enterprise-support team mailing list archive

[Bug 2019870] [NEW] AD provision DEP8 tests: should also create reverse DNS zone

 

Public bug reported:

While working on bug #1984073, I used the existing samba AD DEP8 test to
provision an AD server, which was convenient. But I couldn't get
ldapwhoami -Y GSSAPI to work: it was always trying to fetch the service
ticket using an incorrect domain, and sometimes it was even using an IP
instead of a domain name.

Some troubleshooting later and it was caused by a missing reverse DNS
zone for that domain. I thought setting "rdns = false"[2] in
/etc/krb5.conf would have addressed that, but for some reason it didn't,
and the fix I found was to actually create the reverse zone while
provisioning that AD server.

The change to the provisioning part of the script should be something
like this[1]:

  # samba-tool dns zonecreate $(hostname -f) x.y.z.in-addr.arpa
  # samba-tool dns add $(hostname -f) x.y.z.in-addr.arpa $last-octet-of-my-ip PTR $(hostname -f)

1. https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014829

** Affects: samba (Ubuntu)
     Importance: Wishlist
         Status: New


** Tags: bitesize

** Description changed:

  While working on bug #1984073, I used the existing samba AD DEP8 test to
  provision an AD server, which was convenient. But I couldn't get
  ldapwhoami -Y GSSAPI to work, it was always trying to fetch the service
  ticket using an incorrect domain, sometimes it was even using an IP
  instead of a domain name.
  
  Some troubleshooting later and it was caused by a missing reverse DNS
- zone for that domain. I thought setting "rdns = false" in /etc/krb5.conf
- would have addressed that, but for some reason it didn't, and the fix I
- found was to actually create the reverse zone while provisioning that AD
- server.
+ zone for that domain. I thought setting "rdns = false"[2] in
+ /etc/krb5.conf would have addressed that, but for some reason it didn't,
+ and the fix I found was to actually create the reverse zone while
+ provisioning that AD server.
  
  The change to the provisioning part of the script should be something
  like this[1]:
  
-   # samba-tool dns zonecreate $(hostname -f) x.y.z.in-addr.arpa
-   # samba-tool dns add $(hostname -f) x.y.z.in-addr.arpa $last-octect-of-my-ip PTR $(hostname -f)
+   # samba-tool dns zonecreate $(hostname -f) x.y.z.in-addr.arpa
+   # samba-tool dns add $(hostname -f) x.y.z.in-addr.arpa $last-octect-of-my-ip PTR $(hostname -f)
  
- 1.
- https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
+ 1. https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
+ 2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014829

-- 
https://bugs.launchpad.net/bugs/2019870
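
Added example, not part of the original report or of the samba DEP8 test scripts: a shell sketch that derives the reverse zone and PTR record name for a domain controller's IPv4 address and prints the two samba-tool commands quoted in the report. It assumes a /24 reverse zone; the function names, the address 192.0.2.10 and the hostname dc1.example.internal are constructed for illustration, and nothing is executed against a real server.

```shell
#!/bin/sh
# Added example: build the reverse-zone commands from the report for a given
# DC address. Assumes IPv4 and a /24 reverse zone. All names are hypothetical.

# valid_ipv4 IP: succeed only for four decimal octets in the range 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# reverse_zone IP: print the /24 zone name. The network octets appear in
# reverse order, which the "x.y.z" placeholder in the report does not show.
reverse_zone() {
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo "$3.$2.$1.in-addr.arpa"
}

# ptr_name IP: print the record name inside that zone (the last octet).
ptr_name() {
    valid_ipv4 "$1" || return 1
    echo "${1##*.}"
}

# provision_cmds IP FQDN: print (do not run) the zonecreate and PTR commands.
provision_cmds() {
    zone=$(reverse_zone "$1") || return 1
    name=$(ptr_name "$1") || return 1
    echo "samba-tool dns zonecreate $2 $zone"
    echo "samba-tool dns add $2 $zone $name PTR $2"
}

# Constructed sample input (documentation address range, made-up hostname).
provision_cmds 192.0.2.10 dc1.example.internal
```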
