[Samba] DNS frustration

Scott Goodwin scott at mimicsimulation.com
Tue Oct 8 23:59:03 MDT 2013 

I'm getting fed up with the whole DNS scenario with Samba4. I'm literally
about to go insane. I've spent about 60 hours in the last two weeks and I
can't seem to figure out a solution that meets my requirements.  So what
are my requirements?

* A Samba4 AD domain.
* A DHCP server for approx 100 windows clients/devices
* A DNS server whose forward and reverse zones get updated when Windows
clients' ip addresses change (I don't care if this is via signed updates
between bind and isc-dhcp, via windows client kerberos updates to the AD
controller, or via carrier pigeon).

I am running Centos 6.4 x64, and sernet-samba 4.0.9

Simple, right?  Good lord, I've grown gray hair trying to figure this out,
so either I have a huge blind spot, or it really is complex!
Here's what I've tried, and the problems I've had with each scenario:

* Samba4 with Internal DNS.
This, to my knowledge, addresses all my requirements except for
one<https://bugzilla.samba.org/show_bug.cgi?id=9409>.
 An absolute deal breaker, since we use google apps, and I have to be able
to CNAME mail.mydomain.com to ghs.google.com.   Unless anyone can think of
a workaround? I thought about installing bind on another server that
Internal DNS would forward to, but this just seems silly. I really don't
want the extra maintenance either.

* Samba4 with BIND_DLZ (with windows clients updating AD via kerberos)
Dammit this is so close! But Windows client dns updates do not work.
 Actually, they worked at first, then they stopped working. Errors like
this:
Oct  8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone
mydomain.com
Oct  8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update '
mydomain.com/IN' denied
Oct  8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone
mydomain.com
This is a decidedly ubiquitous problem out there, and one can google on
this for hours, with no solid fixes or answers.  Per this guy's
advice<http://article.gmane.org/gmane.network.samba.general/131081/match=>I
downloaded and compiled bind 9.8, and also 9.9 (just for good measure)
using the proper flags ( --with-dlopen=yes,
 --with-gssapi=/usr/include/gssapi, and WITHOUT the flag
--disable-isc-spnego). After I did this, it actually worked for a few
hours!  Then all of a sudden, stopped working with the above errors
littering my named.log again.

* So finally, I give up on windows clients using kerberos to update the DNS
server.  I'll tackle this by having dhcp update dns, right?  OK, first off,
I have dhcp served off of our Meraki MX60 security appliance.  I like the
easy management interface, but hell, I'm certainly not married to it.
Mainly I like it because when dhcp goes down, all hell breaks loose, so I
like to keep that off of the same server that everything else is on.  So,
ok, I disable dhcp on the meraki and install and configure isc-dhcp on my
AD server.  But now, I can't for the life of me figure out how to have it
and bind work together, while at the same time, have bind serve as a back
end for samba4.  If samba4's dns stuff is all stored in the tdb files, and
the dlz module is the "glue" between bind and AD, then where does isc-dhcp
fit into the picture? I mean, the zone files aren't even in the picture,
because they are in the tdb's.  To be honest, I would really prefer to just
have regular bind zone files to do my dns. This is a familiar format, and I
don't mind the command line fu that goes along with it, but it seems like
this is not possible now (has BIND9_FLATFILE backend been deprecated? Can I
hack it to work?)

I'm desperate now, and even considered this post:
http://edoceo.com/howto/samba4 which has an old (probably outdated) script
to allow dnsmasq to work with samba4.  Frankly, I don't see that as a
viable option, but I'd take it if it worked.

I'm happy to give more detail on any configs, settings, etc, but I'm hoping
this question is general enough that someone might be able to relay a
scenario that worked for them.  Have you been in my shoes, and can you
suggest a solution that works?
I can't imagine I'm the only one out there who is using samba4 with these
requirements!  Tell me I'm a dumb-a** and show me an obvious solution!!
Thanks to all,
Scott

More information about the samba mailing list