[Samba] dns/ad domain provisioning and naming

[Rowland Penny]

On 22/01/15 12:55, Jeff Henze wrote:
> On Thu, Jan 22, 2015 at 4:29 AM, Peter Serbe <peter at serbe.ch> wrote:
>> If the domain is set up as
>> [global]
>>      workgroup = LOCAL
>>      realm = local.thisismycompany.com
>> then the domain users would log in as local\flast.
>> I am not sure, whether LOCAL makes up a good domain name...
> Thanks for adding clarity Peter. I'm having trouble framing my
> questions so maybe I might be able to better explain precisely what
> I'm looking for here:
>
> 1) Assuming a legitimately registered ICANN domain name of
> "thisismycompany.com", Would there be a conflict having the internal
> domain's FQDN being structured as "*.thisismycompany.com" with a
> workgroup of "myco" and a realm of "thisismycompany.com"?
> 2) Assuming that first question is "yes", would end users then sign in
> as username at thisismycompany.com -and/or- myco\username ?

OK, you can call your Samba AD domain anything you want, but you 
shouldn't use just your registered domain name.

 From your example 'thisismycompany.com', 'internal.thisismycompany.com' 
or 'myco.thisismycompany.com', would be ok, but 'thisismycompany.com' 
wouldn't, you can then call your workgroup anything you like i.e 
'INTERNAL' or 'MYCO' etc

As for username, it would generally be in the form of 
WORKGROUP\username, but on a member server, winbind can be setup so you 
would only require the username.

>
>> zone "local.thisismycompany.com" {
>>          type slave;
>>          masters { *your DCs go here* };
>>          file "/etc/bind/namedb/bak.local.thisismycompany.com";
>>          forwarders{};
> Excellent - thanks for the bind tip.
>
> -Jeff
Don't do this, set up bind to use the DLZ zones in AD, I take it that 
you realise you need to run bind on the samba4 AD server and forward 
everything that is outside the AD domain to another DNS server.

Rowland