
[Samba] multiple dns forwarders


mourik jan heupink

Mar 19, 2014, 6:50:01 AM
Hi,

To make our AD more robust, I'd like to provide more than one dns
forwarder, like for example:

dns forwarder = 8.8.8.8 8.8.4.4

However, this seems to break dns resolution completely (and without
logging errors in the logs!):

# Host test.com not found: 3(NXDOMAIN)

With only one forwarder things work:

$ test.com has address 208.64.121.161

Am I really allowed to specify only one forwarder? And if I really
cannot enter two ip's, should samba not log an error?

Regards,
MJ

--
Mourik Jan Heupink
sys admin
unu-merit - www.merit.unu.edu
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

David Bear

Mar 19, 2014, 11:50:02 AM
If you are using bind, then isn't the syntax

forwarders { 8.8.8.8; 8.8.4.4; };

The semi-colon is required everywhere.


On Wed, Mar 19, 2014 at 3:39 AM, mourik jan heupink
<heu...@merit.unu.edu> wrote:
--
David Bear
mobile: (602) 903-6476

Rowland Penny

Mar 19, 2014, 12:10:03 PM
On 19/03/14 10:39, mourik jan heupink wrote:
> Hi,
>
> To make our AD more robust, I'd like to provide more than one dns
> forwarder, like for example:
>
> dns forwarder = 8.8.8.8 8.8.4.4
>
> However, this seems to break dns resolution completely (and without
> logging errors in the logs!):
>
> # Host test.com not found: 3(NXDOMAIN)
>
> With only one forwarder things work:
>
> $ test.com has address 208.64.121.161
>
> Am I really allowed to specify only one forwarder? And if I really
> cannot enter two ip's, should samba not log an error?
>
> Regards,
> MJ
>
If you are using the internal DNS, you can only have one forwarder, if
you need more than one, you will have to use bind.

Rowland
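The failure the OP describes (two addresses on the `dns forwarder` line, NXDOMAIN for everything, nothing in the logs) and the one-forwarder limit Rowland states for the internal DNS server can be caught by linting smb.conf before Samba is restarted. The POSIX shell script below is an added example, not code from the thread or from the Samba project; it assumes the parameter is spelled in lowercase as `dns forwarder`, and the three sample configs it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): lint the "dns forwarder" value in an
# smb.conf for the single-forwarder limit of the Samba internal DNS server
# discussed above. Misconfiguration shows only as NXDOMAIN, so check the file.

# Print the value of the "dns forwarder" parameter from an smb.conf-style
# file (first occurrence; lines commented out with # or ; do not match).
get_dns_forwarder() {
    sed -n 's/^[[:space:]]*dns[[:space:]]*forwarder[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1; exit 0 }'
}

# check_dns_forwarder FILE
#   0: exactly one valid forwarder (the only form the thread reports working)
#   1: no forwarder set at all
#   2: more than one address listed (the configuration that returned NXDOMAIN)
#   3: a listed token is not an IPv4 address
check_dns_forwarder() {
    value=$(get_dns_forwarder "$1")
    set -- $value            # word-split the value into one token per address
    if [ $# -eq 0 ]; then
        echo "no dns forwarder set: the internal DNS cannot resolve external names" >&2
        return 1
    fi
    for ip in "$@"; do
        if ! is_ipv4 "$ip"; then
            echo "dns forwarder token '$ip' is not an IPv4 address" >&2
            return 3
        fi
    done
    if [ $# -gt 1 ]; then
        echo "dns forwarder lists $# addresses; the internal DNS honours only one" >&2
        return 2
    fi
    echo "dns forwarder = $1 (ok)"
}

# Constructed sample configs (not real files from the thread).
tmpdir=$(mktemp -d)
cat > "$tmpdir/two.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    dns forwarder = 8.8.8.8 8.8.4.4
EOF
cat > "$tmpdir/one.conf" <<'EOF'
[global]
    dns forwarder = 8.8.8.8
EOF
cat > "$tmpdir/bad.conf" <<'EOF'
[global]
    dns forwarder = 8.8.8.999
EOF

# Usage: run the check over each sample and show the exit status.
for f in one two bad; do
    check_dns_forwarder "$tmpdir/$f.conf" || echo "$f.conf: exit status $?"
done
```

Running the script on a real smb.conf (`check_dns_forwarder /etc/samba/smb.conf`) after sourcing it gives a non-zero exit status for exactly the two-address case that produced the silent NXDOMAIN above, which is the kind of signal the OP was missing from Samba's own logging.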

mourik jan heupink - merit

Mar 19, 2014, 1:30:02 PM
Hi David, DNK, Rowland,

Thanks for your responses. I'm using the internal dns, as it seems
simpler to setup. I understand now that this limits me to only one
forwarder.

I'll think about switching to bind as a backend later, for now I'm
trying to keep things simple. :-)

MJ

DNK

Mar 19, 2014, 1:40:02 PM

On Mar 19, 2014, at 10:27 AM, mourik jan heupink - merit <heu...@merit.unu.edu> wrote:

> Hi David, DNK, Rowland,
>
> Thanks for your responses. I'm using the internal dns, as it seems simpler to setup. I understand now that this limits me to only one forwarder.
>
> I'll think about switching to bind as a backend later, for now I'm trying to keep things simple. :-)
>
> MJ

Hi Mourik,

I just started with Samba 4.x last week, and getting it going under Bind DLZ was not bad at all. It’s a pretty forward process it seems.

D

Marc Muehlfeld

Mar 19, 2014, 2:20:01 PM
On 19.03.2014 18:27, mourik jan heupink - merit wrote:
> Thanks for your responses. I'm using the internal dns, as it seems
> simpler to setup. I understand now that this limits me to only one
> forwarder.
>
> I'll think about switching to bind as a backend later, for now I'm
> trying to keep things simple. :-)

Here you find everything you need for a BIND_DLZ setup:
https://wiki.samba.org/index.php/Dns-backend_bind


Regards,
Marc

steve

Mar 19, 2014, 2:40:02 PM
On Wed, 2014-03-19 at 19:10 +0100, Marc Muehlfeld wrote:
> On 19.03.2014 18:27, mourik jan heupink - merit wrote:
> > Thanks for your responses. I'm using the internal dns, as it seems
> > simpler to setup. I understand now that this limits me to only one
> > forwarder.
> >
> > I'll think about switching to bind as a backend later, for now I'm
> > trying to keep things simple. :-)
>
> Here you find everything you need for a BIND_DLZ setup:
> https://wiki.samba.org/index.php/Dns-backend_bind
>
Hi
But the OP has already provisioned.

Maybe you could include a section in your howto for those moving to bind
from internal?

samba_upgradedns --dns-backend=BIND9_DLZ
gets us started but then there's also the gotchas of permissions to
allow bind access to stuff under private:
the dns partition at sam.ldb.d (and so the folder itself)
dns
dns.keytab

Just a thought.
Cheers,
Steve

Marc Muehlfeld

Mar 19, 2014, 2:50:02 PM
On 19.03.2014 19:29, steve wrote:
> Maybe you could include a section in your howto for those moving to bind
> from internal?

How you switch the backends, you can find in the general DNS HowTo:
https://wiki.samba.org/index.php/DNS#Changing_the_DNS_backend



> samba_upgradedns --dns-backend=BIND9_DLZ
> gets us started but then there's also the gotchas of permissions to
> allow bind access to stuff under private:
> the dns partition at sam.ldb.d (and so the folder itself)
> dns
> dns.keytab

What do you mean by "permissions to allow bind access to stuff under
private"? All file permissions were set during provisioning in a way
that named gets what it requires. The steps in the HowTo are all you
need. I do the switch quite often on my test environment, at least when
I answer user DNS questions I want to verify. I never needed to change
permissions yet.


Regards,
Marc

steve

Mar 19, 2014, 2:50:02 PM
On Wed, 2014-03-19 at 19:43 +0100, Marc Muehlfeld wrote:
> On 19.03.2014 19:29, steve wrote:
> > Maybe you could include a section in your howto for those moving to bind
> > from internal?
>
> How you switch the backends, you can find in the general DNS HowTo:
> https://wiki.samba.org/index.php/DNS#Changing_the_DNS_backend
>
Never knew it existed. 'Publicise' it on the bind howto?
>
>
> > samba_upgradedns --dns-backend=BIND9_DLZ
> > gets us started but then there's also the gotchas of permissions to
> > allow bind access to stuff under private:
> > the dns partition at sam.ldb.d (and so the folder itself)
> > dns
> > dns.keytab
>
> What do you mean with "permissions to allow bind access to stuff under
> private"?

We just explained: after samba_upgradedns all files under private were
root:root
Rob

Marc Muehlfeld

Mar 19, 2014, 3:30:03 PM
On 19.03.2014 19:48, steve wrote:
>> How you switch the backends, you can find in the general DNS HowTo:
>> https://wiki.samba.org/index.php/DNS#Changing_the_DNS_backend
>>
> Never knew it existed. 'Publicise' it on the bind howto?

There is a lot of information in the HowTos. And all the stuff I wrote, I
have linked on the main pages (most on
https://wiki.samba.org/index.php/Samba). Visit the Wiki often. It's
growing. :-)

I don't think this should go to the BIND HowTo. The general DNS HowTo is
a better place for that. But I've added a link in the BIND HowTo to it.




>> What do you mean with "permissions to allow bind access to stuff under
>> private"?
>
> We just explained: after samba_upgradedns all files under private were
> root:root

- Currently I have a BIND backend.
- The files in /usr/local/samba/private/dns/sam.ldb.d/ belong to group
named (this was done on provisioning).
- I switch over to internal. Group is still named.
- I set root:root on all of those files.
- Switch back to bind backend.
- Group is set to named automatically when I run samba_upgradedns.

See:
https://cpaste.org/pkrvtsdp9


So I can't follow you. Or do you mean something else?


Regards,
Marc
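Steve's report of root:root files after samba_upgradedns and Marc's walk-through of the group ownership on the dns partition both reduce to one question: can the named process actually reach the files under private? The POSIX shell check below is an added example, not from the thread, the Samba project or the wiki pages linked above. Its assumptions are that named needs group read and write below private/dns (dynamic updates write into the DNS partition), group rwx on those directories, and group read on private/dns.keytab; the group defaults to `named` but is passed explicitly here, and the directory tree it inspects is a constructed stand-in built under mktemp, not a real Samba private directory.

```shell
#!/bin/sh
# Added example (not from the thread): verify that BIND9_DLZ can reach the
# files under Samba's private directory after samba_upgradedns.
# Assumption: named needs group read+write below private/dns (dynamic
# updates write to the DNS partition), group rwx on its directories, and
# group read on private/dns.keytab. The group name defaults to "named".

# check_dlz_perms PRIVATE_DIR [GROUP]
# Prints every offending path to stderr; returns 0 if all is well, 1 otherwise.
check_dlz_perms() {
    priv=$1
    grp=${2:-named}
    rc=0

    if [ ! -d "$priv/dns" ]; then
        echo "$priv/dns does not exist: has samba_upgradedns been run?" >&2
        return 1
    fi

    # Partition files and directories: wrong group, or group rw (rwx for dirs) missing.
    bad=$(find "$priv/dns" \( ! -group "$grp" \
            -o \( -type d ! -perm -g+rwx \) \
            -o \( -type f ! -perm -g+rw \) \) -print)
    if [ -n "$bad" ]; then
        printf 'needs group %s with rw (rwx on dirs):\n%s\n' "$grp" "$bad" >&2
        rc=1
    fi

    # The keytab only needs to be readable by the group.
    if [ ! -f "$priv/dns.keytab" ]; then
        echo "$priv/dns.keytab missing" >&2
        rc=1
    elif [ -n "$(find "$priv/dns.keytab" \( ! -group "$grp" -o ! -perm -g+r \) -print)" ]; then
        echo "$priv/dns.keytab needs group $grp with read" >&2
        rc=1
    fi
    return $rc
}

# Constructed layout (not a real Samba private dir). The current user's
# primary group id stands in for "named" so the example runs anywhere.
mygrp=$(id -g)
tmpdir=$(mktemp -d)
priv=$tmpdir/private
mkdir -p "$priv/dns/sam.ldb.d"
: > "$priv/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=AD,DC=EXAMPLE,DC=COM.ldb"
: > "$priv/dns.keytab"
chmod 770 "$priv/dns" "$priv/dns/sam.ldb.d"
chmod 660 "$priv/dns/sam.ldb.d/"*.ldb
chmod 640 "$priv/dns.keytab"

# Usage: a correct tree passes; then the partition file loses its group bits
# (what a root:root 600 file from the thread looks like to named) and fails.
check_dlz_perms "$priv" "$mygrp" && echo "permissions ok"
chmod 600 "$priv/dns/sam.ldb.d/"*.ldb
check_dlz_perms "$priv" "$mygrp" || echo "permissions need fixing (exit $?)"
```

Against a live DC the call is `check_dlz_perms /usr/local/samba/private named`, using whatever group the named service actually runs as on that distribution; the function only reports, it never changes ownership or modes, so it is safe to run before and after a backend switch to see whether samba_upgradedns restored what Marc describes.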

steve

Mar 19, 2014, 3:50:02 PM
That's not what happens here. Maybe our version doesn't support it.
named needs access to other files too.
Thanks.

Chris Smith

Mar 19, 2014, 4:00:02 PM
Why not use Unbound as a cache for the network? It's a validating,
recursive, caching DNS resolver that's quite flexible. Can setup as
many forwarders as you like or have it resolve from the root servers.

Rowland Penny

Mar 19, 2014, 4:10:01 PM
Two reasons I can think of: it doesn't have the modifications to work
with samba 4, and I don't think that you can get dhcp to work with it and
samba4.

Rowland

Chris Smith

Mar 19, 2014, 4:40:01 PM
On Wed, Mar 19, 2014 at 4:01 PM, Rowland Penny
<rowlan...@googlemail.com> wrote:
> Two reasons I can think of, It doesn't have the modifications to work with
> samba 4 and I don't think that you can get dhcp to work with it and samba4

It doesn't need to "work with samba 4"; that's what the internal DNS is
for. And there should be no DHCP issues either.

Chris

Rowland Penny

Mar 19, 2014, 4:50:01 PM
On 19/03/14 20:30, Chris Smith wrote:
> On Wed, Mar 19, 2014 at 4:01 PM, Rowland Penny
> <rowlan...@googlemail.com> wrote:
>> Two reasons I can think of, It doesn't have the modifications to work with
>> samba 4 and I don't think that you can get dhcp to work with it and samba4
> It doesn't need to "work with samba 4" that's what the internal DNS is
> for. And there should be no DHCP issues either.
>
> Chris
The OP was referring to the internal DNS server and forwarding to an
external DNS server, which, as you say, you could do with unbound. The
conversation then turned to using bind instead, at which point you
brought up using unbound. I do not think that you can replace, note that
I say replace, the internal DNS server with unbound; it does not have
the required mods to work with Samba 4, unless you know different.

Rowland

Chris Smith

Mar 19, 2014, 5:00:01 PM
On Wed, Mar 19, 2014 at 4:46 PM, Rowland Penny
<rowlan...@googlemail.com> wrote:
> The OP was referring to the internal DNS server and forwarding to an
> external DNS server, which, as you say, you could do with unbound. The
> conversation then turned to using bind instead, at which point, you brought
> up using unbound. I do not think that you can replace, note that I say
> replace, the internal DNS server with unbound, it does not have the required
> mods to work with Samba 4, unless you know different.

I brought up using Unbound as a cache/resolver, not as a replacement
for the internal DNS server, nor as a replacement for an external BIND
in place of the internal DNS server. It will do just fine in that
role, if not better than most, and solves the problem of desiring
multiple forwarders and keeping Samba's internal DNS intact.

Chris
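The split Chris describes, Samba's internal DNS kept as the authoritative server for the AD zone and pointed at one cache that itself has several upstreams, looks like this in Unbound's configuration. This is an added example, not from the thread, the Samba project or the Unbound project; the cache address 192.0.2.53, the LAN range 192.0.2.0/24, the AD domain ad.example.com, the DC address 192.0.2.10 and the trust-anchor path are all assumptions to adapt.

```conf
# unbound.conf on a dedicated cache host (assumed address 192.0.2.53).
# Added example; every address, name and path here is an assumption.
server:
    interface: 192.0.2.53
    interface: 127.0.0.1
    # Only the LAN (assumed 192.0.2.0/24) and the host itself may query.
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    # DNSSEC validation of upstream answers; the key path is distro-specific.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # The AD zone is unsigned and lives on the Samba DC, so do not try to
    # validate it, and allow private addresses in its answers.
    domain-insecure: "ad.example.com"
    private-domain: "ad.example.com"

# Send queries for the AD zone to the DC (assumed 192.0.2.10) so that LAN
# clients pointing at the cache directly still resolve AD names.
stub-zone:
    name: "ad.example.com"
    stub-addr: 192.0.2.10

# Everything else goes to the upstream forwarders; with forward-first the
# cache falls back to full recursion from the root servers if they all fail.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
    forward-first: yes
```

On the DC, smb.conf then keeps the single-address form the thread reports as working, `dns forwarder = 192.0.2.53`, and the second upstream lives in Unbound instead of in Samba. Validate the file with `unbound-checkconf` before restarting, and keep the access-control lines: a cache that answers recursive queries from anywhere is an open resolver.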

mourik jan heupink

Mar 20, 2014, 6:10:01 AM
Hi all,

Interesting discussion! For now, I'll stick with the samba internal dns,
and I know I can always switch to bind once everything works as expected.

First keep it simple (with only one resolver) and when everything has
been stable and working for a few weeks, switching to bind (and back)
should be easy.

Further to unbound: I have always used dnsmasq as a caching dns server
for internal queries. But my original question was about making samba's
internal dns resolving more robust, by providing more external dns
servers in smb.conf. (which I understand now is not currently possible)

Anyway, thanks for the interesting discussion!

MJ