PTR Records, Domain deletions, and domain redirection

activedirectory

(Derek Blechinger) #1

NethServer Version: 7.5.1804
Module: nsdc

I’ve got a NethServer Primary DC up and running beautifully overall. I have two problems I’d like help with and one direct question. All of the actions described hereafter are executed via Windows 10’s RSAT DNS, ADUC, and ADSI Edit (while exploring potential permissions issues).

  1. Automatic PTR Record creation / update.
    This doesn’t seem to be happening by default. If I manually create the reverse lookup zone and create an entry for a server already listed in a forward lookup zone they also do not seem to become associated by default. What’s up? Must I tweak something to get automatic PTR creation / update working? I didn’t see anything about this in the documentation (though I’d love to be shown otherwise!).

  2. Domain Deletions.
    I created an administrative user who is included in all default administrative groups (Ent. Admins, Schema Admins, DnsAdmins, etc). I then created a few new DNS domains for testing, nested a few inside those, and then attempted a deletion. It seems even if that user has full control over the object (including ownership) that god-level user is disallowed from deleting the object. Might be a disconnect between linux / windows (wherein the god-level AD user also needs to be a sudoer on the nsdc container)? Just a guess. Thoughts? :smiley: The real quirky bit is I can delete entire zones even though I cannot delete the individual domains underneath.

  3. Domain redirection.
    I’d prefer to run a split-zone DNS where my internal DNS domain is the same as my external. Normally I’d create a few CNAMEs and install nginx on the DC to forward http/https requests to the same place. Is there a recommended procedure for this when using NethServer/nsdc? I’m comfortable with the administrative overhead. Just looking for best practices for the less-than-best-practice. :wink:

Thank you in advance! <3

P.S. I’m not afraid of reading. If someone has brought up these questions before or there are answers documented somewhere feel free to link me.


(Michael Träumner) #2

Please have a look at the following link, perhaps it could help with reverse lookup zone


(Derek Blechinger) #3

Thanks for the response! :smiley: That would be a step backward though. I’m not looking to move DNS away from the nsdc. I need to get the nsdc’s DNS working correctly. :slightly_smiling_face:

That thread didn’t solve poor laframba’s problem either. Davide’s original reply does seem to be going in the right direction though. Reverse Zones are not created by default. What are the appropriate steps for creating Reverse Lookup Zones so that they work correctly with nsdc’s Forward Lookup Zones?

Thank you again!


(Davide Principi) #4

I’m afraid we have to ask Samba’s ML for this. Please search the upstream forum, this could be a starter: https://lists.samba.org/archive/samba/2014-March/179441.html

I don’t know! This sounds like another question for Samba ML…

As explained in the manual, you should use a separate, private DNS domain for AD

http://docs.nethserver.org/en/v7/accounts.html#dns-and-ad-domain

If NethServer runs as public mail server or you want account names like user@publicdomain, set the public domain as suffix for it under Server name page. Otherwise set the private DNS domain – the same private domain of AD.

In the first case, NethServer should be the LAN DNS. As it runs dnsmasq the public DNS zone is “masqueraded” and you can define local overrides for it.

In the second case, you could use the NSDC IP as LAN DNS, as AD recommends, to make DDNS updates work correctly.


(Derek Blechinger) #5

Right on. Thanks for the lead. I’ll check with them. :slight_smile:

Understood.

I understand this is the recommended method and best practice. I’m specifically asking if there’s a recommended procedure for running nsdc’s DNS with a split-zone architecture.

That sounds useful but I’m not sure what you mean. Under the Server Name page on NethServer I only have the option of providing the FQDN of NethServer itself. Would you mind clarifying (perhaps with a visual aid)?

The second case is my preferred and current setup. DDNS updates work for forward zones but not reverse zones. We’ve been over that though. :smiley:

My use-case here is that there are many internal DNS entries which must be sorted into their own zones / domains under the primary domain. If my first zone is a subdomain of my primary domain then this structure breaks down.

For instance: somewebsite.com could then include production.somewebsite.com, development.somewebsite.com and so on. If internal AD / DNS starts at ad.somewebsite.com then these must change to production.ad.somewebsite.com, development.ad.somewebsite.com, and so on. This is not desirable.

Have I misunderstood a fundamental principle?

Either way thank you, both, for the quick and helpful replies!


(Davide Principi) #6

No, I think. A private authoritative name server for your LAN that overlaps the public DNS zone somewebsite.com is maybe difficult to administer but you can sort it out.

For instance,

  1. in Server name page you can assign as FQDN

    nsrv.somewebsite.com
    
  2. Configure the local AD accounts provider, with domain somewebsite.com.

AD is now authoritative DNS for the zone somewebsite.com. LAN clients send DNS queries to/through it. To reach a public web site in that zone (or any subzone) you need to manually add DNS entries to AD. Same for mail servers and other resources in the public DNS.


(Derek Blechinger) #7

Thank you for the clarification.

Two questions then I’ll go away. :slight_smile:

  1. Following the advice given in the previously linked samba mailing list archive I ssh’d into NethServer and then used systemd-run -M nsdc -t /bin/bash to enter into the nsdc container. I then ran:

bash-4.2# samba-tool dns zonecreate your-samba-dns-server 50.1.10.in-addr.arpa.
But got back an error:
ERROR: Connecting to DNS RPC server your-samba-dns-server failed with (-1073741772, 'The object name is not found.')

Running the same command on NethServer itself kicks back saying that Samba is not installed:
[root@pPxDc01 ~]# samba-tool dns zonecreate your-samba-dns-server 50.1.10.in-addr.arpa.
-bash: samba-tool: command not found

So it is clear that samba AD / DNS is only running within the container, however; I cannot execute the required command within the container. Thoughts? Or should I toss this at the Samba guys as well?

  2. Which backend do you deploy for Samba within the nsdc container? Samba Internal or BIND9?

Thanks again!


(Davide Principi) #8

NSDC runs the samba internal backend (ATM)

I don’t know why the samba-tool command failed in nsdc container. Similar commands worked for me. Sometimes passing -U helps.


(Davide Principi) #9

No, don’t go! Please stay among us :hugs:


(Derek Blechinger) #10

Interesting. Being able to pass a user along with the command sounds useful. If I add -U to either the samba-tool command in-container or the systemd-run command from NethServer I get the same result: no such command/option.

May I ask where you are entering the -U option?

Thanks again, David. You’re a gem. :slight_smile:


(Davide Principi) #11

Thanks but I’m going by memory…

  1. samba-tool is available only under nsdc
  2. every subcommand accepts its own args list, try just samba-tool for inline help

(Derek Blechinger) #12

No worries! After a bit of fiddling I realized the samba-tool command I was using was malformed. Now the command is executing correctly but it seems root does not have the correct rights to execute the command.

bash-4.2# samba-tool dns zonecreate nsdc-nethserver.somewebsite.com 50.1.10.in-addr.arpa.
ERROR(runtime): uncaught exception - (-1073741790, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 732, in run
    zone_create_info)
I’ve tried a few different samba-tool commands with the same result.

It also seems root is the only username available for shell access:
bash-4.2# cut -d: -f1 /etc/passwd
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
operator
games
ftp
nobody
systemd-network
dbus
tss
ntp

Thoughts?


(Davide Principi) #13

The zonecreate command should ask for password, according to

https://wiki.samba.org/index.php/DNS_Administration#Creating_a_new_zone_2

Search for additional cli arguments!


(Derek Blechinger) #14

Bingo. Got it. Had to form the argument like so:
samba-tool dns zonecreate nsdc-ppxdc01.blechinger.io 50.1.10.in-addr.arpa. -U administrator

Samba then grabbed the domain and appended it to the user automatically. Not sure why it needs that specific syntax but, hey, it worked!

<3 Thanks again!
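The thread ends with the working zonecreate syntax but never gets to the PTR records from the first question, and post #6 says the overlapping public zone needs its entries added to AD by hand. The script below is an added example, not NethServer or Samba code: it derives the in-addr.arpa zone and PTR owner name for an address, audits a forward zone's A records against the PTR records that exist (missing and stale entries are the symptom described in #1), and emits the samba-tool commands, with -U as in #14, that would create the reverse zone, fix the PTRs, and add a forward entry for a public host as #6 describes. The server name nsdc-nethserver.somewebsite.com, the host names and addresses are constructed sample data; the PTR dictionary stands in for what samba-tool dns query would return.

```python
"""Reverse-zone helper for a Samba AD DNS (nsdc) setup.

Added example, not NethServer or Samba code. Host names, addresses and the
DNS server name are constructed / assumed values, not taken from a real site.
"""
import ipaddress

SAMBA_DNS_SERVER = "nsdc-nethserver.somewebsite.com"  # assumed nsdc FQDN
ADMIN_USER = "administrator"                          # passed with -U


def reverse_zone(network: str) -> str:
    """Return the in-addr.arpa zone for a /8, /16 or /24 IPv4 network."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 reverse zones are handled")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_owner(ip: str, network: str) -> str:
    """Relative PTR record name for ip inside reverse_zone(network)."""
    net = ipaddress.ip_network(network, strict=True)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is not inside {network}")
    host_part = ip.split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_part))


def audit_reverse(a_records: dict, ptr_records: dict, network: str):
    """Compare A records (fqdn -> ip) with PTRs (owner -> fqdn).

    Returns (missing, mismatched): missing is a list of (owner, fqdn) that
    have no PTR at all; mismatched is (owner, current, expected) where the
    PTR points at a different name than the forward zone says.
    """
    net = ipaddress.ip_network(network, strict=True)
    missing, mismatched = [], []
    for fqdn, ip in a_records.items():
        if ipaddress.ip_address(ip) not in net:
            continue  # public or other-subnet host, not ours to reverse-map
        owner = ptr_owner(ip, network)
        current = ptr_records.get(owner)
        if current is None:
            missing.append((owner, fqdn))
        elif current.rstrip(".").lower() != fqdn.rstrip(".").lower():
            mismatched.append((owner, current, fqdn))
    return missing, mismatched


def add_cmd(zone: str, name: str, rtype: str, data: str) -> str:
    """samba-tool invocation adding one record (forward or reverse zone)."""
    return (f"samba-tool dns add {SAMBA_DNS_SERVER} {zone} "
            f"{name} {rtype} {data} -U {ADMIN_USER}")


def fix_commands(a_records: dict, ptr_records: dict, network: str,
                 zone_exists: bool = False) -> list:
    """Commands that bring the reverse zone in line with the forward zone."""
    zone = reverse_zone(network)
    cmds = [] if zone_exists else [
        f"samba-tool dns zonecreate {SAMBA_DNS_SERVER} {zone} -U {ADMIN_USER}"]
    missing, mismatched = audit_reverse(a_records, ptr_records, network)
    for owner, fqdn in missing:
        cmds.append(add_cmd(zone, owner, "PTR", fqdn))
    for owner, current, fqdn in mismatched:
        cmds.append(f"samba-tool dns update {SAMBA_DNS_SERVER} {zone} "
                    f"{owner} PTR {current} {fqdn} -U {ADMIN_USER}")
    return cmds


# Constructed sample data: forward zone contents and the PTRs found on nsdc.
A_RECORDS = {
    "nsrv.somewebsite.com": "10.1.50.1",
    "fileserver.somewebsite.com": "10.1.50.20",
    "printer.somewebsite.com": "10.1.50.30",
    "www.somewebsite.com": "203.0.113.10",   # public host, outside the LAN
}
PTR_RECORDS = {
    "1": "nsrv.somewebsite.com.",            # correct
    "20": "old-fs.somewebsite.com",          # stale after a rename
}                                            # ".30" has no PTR at all

if __name__ == "__main__":
    for cmd in fix_commands(A_RECORDS, PTR_RECORDS, "10.1.50.0/24"):
        print(cmd)
    # The split-zone case from #6: replicate a public record into the AD zone.
    print(add_cmd("somewebsite.com", "www", "A", A_RECORDS["www.somewebsite.com"]))
```

The printed commands are meant to be run inside the container (systemd-run -M nsdc -t /bin/bash as in #7); samba-tool accepts the zone with or without the trailing dot. Run the audit periodically, because Samba's internal DNS only writes a PTR on dynamic update when the client asks for it and the reverse zone already exists; hosts renamed or re-addressed by hand are exactly the ones that drift.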


(Davide Principi) #15

I’m glad you sorted it out! Please give back your expertise to help other users and to improve NethServer 7.5!