same place. Is there a recommended procedure for this when using NethServer/nsdc? I’m comfortable with the administrative overhead. Just looking for best practices for the less-than-best-practice.
Thank you in advance! <3
P.S. I’m not afraid of reading. If someone has brought up these questions before or there are answers documented somewhere feel free to link me.
Thanks for the response! That would be a step backward though. I’m not looking to move DNS away from the nsdc. I need to get the nsdc’s DNS working correctly.
That thread didn’t solve poor laframba’s problem either. Davide’s original reply does seem to be going in the right direction though. Reverse Zones are not created by default. What are the appropriate steps for creating Reverse Lookup Zones so that they work correctly with nsdc’s Forward Lookup Zones?
If NethServer runs as public mail server or you want account names like user@publicdomain, set the public domain as suffix for it under Server name page. Otherwise set the private DNS domain – the same private domain of AD.
In the first case, NethServer should be the LAN DNS. As it runs dnsmasq the public DNS zone is “masqueraded” and you can define local overrides for it.
In the second case, you could use the NSDC IP as LAN DNS, as AD recommends, to make DDNS updates work correctly.
Right on. Thanks for the lead. I’ll check with them.
Understood.
I understand this is the recommended method and best practice. I’m specifically asking if there’s a recommended procedure for running nsdc’s DNS with a split-zone architecture.
That sounds useful but I’m not sure what you mean. Under the Server Name page on NethServer I only have the option of providing the FQDN of NethServer itself. Would you mind clarifying (perhaps with a visual aid)?
The second case is my preferred and current setup. DDNS updates work for forward zones but not reverse zones. We’ve been over that though.
My use-case here is that there are many internal DNS entries which must be sorted into their own zones / domains under the primary domain. If my first zone is a subdomain of my primary domain then this structure breaks down.
No, I think. A private authoritative name server for your LAN that overlaps the public DNS zone somewebsite.com is maybe difficult to administer but you can sort it out.
For instance,
in Server name page you can assign as FQDN
nsrv.somewebsite.com
Configure the local AD accounts provider, with domain somewebsite.com.
AD is now authoritative DNS for the zone somewebsite.com. LAN clients send DNS queries to/through it. To reach a public web site in that zone (or any subzone) you need to manually add DNS entries to AD. Same for mail servers and other resources in the public DNS.
Following the advice given in the previously linked samba mailing list archive I ssh’d into NethServer and then used systemd-run -M nsdc -t /bin/bash to enter into the nsdc container. I then ran:
bash-4.2# samba-tool dns zonecreate your-samba-dns-server 50.1.10.in-addr.arpa.
But got back an error: ERROR: Connecting to DNS RPC server your-samba-dns-server failed with (-1073741772, 'The object name is not found.')
Running the same command on NethServer itself kicks back saying that Samba is not installed:
[root@pPxDc01 ~]# samba-tool dns zonecreate your-samba-dns-server 50.1.10.in-addr.arpa.
-bash: samba-tool: command not found
So it is clear that samba AD / DNS is only running within the container, however; I cannot execute the required command within the container. Thoughts? Or should I toss this at the Samba guys as well?
Which backend do you deploy for Samba within the nsdc container? Samba Internal or BIND9?
Interesting. Being able to pass a user along with the command sounds useful. If I add -U to either the samba-tool command in-container or the systemd-run command from NethServer I get the same result: no such command/option.
No worries! After a bit of fiddling I realized the samba-tool command I was using was malformed. Now the command is executing correctly but it seems root does not have the correct rights to execute the command.
bash-4.2# samba-tool dns zonecreate nsdc-nethserver.somewebsite.com 50.1.10.in-addr.arpa.
ERROR(runtime): uncaught exception - (-1073741790, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 732, in run
    zone_create_info)
I’ve tried a few different samba-tool commands with the same result.
It also seems root is the only username available for shell access:
bash-4.2# cut -d: -f1 /etc/passwd
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
operator
games
ftp
nobody
systemd-network
dbus
tss
ntp
Sorry to dig up the old thread again. Just for information: if you put a dot at the end of the reverse zone name, the zone will end up among the forward zones and not among the reverse zones.
So it is correct for a reverse zone:
IPv4
bash-4.2# samba-tool dns zonecreate nsdc-ns01.home.test.lan 178.168.192.in-addr.arpa -U administrator
Password for [HOME\administrator]:
Zone 178.168.192.in-addr.arpa created successfully
bash-4.2#
IPv6
bash-4.2# samba-tool dns zonecreate nsdc-ns01.home.test.lan 0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.f.ip6.arpa -U administrator
Password for [HOME\administrator]:
Zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.f.ip6.arpa created successfully
bash-4.2#