[Samba] Samba AD with external DNS server


Harry Busch (bh@hs-furtwangen.de)
Mar 20, 2015, 9:30:04 AM
Hello,

We have Samba4 (Sernet, version 4.1) on a Debian Wheezy server. There we try to
use our Infoblox (it is our primary and secondary DNS server) as an external DNS
server for the Active Directory on the Samba4 server. It doesn't matter which
setup option (SAMBA_INTERNAL, BIND9_DLZ, NONE) we use, it doesn't work.

Harry
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny
Mar 20, 2015, 9:40:04 AM
On 20/03/15 13:20, Harry Busch (b...@hs-furtwangen.de) wrote:
> Hallo,
>
> We have Samba4 (Sernet, Version4.1) on a Debian Wheezy server. There we try to
> use our Infoblox (It is our primary and secondary DNS server) as an external DNS
> server for the active directory on the samba4 server. It doesn’t matter which
> setup option (Samba_internal, bind_dlz, none) we use it doesn’t work.
>
> Harry

Yes, you are quite correct, it will not work. You need to set the Samba
4 AD DC as the DNS server for the AD domain and then forward anything
outside the AD domain to the infoblox device.

Rowland

L.P.H. van Belle
Mar 20, 2015, 9:50:03 AM
Add this to your named.conf.options on the master (DC).

Before the options block add (and change the ranges to your own ranges or IPs):

// networks that may use this server; adjust to your own ranges
acl all-networks {
    192.168.0.0/24;
    10.249.0.0/16;
};

In the options block:

    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { "all-networks"; 127.0.0.1/32; };
    // Add any subnets or hosts you want to allow to use recursive queries
    allow-recursion { "all-networks"; 127.0.0.1/32; };

And in the slave DNS server, add this to named.conf.local:

///// ZONE SLAVE
zone "your.domain.tld" IN {
    type slave;
    masters { HERE_IP_OF_DC; };    // the Samba DC is the master for the zone
    file "/var/cache/bind/db.your.domain.tld.hosts";
    notify no;
    // only the DC and localhost may pull a copy of the zone
    allow-transfer { HERE_IP_OF_DC; 127.0.0.1; ::1; };
};
zone "0.168.192.in-addr.arpa" {
    type slave;
    masters { HERE_IP_OF_DC; };
    file "/var/cache/bind/db.your.domain.tld.rev";
    notify no;
    allow-transfer { HERE_IP_OF_DC; 127.0.0.1; ::1; };
};

And try again.
This works fine for me.

Greetz,
Louis


>-----Original message-----
>From: Harry...@hs-furtwangen.de
>[mailto:samba-...@lists.samba.org] On behalf of Harry Busch
>(b...@hs-furtwangen.de)
>Sent: Friday, 20 March 2015 14:20
>To: sa...@lists.samba.org
>Subject: [Samba] Samba AD with external DNS server

Sven Schwedas
Mar 20, 2015, 9:50:04 AM
On 2015-03-20 14:20, Harry Busch (b...@hs-furtwangen.de) wrote:
> Hallo,
>
> We have Samba4 (Sernet, Version4.1) on a Debian Wheezy server. There we try to
> use our Infoblox (It is our primary and secondary DNS server) as an external DNS
> server for the active directory on the samba4 server. It doesn’t matter which
> setup option (Samba_internal, bind_dlz, none) we use it doesn’t work.

"Doesn't work" is not a problem description, it's shorthand for "please
ridicule me".

--
Best regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.s...@tao.at | +43 (0)680 301 7167
http://software.tao.at


L.P.H. van Belle
Mar 20, 2015, 9:50:05 AM
Oh sorry, I didn't read it correctly.
Forget my previous mail.

Rowland is right.

Louis


>-----Original message-----
>From: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
>Sent: Friday, 20 March 2015 14:34
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Samba AD with external DNS server

L.P.H. van Belle
Mar 20, 2015, 10:00:04 AM
Sven, I'll explain a bit.

If you use Samba4 AD DCs, then these are always your master DNS servers.
This is because Samba handles the DNS.

But you can forward it, like what I "wrongly" suggested in my previous e-mail.
Now what you can do is the following.

SAMBADC1 => Slave DNS1.
SAMBADC2 => Slave DNS2.

In my case I have multiple other zones as master in "Slave DNS1".
Here I have an automatically created zone, and this zone is also a slave in Slave DNS2.
Why not by my Samba? Only one server has access to a remote network, and based on pings
I recreate these zones.
Don't ask why, but this other network does not allow stub zones. :-(

So for Harry
(based on BIND9_DLZ)

A suggestion is:

Put your Samba servers in another zone than the one your Infoblox is handling.

Set these as slave zones in your Infoblox
and add alias records in the Infoblox zone for the needed records,
and/or make sure the "search" in /etc/resolv.conf also has the Samba zone.

Should work IMO.

Greetz,

Louis



>-----Original message-----
>From: sven.s...@tao.at
>[mailto:samba-...@lists.samba.org] On behalf of Sven Schwedas
>Sent: Friday, 20 March 2015 14:38
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Samba AD with external DNS server
>
>On 2015-03-20 14:20, Harry Busch (b...@hs-furtwangen.de) wrote:
>> Hallo,
>>
>> We have Samba4 (Sernet, Version4.1) on a Debian Wheezy
>server. There we try to
>> use our Infoblox (It is our primary and secondary DNS
>server) as an external DNS
>> server for the active directory on the samba4 server. It
>doesn't matter which
>> setup option (Samba_internal, bind_dlz, none) we use it doesn't work.
>
>"Doesn't work" is not a problem description, it's shorthand for "please
>ridicule me".
>
>--
>Best regards,
>Sven Schwedas
>Systemadministrator
>TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
>Mail/XMPP: sven.s...@tao.at | +43 (0)680 301 7167
>http://software.tao.at
>

TAKAHASHI Motonobu
Mar 20, 2015, 11:30:03 PM
Hello,

>> We have Samba4 (Sernet, Version4.1) on a Debian Wheezy
>> server. There we try to use our Infoblox (It is our
>> primary and secondary DNS server) as an external DNS
>> server for the active directory on the samba4 server. It
>> doesn’t matter which setup option (Samba_internal,
>> bind_dlz, none) we use it doesn’t work.
>
>Yes, you are quite correct, it will not work. You need to set
>the Samba
>4 AD DC as the DNS server for the AD domain and then forward anything
>outside the AD domain to the infoblox device.

You can use an external DNS server for AD, but it is strongly discouraged.
If you want to use an external DNS server:

0) Confirm Infoblox's DNS server is AD compatible.
See https://technet.microsoft.com/en-us/library/cc755717%28v=ws.10%29.aspx
1) Choose the setup option BIND9_FLATFILE.
2) Pick up the generated zone file (in /usr/local/samba/private/dns,
if you installed Samba from source).
3) Add the resource records defined in the zone file
to Infoblox's zone.

But it is highly discouraged, because unless you enable the Dynamic DNS
feature, if you change some AD settings, for example adding new DCs,
configuring AD Site settings, ..., you have to manually update the DNS
records corresponding to these.

---
TAKAHASHI Motonobu <mo...@monyo.com> / @damemonyo
facebook.com/takahashi.motonobu
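To make steps 2) and 3) concrete, here is an added example; it is not from this thread or from Samba itself. It parses a BIND-style master zone file of the kind BIND9_FLATFILE writes (the sample zone in the code is constructed, with a made-up realm samdom.example.com, DC dc1 and address 10.99.0.1; a real export has more records and a version-specific layout), lists the records with relative targets made absolute so they can be entered into the external DNS, and flags any of the _msdcs/Kerberos SRV names an AD client needs that are missing. It also shows the maintenance point above: every DC that is added or moved changes this list, and with a static external zone that delta has to be applied by hand.

```python
"""Pull the AD resource records out of a BIND-style zone file (the format
Samba's BIND9_FLATFILE option writes) so they can be re-created in an
external DNS server, and check that nothing an AD client needs is missing.
Added example; the zone below is constructed, not a real Samba export."""
from collections import defaultdict
import re

# Constructed sample in the shape of Samba's flat-file zone; realm, host
# name and address are made up.
SAMPLE_ZONE = """\
$ORIGIN samdom.example.com.
$TTL 1W
@       IN SOA  dc1 hostmaster (
                2015032001 ; serial
                3H         ; refresh
                1H         ; retry
                1W         ; expire
                1D )       ; minimum TTL
        IN NS   dc1
        IN A    10.99.0.1
dc1     IN A    10.99.0.1
gc._msdcs               IN CNAME dc1
_gc._tcp                IN SRV 0 100 3268 dc1
_ldap._tcp              IN SRV 0 100 389  dc1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389  dc1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389  dc1
_kerberos._tcp          IN SRV 0 100 88   dc1
_kerberos._udp          IN SRV 0 100 88   dc1
_kpasswd._tcp           IN SRV 0 100 464  dc1
"""

# Names (relative to the zone) that clients query to locate a DC and KDC.
REQUIRED = [
    ("_ldap._tcp", "SRV"), ("_ldap._tcp.dc._msdcs", "SRV"),
    ("_ldap._tcp.pdc._msdcs", "SRV"), ("_gc._tcp", "SRV"),
    ("_kerberos._tcp", "SRV"), ("_kerberos._udp", "SRV"),
    ("_kpasswd._tcp", "SRV"), ("gc._msdcs", "CNAME"),
]

_TTL = re.compile(r"\d+[smhdwSMHDW]?")


def qualify(name, origin):
    """Make a zone-relative owner or target name absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, {(fqdn, type): [rdata, ...]}) for a master-file zone.
    Handles $ORIGIN, ';' comments, inherited owner names and the
    parenthesised multi-line SOA; $TTL is accepted and ignored."""
    origin, last_owner, depth, buf = None, None, 0, []
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                           # still inside ( ... )
            continue
        logical = " ".join(buf).replace("(", " ").replace(")", " ")
        buf = []
        if logical.startswith("$ORIGIN"):
            origin = logical.split()[1]
            continue
        if logical.startswith("$TTL"):
            continue
        fields = logical.split()
        owner = last_owner if logical[0].isspace() else fields.pop(0)
        last_owner = owner
        if fields and _TTL.fullmatch(fields[0]):
            fields.pop(0)                       # per-record TTL
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                       # class
        rtype = fields.pop(0).upper()
        records[(qualify(owner, origin), rtype)].append(" ".join(fields))
    return origin, records


def missing_required(origin, records):
    """REQUIRED entries the zone does not define (what would break a join)."""
    return [(n, t) for n, t in REQUIRED if (f"{n}.{origin}", t) not in records]


def export_rows(origin, records):
    """(fqdn, type, rdata) rows with relative SRV/CNAME/NS targets made
    absolute, i.e. what has to be typed into the external DNS zone."""
    rows = []
    for (fqdn, rtype), rdatas in records.items():
        for rdata in rdatas:
            if rtype in ("SRV", "CNAME", "NS"):
                parts = rdata.split()
                parts[-1] = qualify(parts[-1], origin)
                rdata = " ".join(parts)
            rows.append((fqdn, rtype, rdata))
    return sorted(rows)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    origin, records = parse_zone(text)
    for row in export_rows(origin, records):
        print("%-45s %-6s %s" % row)
    gaps = missing_required(origin, records)
    if gaps:
        sys.exit("missing: " + ", ".join(f"{n} {t}" for n, t in gaps))
```

Run it with the path of the generated zone file as the only argument; without an argument it processes the constructed sample. The exit status is non-zero when one of the required names is absent, which makes it usable as a check after every AD change that has to be mirrored into the external zone.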

Marc Muehlfeld
Mar 21, 2015, 3:20:03 PM
On 20.03.2015 at 14:34, Rowland Penny wrote:
> Yes, you are quite correct, it will not work. You need to set the Samba
> 4 AD DC as the DNS server for the AD domain and then forward anything
> outside the AD domain to the infoblox device.

Or he can put a forward zone on his two DNS servers. If your two DNS
servers are running BIND, add the following to your named.conf:

// forward the AD zone to the Samba AD DCs (replace with your DCs' addresses)
zone "samdom.example.com" {
    type forward;
    forwarders { 10.99.0.1; 10.99.0.2; };
};


The only important thing is that the clients use a DNS server that is
able to resolve the AD DNS zone(s). Whether they resolve the zone directly
via the AD DNS or by asking a different host that forwards to it doesn't
matter.


Regards,
Marc
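Whichever way the delegation is done (clients pointed at the DC as Rowland describes, with the DC forwarding everything else to the Infoblox, or a forward zone on the existing servers as above), the check that matters is the one Marc states: does the resolver the clients are handed actually answer the AD SRV records? With the SAMBA_INTERNAL backend the outbound forwarding is the `dns forwarder` parameter in smb.conf; with BIND9_DLZ it is a `forwarders` statement in named.conf.options. The following is an added example, not from the thread or from Samba: a standard-library-only Python SRV lookup that builds the DNS wire-format query itself (no dnspython needed on a bare Debian box) and parses compressed names in the reply, together with the _msdcs and Kerberos names a client queries during DC location. The realm samdom.example.com and host dc1 used in the comments are made up; pass the resolver address your clients use and your own realm.

```python
"""Check that a resolver answers the SRV records an AD client uses to find
a domain controller, using only the standard library (no dnspython).
Added example, not from the thread or from Samba."""
import random
import socket
import struct
import sys

SRV, IN = 33, 1


def ad_srv_names(realm):
    """SRV names a Windows/Samba client queries during DC location and
    Kerberos; realm is the AD DNS domain, e.g. samdom.example.com."""
    return [f"{n}.{realm}" for n in (
        "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
        "_ldap._tcp.pdc._msdcs", "_ldap._tcp", "_kerberos._tcp",
        "_kerberos._udp", "_kpasswd._tcp", "_gc._tcp")]


def encode_name(name):
    """Wire-format name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, txid, qtype=SRV):
    """Standard query, recursion desired (flags 0x0100), one question."""
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, IN))


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                   # compression pointer
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | data[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(data, txid):
    """Return (rcode, [(priority, weight, port, target), ...]). Answer
    records that are not SRV (e.g. a CNAME chain) are skipped."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", data, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode, off, answers = flags & 0xF, 12, []
    for _ in range(qd):                         # skip the question section
        _, off = _read_name(data, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack_from("!HHH", data, off)
            target, _ = _read_name(data, off + 6)
            answers.append((prio, weight, port, target))
        off += rdlen
    return rcode, answers


def lookup_srv(resolver, name, timeout=3.0):
    """Send one UDP query to `resolver` (port 53) and parse the reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data, txid)


if __name__ == "__main__":
    # usage: python3 check_ad_srv.py <resolver-ip> <realm>
    resolver, realm = sys.argv[1], sys.argv[2]
    failed = False
    for name in ad_srv_names(realm):
        rcode, answers = lookup_srv(resolver, name)
        ok = rcode == 0 and bool(answers)
        failed = failed or not ok
        print("OK  " if ok else "FAIL", name, answers or f"rcode={rcode}")
    sys.exit(1 if failed else 0)
```

Run it once against the DC itself and once against the Infoblox (or whatever address /etc/resolv.conf hands the clients); the two runs should return the same SRV targets. A FAIL with rcode=3 (NXDOMAIN) from the external server while the DC answers is the signature of a missing forward zone or delegation, and a timeout usually means the query is being answered by a server that is authoritative for the parent zone and does not know about the AD zone at all.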