use of a DNS cache in front of samba4 internal DNS

Marc Muehlfeld samba at marc-muehlfeld.de
Wed Feb 13 11:53:30 MST 2013


Hello,

On 13.02.2013 17:58, David Mansfield wrote:
> In particular I'd like postfix to auth. my users, and as I understand it
> I have two options, one is to join the machine to the domain
> (pam_winbind) and then postfix will authenticate that way (via pam), and
> the other would be to use postfix with SASL and in turn have sasl use
> kerberos5 or ldap.
>
> In case anyone has read this far and has suggestions, I'd love to hear
> them, and also w.r.t using sasl and kerberos5, how do I set up a keytab
> and SPN using samba4?  I've googled and googled and cannot seem to get
> it straight.


This is how I solved this:

Here I have my samba4 DC in my internal network and my mailserver in 
the DMZ.

On my mailserver I have installed openLDAP in proxy mode against AD:
https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD


Then I made the AD users available on my mailserver by nslcd over the 
openLDAP proxy:
https://wiki.samba.org/index.php/Samba4/beyond#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy


And finally I configured that the users are authenticated against AD 
(through the openLDAP proxy):
https://wiki.samba.org/index.php/Samba4/beyond#Authentication_against_AD_through_openLDAP_proxy


These are my HowTos on how I set this up.


The openLDAP proxy in my DMZ saves me from having a full 
samba/windows installation in my DMZ with all services (kerberos, samba, 
etc.). There's just one open port (389 for ldap) and nothing else. Also 
in the firewall I only have to allow the openLDAP proxy to connect to 
the DC's port 389 (no kerberos, etc.). No domain join, no pam_winbind, no 
kerberos, etc. required.

But this proxy allows me to access all attributes in AD and of course 
to authenticate against it.

Here my postfix gets e.g. the information from AD about which user owns 
which mail address. Also postfix, cyrus and other logins are authenticated 
through the openLDAP proxy. Users have only their AD password. Also 
everything is administered with ADUC.





> The reason is that I'd like my mail server to authenticate users
> against samba4, however to do this it must resolve DNS against it.
> But the mail server gets multiple mails per second and resolves all
> remote ip addresses and does other header checks etc.  i.e. a ton of
> DNS traffic.
>
> My current configuration is to have a dedicated DNS cache (djbdns
> dnscache) which resolves for the mail server, and I'd like to keep this
> configuration if possible.
>
> djbdns dnscache can be configured to resolve different zones using
> different servers, so it is possible to configure the cache to
> resolve "samdom.example.com" against samba4 and other zones as usual.
>
> So my question is, does samba4 properly use TTL etc. so that this
> configuration will work correctly in general?


About DNS: My mailserver uses only the DNS from my provider. I have no 
requirement that the mailserver has to resolve internal DNS zones (the 
one I use for AD) here. If this is required for your site for some 
reason: I don't know djbdns. Here I use bind for DNS. And I can tell 
bind that it has to forward a specific zone to a different DNS (the one 
on the ADC):
   zone "samdom.example.com" IN {
       type forward;
       forwarders { 10.0.0.1; 10.0.0.2; };
   };




I hope I could help you with that. If you have problems with my HowTos, 
let me know. Then I'll try to write it in a bit more detail. :-)


Regards,
Marc
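Editor's note: the post above only links to the wiki HowTos for the three steps (openLDAP proxy to AD, nslcd over the proxy, authentication through the proxy). The following is an added configuration sketch of that setup, not Marc's own files and not the wiki's text. It assumes the OpenLDAP back-ldap backend (slapd.conf syntax, directives documented in slapd-ldap(5)) and nss-pam-ldapd (nslcd.conf). The domain samdom.example.com, the DC addresses 10.0.0.1/10.0.0.2 (taken from the bind example in the post), the proxy account cn=ldapproxy and the password placeholder are assumptions; the AD users are assumed to carry uidNumber/gidNumber (RFC2307 attributes maintained with ADUC), otherwise nslcd has nothing to map to POSIX ids.

```conf
########## /etc/openldap/slapd.conf on the DMZ mailserver (assumed layout) ##########
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
modulepath      /usr/lib/openldap
moduleload      back_ldap

# Read-only proxy: every request for the AD suffix is forwarded to the DCs.
database        ldap
suffix          "dc=samdom,dc=example,dc=com"
# Only port 389 on the DCs is needed from the DMZ; list both DCs for failover.
uri             "ldap://10.0.0.1/ ldap://10.0.0.2/"
protocol-version 3
# AD returns referrals for other naming contexts; do not chase them from the DMZ.
chase-referrals no
# Anonymous/unauthenticated searches (nslcd lookups) are done as a low-privilege AD account
# (placeholder credentials; create this account in ADUC with read-only rights).
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=samdom,dc=example,dc=com"
                credentials="CHANGE-ME-placeholder"
                mode=none
                flags=non-prescriptive
# A user who binds with their own DN and AD password is rebound as that user
# against the DC, so AD itself verifies the password (this is what makes
# "users have only their AD password" work for pam/postfix/cyrus).
rebind-as-user  yes

########## /etc/nslcd.conf on the same host: users/groups from AD via the proxy ##########
uid     nslcd
gid     nslcd
# Talk to the local proxy only; the DMZ host never speaks to the DCs directly.
uri     ldap://127.0.0.1/
base    dc=samdom,dc=example,dc=com
# AD limits result sets; page through them and ignore referrals.
pagesize 1000
referrals off
# Map AD attributes onto the POSIX passwd/group schema nslcd expects.
filter  passwd (&(objectClass=user)(uidNumber=*)(!(objectClass=computer)))
map     passwd uid            sAMAccountName
map     passwd gecos          displayName
map     passwd homeDirectory  "/home/$sAMAccountName"
map     passwd loginShell     "/bin/bash"
filter  group  (&(objectClass=group)(gidNumber=*))
map     group  cn             sAMAccountName
```

Two checks worth running after this is in place (both assumed commands, run on the mailserver): `ldapsearch -x -H ldap://127.0.0.1/ -b dc=samdom,dc=example,dc=com '(sAMAccountName=someuser)' mail uidNumber` confirms the proxy reaches the DC and that the RFC2307 attributes are populated, and `ldapwhoami -x -H ldap://127.0.0.1/ -D 'cn=Some User,cn=Users,dc=samdom,dc=example,dc=com' -W` confirms that a user bind is really passed through and verified by AD. Note that with plain `ldap://` URIs the simple binds, including user passwords, cross the DMZ-to-DC link unencrypted; the same configuration works unchanged with `ldaps://` URIs (or StartTLS in nslcd with `ssl start_tls`) if that link is not trusted.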

