Samba 4 from internal DNS to named and GPOs issue
ricky.nance at weaubleau.k12.mo.us
Tue Oct 23 12:52:26 MDT 2012
On Tue, Oct 23, 2012 at 1:31 PM, <admin at blackpenguin.org> wrote:
> On 2012-10-23 12:04, Ricky Nance wrote:
>> The wiki is fairly straightforward on joining a second DC,
>> and the mailing list has had several emails on the DNS changes (as do
>> the change logs) as well as the samba backup/restore process. I am
>> guessing that English is not your primary language, but please be
>> careful on the wording that you use in emails as some of the things
>> you have written could easily be taken personal. If the howtos are
>> lacking, please register on the wiki and you will likely be granted
>> access to change them, also there should be sufficient help in the man
> Thank you for your answer - it is much appreciated. I do understand
> English, so that's not the issue. There are several scenarios that people
> will encounter and they are not covered in the howtos. I know named was not
> an awesome choice and it's always fun to make it work with samba, but since
> the migration to internal DNS, switching the DNS solution is not
> documented. However, once I get thing rolling I will consider on writing
> some howtos for samba, but I'm still in a learning phase.
>> With my rant out of the way, first please give us a bit more
>> information, did you install from tarball or from git? Second, in
>> order to get your second machine setup you can do this in one of 2
>> ways: 1) make a backup of samba, have samba 4 installed on the new
>> machine, then copy over the samba/private, samba/etc, and your sysvol
>> directories from old to new, then start samba, and test it. 2) setup
>> samba 4 on your new machine, and join it to your existing samba 4
>> machine as a DC using the following
>> method, http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_
>>  then run samba-tool domain demote on the first DC, you will need
>> to manually copy over your sysvol directory over as well and re-setup
>> all of your shares as they won't exist on the new DC.
> I installed samba 4 RC3 from the tarball to be able to test different
> scenarios. It is running on Fedora 17 as the primary and only domain
> controller and the windows clients are windows 7 pro sp1. I stopped samba
> and performed a backup with the provided script and I hope I got a valid
> backup. I installed samba 4 rc3 on a physical machine from tarball and
> provisioned a new domain (with named as backend) to see if there are main
> differences in the config and there are.
>> In order to change the DNS backend there is no easy straight
>> forward way to do this yet (as far as I know), I know at one point in
>> the past 2-3 weeks there was a discussion on the dns-DOMAIN user not
>> being created when you provision with samba_internal, also I don't
>> think it creates the samba/private/dns directory or the
>> samba/private/named.conf file, so the configuration change that Andrew
>> mentioned may not be enough to make this work, however, the option he
>> was speaking of will be in the [global] section of your smb.conf, you
>> will need to add the line server services = -dns then comment out the
>> dns forwarder = line if it exists in your config, then run
>> samba_dnsupgrade and restart samba.
> There are way more files in a named provisioning and there is a
> samba/private/dns in the new provisioning too, so I tried to overlap the
> new provisioning content with the new one, but kept the private folder
> where I think the database is stored (I know it sounds stupid). Unless I
> have specific instructions on how to do that to make it easy, I have no way
> of doing the dns migration. Anyway, the plan was to play and make the
> physical machine primary dns (for that I need to move the samba from vm to
> physical but samba on vm is using internal dns), then provision a secondary
> dns (in place where the original dc was - on the vm) where I was hoping I
> can setup the file shares for tests. I would put the primary dns on a
> machine that has limited hdd space, but I would put the secondary domain
> controller where I have a bigger hdd, so I can give users lots of space for
> shares. I think this should be possible. Correct me if I'm wrong. But I
> fail on changing the internal to external DNS. The vm thing is just for lab
> work only - not for production.
>> As for your earlier mail, you made the comment "I will
>> probably have bind as primary dns and samba as secondary dns and on
>> separate machines". I don't think you can do this really, if windows
>> finds the primary dns is an active dns, then the secondary will never
>> be touched, so your secure dns updates will not happen at all, and any
>> tool that you use that needs the dns of any machine AD wise will not
>> work properly. It'd be best to leave the second dns in place and use
>> samba_internal, which you are currently using, and a line in your
>> smb.conf "dns forwarder = ip.to.pri.dns". You may need to move some
>> things from your existing bind to your AD server, but this shouldn't be
>> that hard, unless you have a BUNCH of entries, in which case I would
>> just try it and see if it works.
> The way it is setup right now, I have a linux box doing DNS with named
> where I have the domain, email and web services. I have a VM in the same
> LAN where samba 4 resides running on internal dns. The windows machines are
> set to dns1 (samba server) and dns1 (gateway) and for some odd reason it
> works. I thought it won't initially. From what I understand, you want me to
> keep named primary (on the gateway) and have the "dns forwarder =
> ip.to.pri.dns" in the smb.conf. From what I can tell samba 4 and named they
> cannot live on the same machine. I need 2 separate machines and the windows
> clients will all have primary dns samba 4 that will forward the request to
> the primary dns. Right?
Samba 4 internal DNS can forward to any dns you need it to by setting the
"dns forwarder = " in the smb.conf.
> What exactly do I need to remove from bind and move to the samba dns? Why
> would I need to move stuff out of named? What are the samba dns files and
> where are they located? I only found a named.conf.update or something like
> that in the provisioning. Having samba 4 running on internal dns is great,
> but I need to integrate it further with other solutions. I am planning to
> deploy samba 4 in production as soon as I get the GPOs working that seem to
> have a bug in RC3 still.
I am not fully understanding why you want to move back to the bind_dlz
backend I guess. Don't get me wrong there is nothing wrong with it, but I
just don't understand the reason you need to switch. Maybe if I understood
why you need named running I could help more on this.
>> Hopefully this has answered your questions, but please don't
>> hesitate to ask if it didn't.
>> Good luck,
> Thank you Ricky!
>> On Tue, Oct 23, 2012 at 7:29 AM, <admin at blackpenguin.org> wrote:
>>> On 2012-10-22 05:19, Andrew Bartlett wrote:
>>>> On Sun, 2012-10-21 at 08:59 -0700, bogdan_bartos wrote:
>>>>> I am running Samba 4 RC3 on a VM and I want to backup the whole
>>>>> thing and
>>>>> restore it onto a physical machine. I know there is a script
>>>>> for that, but
>>>>> currently I have it running by using the internal DNS and I
>>>>> want to have it
>>>>> running with named. Would the script carry the DNS config over?
>>>>> How do I
>>>>> make it switch from internal to named?
>>>> My understanding is that you:
>>>> - Change the smb.conf settings, and then run samba_dnsupgrade
>>> 1. I ran the backup successfully. However, I do not know how to
>>> restore the backup.
>>> 2. What exactly do I change in smb.conf?
>>>>> I also have several GPOs set, but the client machines will not
>>>>> pick them up.
>>>>> I disabled the shutdown, control panel and other things, but as
>>>>> soon as I
>>>>> access the GPO with GPMC, it says that the SYSVOL data is not
>>>>> in sync with
>>>>> the AD data and it just doesn't work. Is this a bug in Samba 4
>>>> Is this against your second DC? Remember, you have to sync your
>>>> files manually.
>>>> Andrew Bartlett
>>> 3. I do not have 2 DCs. I am willing to try this out, but the
>>> howtos are not that great.
>>> First I need to be able to do basic things like backing it up,
>>> restoring it, upgrading it, replicating it. Then I can say that is
>>> meant to be easy, but up to now it's not. I've been using samba 3 for
>>> a long time now, but samba4 is not that well documented. A regular
>>> person will be able to install it, provision it, but then it will
>>> come time to change things and play. If I would be in a production
>>> environment, this would be a really tough job to recover from a
>>> loss without the proper documentation.
>>> I bet programming samba was a tough job, but to make a software
>>> "fly", you really need an awesome tutorial. Or better step-by-step
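The two smb.conf changes Ricky describes in this thread (moving off the internal DNS server with "server services = -dns" plus commenting out "dns forwarder =", or keeping the internal server and pointing "dns forwarder =" at the existing named box) are easy to get wrong by hand, so here is an added example that is not code from the thread or from the Samba project. It reads the [global] section of an smb.conf, reports which DNS setup it describes, and rewrites the text accordingly. The sample config and the 192.0.2.x addresses are constructed; the treatment of "server services" (a plain list replaces Samba's default list, "+name"/"-name" adjust it) is my reading of Samba's list syntax. Running samba_dnsupgrade and restarting samba afterwards, as the thread says, is still up to the operator; this only edits text.

```python
import re

# Constructed sample: an AD DC provisioned with the internal DNS server and a forwarder.
SAMPLE_SMB_CONF = """\
[global]
\tworkgroup = EXAMPLE
\trealm = EXAMPLE.LAN
\tnetbios name = DC1
\tserver role = active directory domain controller
\tdns forwarder = 192.0.2.1
[netlogon]
\tpath = /usr/local/samba/var/locks/sysvol/example.lan/scripts
\tread only = No
"""

def _key_of(line):
    """Normalised parameter name of a 'key = value' line ('' for comments, sections, blanks)."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;[" or "=" not in stripped:
        return ""
    return " ".join(stripped.partition("=")[0].lower().split())

def _tokens(value):
    """Split a Samba list value on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]

def _indent(line):
    return line[: len(line) - len(line.lstrip())]

def parse_global(conf_text):
    """Return {parameter: value} for the [global] section only."""
    params, in_global = {}, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_global = stripped.lower() == "[global]"
        elif in_global and _key_of(line):
            params[_key_of(line)] = stripped.partition("=")[2].strip()
    return params

def dns_backend(conf_text):
    """'internal' if Samba itself will serve DNS, 'external' if the dns service is
    disabled so named/BIND must answer for the AD zones (assumed list semantics)."""
    tokens = _tokens(parse_global(conf_text).get("server services", ""))
    if "-dns" in tokens:
        return "external"
    plain = [t for t in tokens if not t.startswith(("+", "-"))]
    if plain:  # a plain list replaces Samba's default service list, which includes dns
        return "internal" if "dns" in plain else "external"
    return "internal"

def _rewrite_global(conf_text, on_line, insert_after_header):
    """Walk the file; on_line(line) may replace a [global] line, and
    insert_after_header lines are added directly below the [global] header."""
    out, in_global = [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_global = stripped.lower() == "[global]"
            out.append(line)
            if in_global:
                out.extend(insert_after_header)
            continue
        out.append(on_line(line) if in_global else line)
    return "\n".join(out) + "\n"

def switch_to_external_dns(conf_text):
    """The change described in the thread for moving off the internal DNS server:
    put `server services = -dns` in [global] (or drop dns from an explicit list)
    and comment out `dns forwarder =`, which only the internal server honours."""
    params = parse_global(conf_text)

    def on_line(line):
        key = _key_of(line)
        if key == "dns forwarder":
            return _indent(line) + "# " + line.strip()  # keep the old value visible
        if key == "server services":
            tokens = [t for t in _tokens(line.partition("=")[2]) if t not in ("dns", "+dns")]
            if (not tokens or all(t.startswith(("+", "-")) for t in tokens)) and "-dns" not in tokens:
                tokens.append("-dns")
            return _indent(line) + "server services = " + " ".join(tokens)
        return line

    extra = [] if "server services" in params else ["\tserver services = -dns"]
    return _rewrite_global(conf_text, on_line, extra)

def set_dns_forwarder(conf_text, upstream_ip):
    """For the internal DNS server: point `dns forwarder` at the site's existing
    named/BIND box so non-AD names still resolve (the other option Ricky gives)."""
    params = parse_global(conf_text)

    def on_line(line):
        if _key_of(line) == "dns forwarder":
            return _indent(line) + "dns forwarder = " + upstream_ip
        return line

    extra = [] if "dns forwarder" in params else ["\tdns forwarder = " + upstream_ip]
    return _rewrite_global(conf_text, on_line, extra)

if __name__ == "__main__":
    print(dns_backend(SAMPLE_SMB_CONF))          # internal
    print(switch_to_external_dns(SAMPLE_SMB_CONF))
```

Running it on a real file is just `switch_to_external_dns(open("/usr/local/samba/etc/smb.conf").read())` and writing the result back; re-running on the rewritten text is a no-op, so it is safe to apply twice. The forwarder line is commented rather than deleted so the old upstream address is still on hand if you go back to the internal server with set_dns_forwarder.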