Default DNS server for Samba 4.0

Ricky Nance ricky.nance at
Wed Sep 5 16:23:57 MDT 2012

Well done indeed. While bind9 + dlz worked quite well, it could be
a little tricky to get everything 'just right'. It is the most complicated part
of the samba 4 setup in my opinion, not because of the configuration
options, but because different distros handled the named.conf differently
(some default to only listen on localhost), not to mention that on distros like
gentoo, where stuff is built from source, you had to make sure you passed the
right build options to named so gssapi and dlz were enabled. In my opinion
this was the last missing piece to a very nice looking puzzle. I think
making the internal dns default is a great idea, but when that gets done,
don't forget to touch up the provision and classicupgrade code to not
mention bind9 configs to the user unless specifically requested to
use bind9.

Anyway, that's just my 2 cents,

On Sep 5, 2012 11:27 AM, "Jeremy Allison" <jra at> wrote:

> On Wed, Sep 05, 2012 at 02:02:42PM +0200, Kai Blin wrote:
> > Hi folks,
> >
> > if you watched the patch stream, you might have noticed that I pushed a
> > set of patches this morning that get the internal DNS server to a point
> > where it can correctly negotiate GSS-based TKEYs and then use those
> > TKEYs to verify TSIG signatures, e.g. for updates. I have tested this
> > with a Samba3 client and a Win7 client, and both can successfully update
> > their DNS records using GSS-TSIG signed update requests. (I actually
> > pushed a messy set and have reverted it, sorry about that. I'll have a
> > clean version up later today.)
> >
> > With this code in place, I would suggest that we switch to the internal
> > DNS as default for new Samba provisions. Seeing how much of our support
> > burden is caused by the BIND setup, I'm hoping to make life easier for
> > our users with this step. Defaulting to the internal DNS is something
> > that we have discussed a couple of times in the past, and usually the
> > only blocker people came up with was the lack of GSS-TSIG support. With
> > the blocker gone, let's make the switch.
> >
> > What do you think?
> +1 and well done Kai !
> Jeremy.
