
[Samba] specify alternative port for samba internal dns server


Ben Cohen
Feb 26, 2015, 5:20:03 PM
I asked this question on serverfault
http://serverfault.com/questions/666972/possible-to-make-samba4s-internal-dns-server-listen-on-non-standard-port

I would like to be able to configure the internal samba dns server to
listen on a port other than 53 so I can easily interoperate the samba
internal dns with another dns server on the same host.

Many other samba services have configuration to change the default port --
the dns server should as well.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny
Feb 26, 2015, 5:40:03 PM
On 26/02/15 22:15, Ben Cohen wrote:
> I asked this question on serverfault
> http://serverfault.com/questions/666972/possible-to-make-samba4s-internal-dns-server-listen-on-non-standard-port
>
> I would like to be able to configure the internal samba dns server to
> listen on a port other than 53 so I can easily interoperate the samba
> internal dns with another dns server on the same host.
>
> Many other samba services have configuration to change the default port --
> the dns server should as well.

Just like you were told on the link you provided: *NO*

The kerberos server built into samba4 relies on dns, so the dns server
needs to be authoritative for the dns domain, anything else it forwards to
another dns server outside the domain.

Rowland

Rowland Penny
Feb 26, 2015, 6:10:03 PM
On 26/02/15 22:58, Ben Cohen wrote:
> My goal is for the samba dns server to be authoritative for
> 'ad.mydomain.com' but not for mydomain.com. The dns server that the
> clients in my domain use is statically configured to resolve all
> requests for ad.mydomain.com via the samba internal dns -- I believe
> this is exactly what is required for samba to function ... Is this
> incorrect somehow?

You should point your domain members to the DC. If the record the client
requires is inside the AD domain, the DC will return the answer; if it
doesn't know, it will forward the request to whatever you have set as
the forwarder.

>
> A whole bunch of other samba services can listen on other than the
> default service port through configuration options ... Why should the
> dns service uniquely deserve an all-caps *NO* with regard to this
> configurability?
>

You could always try and alter the ldap port that samba4 listens on, oh
sorry, you cannot change that either can you.

Please stop trying to bend AD to your way of working.

Steve Ankeny
Feb 26, 2015, 6:20:04 PM
I found with my Windows clients it was extremely important to point them
to the Samba AD only.

No other ip_address for DNS, and as Rowland indicates, anything they
need outside the domain is resolved by Samba forwarding the request (in
my case, it's our gateway device which in turn forwards outside)

On 02/26/2015 06:06 PM, Rowland Penny wrote:
> On 26/02/15 22:58, Ben Cohen wrote:
>> My goal is for the samba dns server to be authoritative for
>> 'ad.mydomain.com' but not for mydomain.com. The dns server that the
>> clients in my domain use is statically configured to resolve all
>> requests for ad.mydomain.com via the samba internal dns -- I believe
>> this is exactly what is required for samba to function ... Is this
>> incorrect somehow?
>
> You should point your domain members to the DC. If the record the
> client requires is inside the AD domain, the DC will return the answer;
> if it doesn't know, it will forward the request to whatever you have set
> as the forwarder.

Rowland Penny
Feb 26, 2015, 7:10:03 PM
On 26/02/15 23:39, Ben Cohen wrote:
> Please stop making the assumption that I don't have different problems
> than you...
>
> I support IT environments that are connected via incredibly slow
> internet links -- user clients CANNOT use something other than my dns
> server as their dns resolver -- I have to implement logic which
> controls all internet access, including dns resolution, on a per user
> basis per-byte basis -- if I put another dns server in-between me and
> the network clients, I lose the information by which my dns
> forwarding-resolver can make the identity determination. Perhaps you
> have some way of passing forward the identity information regarding
> which client is making the dns request in a way that my
> network-access-control appliance understands -- oh, right no you don't
> do you?
>
> In my testing my approach seems to work the way I want to do things --
> two servers, one with dnsmasq, one with samba internal dns. Clients
> point at my dnsmasq, dnsmasq resolves ad domain via samba dns. Is
> this not appropriate for some reason? How does this go against the
> 'ad' way? As far as I can tell there is absolutely nothing wrong with
> this architecture ... why should the clients need to talk to the samba
> dns directly rather than via my intermediary -- is that actually
> required? It's my impression that my campus network doesn't do this
> with normal active directory -- I believe they run BIND and queries
> for ad.foo.com are resolved via authoritative AD
> dns servers running on windows server ... Isn't that the normal way?
>
> The reason I want to run the samba4 dns on a different port than the
> default is to avoid having to run an additional OS -- my environments
> are very expensive to put equipment in, reducing the hardware and OS
> count is desirable, particularly where there is not a good reason that
> something needs to have its own OS instance ...
>
> It seems you reference a straw-man desire to customize the ldap server
> port in order to evoke some history of problems surrounding people
> trying to use services that don't work with the AD model within
> samba. In fact my GOAL is exactly the opposite -- I WANT to USE the
> samba integrated dns in order to avoid having any issues with the
> required set of magic AD dns behaviours -- rather than trying to hack
> those required dns behaviours into my existing dns configuration ...
>
> I appreciate your thoughts and if my suggested approach (with two
> servers) truly isn't going to work, it would be huge if you or someone
> else could tell me and give a lot of insight why ... because my plan even
> with a *NO* on the ability to change the port that samba-dns listens
> on, is to use two servers as described above ... If that's not gonna
> work for some reason it'd be awesome to find out now ...
>
> Thanks,
>
> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny
> <rowlan...@googlemail.com> wrote:
>
> On 26/02/15 22:58, Ben Cohen wrote:
>
> My goal is for the samba dns server to be authoritative for
> 'ad.mydomain.com' but not for mydomain.com. The dns server
> that the clients in my domain use is statically configured to
> resolve all requests for ad.mydomain.com via the samba internal
> dns -- I believe this is exactly what is required for samba to
> function ... Is this incorrect somehow?
>
>
> You should point your domain members to the DC. If the record the
> client requires is inside the AD domain, the DC will return the
> answer; if it doesn't know, it will forward the request to
> whatever you have set as the forwarder.
>
>
> A whole bunch of other samba services can listen on other than
> the default service port through configuration options ...
> Why should the dns service uniquely deserve an all-caps *NO*
> with regard to this configurability?
>
>
> You could always try and alter the ldap port that samba4 listens
> on, oh sorry, you cannot change that either can you.
>
> Please stop trying to bend AD to your way of working.
>
>
> Rowland

Please stop sending emails directly to me, keep it on list.

If you are struggling with resources, you could run another OS inside a
VM and point the samba forwarder to a DNS server running on the OS in
the VM.

Would you try and circumvent the way a Windows server works? I do not
think so, and as Samba4 AD works exactly the same as Windows AD, you
shouldn't try to change the way it works.

Note that this is the last I will have to say on this subject.

Ben Cohen
Feb 26, 2015, 7:20:03 PM
My goal is for the samba dns server to be authoritative for 'ad.mydomain.com'
but not for mydomain.com. The dns server that the clients in my domain use
is statically configured to resolve all requests for ad.mydomain.com via
the samba internal dns -- I believe this is exactly what is required for
samba to function ... Is this incorrect somehow?

A whole bunch of other samba services can listen on other than the default
service port through configuration options ... Why should the dns service
uniquely deserve an all-caps *NO* with regard to this configurability?


Ben Cohen
Feb 26, 2015, 7:20:03 PM
Whoops - sorry for responding to you directly rather than via the list -- I
only use gmail for extremely high-volume mailing lists, and usually that's
just to skim-read them -- so I don't know the gmail web-ui very well (and
it seems to change all the time) -- apologies. (Also I have no idea how to
not top-post with gmail ... I'll figure that out for next time)

You seem to have strong opinions regarding the default port for the dns
server - I disagree with you but I'm not going to try to change your deeply
held beliefs.

While expressing your opinions earlier in the thread, the idea was raised
that it is somehow _REQUIRED_ for clients to use the samba internal dns
directly rather than receive dns responses via an intermediary dns server
-- can someone confirm whether or not this is the case?


Ben Cohen
Feb 26, 2015, 7:20:04 PM
That's not good! Do you have any insight why this would be?

Thanks,


Ben Cohen
Feb 26, 2015, 7:20:04 PM
Please stop making the assumption that I don't have different problems than
you...

I support IT environments that are connected via incredibly slow internet
links -- user clients CANNOT use something other than my dns server as
their dns resolver -- I have to implement logic which controls all internet
access, including dns resolution, on a per user basis per-byte basis -- if
I put another dns server in-between me and the network clients, I lose the
information by which my dns forwarding-resolver can make the identity
determination. Perhaps you have some way of passing forward the identity
information regarding which client is making the dns request in a way that
my network-access-control appliance understands -- oh, right no you don't
do you?

In my testing my approach seems to work the way I want to do things -- two
servers, one with dnsmasq, one with samba internal dns. Clients point at
my dnsmasq, dnsmasq resolves ad domain via samba dns. Is this not
appropriate for some reason? How does this go against the 'ad' way? As
far as I can tell there is absolutely nothing wrong with this architecture
... why should the clients need to talk to the samba dns directly rather
than via my intermediary -- is that actually required? It's my impression
that my campus network doesn't do this with normal active directory -- I
believe they run BIND and queries for ad.foo.com are resolved via
authoritative AD dns servers running on windows server ... Isn't that the
normal way?

The reason I want to run the samba4 dns on a different port than the
default is to avoid having to run an additional OS -- my environments are
very expensive to put equipment in, reducing the hardware and OS count is
desirable, particularly where there is not a good reason that something
needs to have its own OS instance ...

It seems you reference a straw-man desire to customize the ldap server port
in order to evoke some history of problems surrounding people trying to use
services that don't work with the AD model within samba. In fact my GOAL
is exactly the opposite -- I WANT to USE the samba integrated dns in order
to avoid having any issues with the required set of magic AD dns behaviours
-- rather than trying to hack those required dns behaviours into my
existing dns configuration ...

I appreciate your thoughts and if my suggested approach (with two servers)
truly isn't going to work, it would be huge if you or someone else could
tell me and give a lot of insight why ... because my plan even with a *NO* on
the ability to change the port that samba-dns listens on, is to use two
servers as described above ... If that's not gonna work for some reason
it'd be awesome to find out now ...

Thanks,


John Yocum
Feb 26, 2015, 7:30:02 PM
Your clients don't have to query your Samba DC's for DNS directly.
Though, it does make troubleshooting/resolving issues much simpler.

One thought would be, replace dnsmasq with BIND, and use BIND to do
Samba's DNS along with your other DNS needs.
--
John Yocum, Systems Administrator, DEOHS

Rowland Penny
Feb 26, 2015, 7:30:03 PM
On 27/02/15 00:10, Ben Cohen wrote:
> Whoops - sorry for responding to you directly rather than via the list -- I
> only use gmail for extremely high-volume mailing lists, and usually that's
> just to skim-read them -- so I don't know the gmail web-ui very well (and
> it seems to change all the time) -- apologies. (Also i have no idea how to
> not top-post with gmail ... I'll figure that out for next time)
>
> You seem to have strong opinions regarding the default port for the dns
> server - I disagree with you but I'm not going to try to change your deeply
> held beliefs.
>
> While expressing your opinions earlier in the thread, the idea was raised
> that it is somehow _REQUIRED_ for clients to use the samba internal dns
> directly rather than receive dns responses via an intermediary dns server
> -- can someone confirm whether or not this is the case?
>
>

Try reading this samba wiki page:
https://wiki.samba.org/index.php/DNS#Which_DNS_backend_should_I_choose.3F

Especially the bit at the top.

Ben Cohen
Feb 26, 2015, 8:10:03 PM
Ok great -- thanks for the response. Based on your answer, I'm under the
impression my approach should work fine then.

As for switching to BIND -- my networks are small, BIND is a whole lot more
dns-server than I need ... dnsmasq has advantages over BIND -- it's much
easier to administer, much more flexible, we use it for dhcp, and perhaps
most importantly -- we are already using it ...

With this setup samba-dns should own all dns behaviours that depend on AD,
and the rest of my environment's behaviours will work exactly as before (so
long as there's not something basic that I'm not understanding). I
don't see why this should be considered a hard to troubleshoot arrangement,
all the tricky dns stuff should be handled within the samba dns server ...
I know from experience that troubleshooting BIND with external dynamic dns
mutators is not particularly fun ... This approach requires much less
heavy inter-service dependencies in my opinion -- samba wholly owns the ad
dns, dnsmasq points to ad dns for the ad domain as it would any other dns
server -- no BIND-DDNS synchronization is needed ...

Thanks again for the thoughts -- and I hope I'm not coming across as
someone who's repeatedly disregarding advice. I'm in a position where I do
want to use the internal samba dns, but I can't point my clients at the
internal dns as their primary dns server. It seems to me like there might
be a lot of other environments where this same approach would make samba4
integration substantially more straightforward than the two approaches
described in the samba4 documentation ...

Ben Cohen
Feb 26, 2015, 8:20:03 PM
I read that page -- but I'm not seeing anything that makes me think my dns
strategy is inappropriate ...

The article does describe the possible deployment strategies in what I
believe to be an overly constrained manner:

From the wiki:

---

You can use either the internal DNS server that is built into the samba4
binary, or an external bind DNS server. Default is to use the internal
server, and it is highly recommended that when you start using Samba4 as
AD-DC for the first time, you install it this way. You can later switch
between the two variants if needed. If you do use an external bind DNS
server, it must use the DLZ backend and run on the Samba AD DC.

---

In my opinion this should be augmented to explain that its simple to use
the internal samba dns in combination with an external dns server.


Something like:

---

You can use the samba internal dns in combination with any other dns server
so long as that external dns server resolves queries for your active
directory domain via the samba dns server.


For example, suppose you've configured a samba domain to use the internal
dns as like this:

# samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.EXAMPLE.COM]: SAMDOM.EXAMPLE.COM
Domain [SAMDOM]: SAMDOM


The above configures samba and sets the internal samba-dns as the
authoritative dns server for samdom.example.com. To ensure clients find
the necessary active directory information for samdom.example.com, ensure
the dns server on your network resolves all queries for samdom.example.com
via the samba internal dns server.


For example to configure a dnsmasq server to resolve queries for
samdom.example.com via the samba internal dns server -- include in your
dnsmasq configuration:

server=/samdom.example.com/192.168.1.2

where 192.168.1.2 in the above is the ip address of the server running
samba4.

---


This third strategy uses the samba internal dns for all dns behavior that
samba/ad depends on, while still allowing use of another dns server.
The source of truth for samdom.example.com is the samba-dns which is
tightly (and correctly) integrated with the semantics of the active
directory domain. This setup does not require use of BIND and does not
require clients on the network use the samba dns for name resolution.


Marc Muehlfeld
Feb 27, 2015, 9:50:03 AM
Hello Ben,

Am 27.02.2015 um 01:14 schrieb Ben Cohen:
> My goal is for the samba dns server to be authoritative for 'ad.mydomain.com'
> but not for mydomain.com.

If ad.mydomain.com is your AD domain, then AD is authoritative for that.
But it's not for mydomain.com.



> The dns server that the clients in my domain use
> is statically configured to resolve all requests for ad.mydomain.com
> via the samba internal dns -- I believe this is exactly what is
> required for samba to function ... Is this incorrect somehow?

It doesn't matter which DNS the clients use. You only must ensure that
this DNS server is able to resolve the zones your AD uses. E. g. we use
a BIND server at work on one site that forwards all requests for the AD
zone to the AD DNS servers.


If you want to run DNS on a different port, then you have to use
BIND_DLZ and not the internal DNS. BIND you can configure to run on a
different port. But as already said before: you have to make sure that
the DNS your AD servers and clients use is able to resolve the AD
zones, or your AD won't work. AD heavily relies on a working DNS.


Regards,
Marc

Andrew Bartlett
Feb 28, 2015, 8:30:03 PM
On Thu, 2015-02-26 at 16:10 -0800, Ben Cohen wrote:
>
> While expressing your opinions earlier in the thread, the idea was
> raised
> that it is somehow _REQUIRED_ for clients to use the samba internal
> dns
> directly rather than receive dns responses via an intermediary dns
> server
> -- can someone confirm whether or not this is the case?

It is, as GSS-TSIG secured dynamic updates must go directly to the
target server on port 53, they are not proxied.

If you need to run multiple services, and pointing clients at another
DNS server to proxy to samba is a supported configuration, just don't
try and change the port, change the IP (multiple IP addresses on a
single physical adaptor), and ensure that like LDAP, clients can still
reach it directly.

I really should get around to proposing removal of the various 'xxx
port' options for AD services. These just add complexity and encourage
folks down the wrong line of thought, rather than to virtual interfaces.
The selection of which services are in or not in that list is
essentially random - portmapper on 135, ldap and ldaps also are not
listed, but cldap is!

As to BIND being overkill, the time I've spent working in AD has shown
me that everything looks like overkill until you have to implement
everything that is needed. The choice of DNS servers seems to be
something folks get very passionate about, I actually wish we had just
mandated BIND9 and put the effort into automating the configuration.
The current situation where users hope for the simplicity of 'internal
DNS' with just one more option

I hope this helps,

Andrew Bartlett



--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
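The host-level setup Andrew describes above (one machine, two addresses, Samba's DNS left on port 53, dnsmasq on the other address forwarding the AD zone to Samba exactly as in Ben's proposed wiki text), together with the checks Marc's and Andrew's replies call for, as an added example that is not part of this thread and not code from the Samba project. It assumes an interface named eth0, 192.168.1.2 for Samba and 192.168.1.3 for dnsmasq, 192.168.1.1 as the upstream resolver, a Debian-style /etc/dnsmasq.d drop-in directory, and that Samba honours "interfaces" / "bind interfaces only" for its internal DNS server; all of those names and addresses are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: split the host, not the port.
# Assumed values (change for your site): eth0, 192.168.1.x, samdom.example.com.
SAMBA_IP=192.168.1.2      # Samba internal DNS stays on port 53 here
DNSMASQ_IP=192.168.1.3    # second address on the same NIC; clients use this
UPSTREAM=192.168.1.1      # where dnsmasq sends everything outside the AD zone
AD_ZONE=samdom.example.com
IFACE=eth0

# Refuse the two layouts this thread warns about: both servers on one address
# (the port 53 clash), and Samba's forwarder looping back to Samba itself.
check_split() {
    samba=$1; dnsmasq=$2; forwarder=$3
    if [ "$samba" = "$dnsmasq" ]; then
        echo "samba and dnsmasq both on $samba: port 53 clash" >&2; return 1
    fi
    if [ "$forwarder" = "$samba" ]; then
        echo "dns forwarder $forwarder points back at samba" >&2; return 1
    fi
    return 0
}

# dnsmasq: listen only on its own address, send the AD zone to Samba and
# everything else upstream (no-resolv keeps it from reading resolv.conf).
dnsmasq_conf() {
    cat <<EOF
listen-address=$DNSMASQ_IP
bind-interfaces
no-resolv
server=/$AD_ZONE/$SAMBA_IP
server=$UPSTREAM
EOF
}

# smb.conf [global] lines to merge by hand: bind Samba (assumed to include
# its DNS server) to its own address, and forward non-AD lookups to dnsmasq.
smb_conf_dns() {
    cat <<EOF
interfaces = lo $SAMBA_IP
bind interfaces only = yes
dns forwarder = $DNSMASQ_IP
EOF
}

# SRV records Samba registers and domain members look up; whatever resolver
# a client uses, Samba directly or a proxy in front of it, must answer these.
ad_srv_names() {
    for n in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp \
             _ldap._tcp.dc._msdcs; do
        echo "$n.$AD_ZONE"
    done
}

apply() {
    check_split "$SAMBA_IP" "$DNSMASQ_IP" "$DNSMASQ_IP" || exit 1
    ip addr add "$DNSMASQ_IP/24" dev "$IFACE"
    dnsmasq_conf > /etc/dnsmasq.d/ad-split.conf
    echo "merge into /etc/samba/smb.conf [global]:"; smb_conf_dns
}

verify() {
    # 1. The client path: every AD SRV record must resolve through dnsmasq.
    for name in $(ad_srv_names); do
        dig +short @"$DNSMASQ_IP" SRV "$name" | grep -q . \
            || echo "MISSING via dnsmasq: $name"
    done
    # 2. The direct path GSS-TSIG updates need: Samba itself, port 53.
    dig +short @"$SAMBA_IP" SOA "$AD_ZONE"
    # 3. On the DC, re-register its own records over secured dynamic update.
    samba_dnsupdate --verbose
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify ;;
esac
```

Run it as "sh ad-split.sh apply" on the DC, merge the printed smb.conf lines, restart dnsmasq and samba, then "sh ad-split.sh verify". The DC's own resolv.conf keeps pointing at 127.0.0.1 or 192.168.1.2 as the Samba documentation requires, so non-AD lookups from the DC go Samba -> dnsmasq -> upstream while client lookups for the AD zone go dnsmasq -> Samba; neither direction loops because Samba is authoritative for the zone and never forwards it. From a Windows member, "ipconfig /registerdns" exercises the secured update path Andrew mentions; it has to reach 192.168.1.2 on port 53 directly, which is why the split is a second address rather than a second port.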

Andrew Bartlett
Feb 28, 2015, 8:30:03 PM
If you apply for a wiki account, then I think the above would be quite
reasonable to add.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

