Samba4 BDC with Samba4 PDC

Mike Howard mike at
Sun Jun 3 10:30:32 MDT 2012

On 03/06/2012 17:01, Mike Howard wrote:
> On 03/06/2012 11:15, Andrew Bartlett wrote:
>> On Sun, 2012-06-03 at 09:59 +0100, Mike Howard wrote:
>>> I have had samba4 (Version 4.0.0alpha21-GIT-073666e) up and running as
>>> the PDC on my network, currently with BIND9_DLZ and Bind9.9, working
>>> well for a little while.
>>> For redundancy, I'd like to add a Samba 4 BDC, also BIND9_DLZ with
>>> Bind9.9. To this end I grabbed the latest from git (Version
>>> 4.0.0alpha22-GIT-29a51a2) and installed it, however there is not a lot
>>> (any?) info out there on how things should be done _properly_ from a
>>> configuration point of view, i.e. on the BDC is there a smb.conf or not,
>>> how is the krb5.conf configured, how is /etc/resolv.conf configured?
>>> Anyway, I can join the BDC to the domain with;
>> ...
>>> Joined domain MYDOMAIN (SID S-1-5-21-2874647136-1364824720-2698236840)
>>> as a DC
>>> The process of joining the BDC to the domain seems to shutdown bind on
>>> the PDC and neither '/usr/local/samba/private/named.conf' nor
>>> '/usr/local/samba/private/dns/' are created on the BDC.
>>> I can (and did) add the following to my 'named.conf.local'.
>>> dlz "AD DNS Zone" {
>>>     # For BIND 9.9.0
>>>     database "dlopen /usr/local/samba/lib/bind9/";
>>> };
>>> but bind will not restart as '/usr/local/samba/private/dns/' and its
>>> contents are missing.
>>> Can anybody give me some pointers or point me at any info that will help
>>> with the correct configuration?
>> See the other posts on this list about ensuring the DNS partitions are
>> replicated, then run samba_upgradedns to populate the DNS directory for
>> the second DC.
>> There is a fair bit of info in the list archives on this.  Hopefully we
>> can make this more automatic in the future.
>> Andrew Bartlett
> Hi,
> Sorry, I obviously need to improve my search techniques. Thanks for
> the pointers.
> Sadly, none of them worked but not to worry, it is after all only
> alpha software.
> What is the time scale for samba4 actually being usable in a
> 'real' environment, or more specifically, being able to provide what
> Windows server currently provides from an AD/DNS point of view? Whilst
> I've been running samba4 for a while (and quite impressive it is too),
> obviously high availability is really important and being able to
> 'just' install and go à la MS (despite all its drawbacks) is pretty
> key. A BDC is a key component.
> Mike Howard.
Following up my own post, sorry, but if I was to provision the PDC
with no DNS (--dns-backend=NONE) and relied totally on bind9 (as I would
like to) for DNS/DDNS, what are the potential pitfalls? There must be
some or this particular setup would not be described as 'not
recommended', but what are they?

Being a bit of an AD 'desert' I don't understand the consequences of 
this but if it's purely a security issue as opposed to operational, I'd 
be happy to take care of the security aspect myself, or at least weigh 
up the consequences.

Actually, I might as well just set it up that way and see :)

Any question is easy if you know the answer!
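Andrew's pointer above (make sure the DNS partitions have replicated before running samba_upgradedns on the second DC) as an added shell check; this is not code from the thread or from Samba. The `samba-tool drs showrepl` report text is constructed, and the `--dns-backend` option in the trailing comment is the one samba_upgradedns takes in current Samba releases.

```shell
# Added example, not from the thread: before running samba_upgradedns on a newly
# joined DC, confirm that both DNS application partitions have replicated in,
# using the text of `samba-tool drs showrepl`. Report text below is constructed.

# Return 0 when both DomainDnsZones and ForestDnsZones show a successful
# inbound replication attempt in the report passed as $1.
dns_partitions_replicated() {
    report="$1"
    rc=0
    for part in DomainDnsZones ForestDnsZones; do
        # Print the neighbour block that follows the partition's DC= line.
        block=$(printf '%s\n' "$report" | awk -v p="DC=$part," '
            index($0, p) == 1 { found = 1; next }
            found && /^DC=/   { exit }
            found             { print }')
        if ! printf '%s\n' "$block" | grep -q 'was successful'; then
            echo "DNS partition $part has not replicated yet" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed report: only the domain NC and DomainDnsZones have arrived.
REPORT_INCOMPLETE='==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=mydomain,DC=lan
    Default-First-Site-Name\PDC via RPC
        Last attempt @ Sun Jun  3 10:00:00 2012 MDT was successful
        0 consecutive failure(s).

DC=mydomain,DC=lan
    Default-First-Site-Name\PDC via RPC
        Last attempt @ Sun Jun  3 10:00:00 2012 MDT was successful
        0 consecutive failure(s).
'

# Constructed report with both DNS partitions present.
REPORT_COMPLETE="$REPORT_INCOMPLETE
DC=ForestDnsZones,DC=mydomain,DC=lan
    Default-First-Site-Name\\PDC via RPC
        Last attempt @ Sun Jun  3 10:00:00 2012 MDT was successful
        0 consecutive failure(s).
"

# On the second DC itself (not run here):
#   samba-tool drs showrepl > showrepl.txt
#   dns_partitions_replicated "$(cat showrepl.txt)" && samba_upgradedns --dns-backend=BIND9_DLZ
```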

