[Samba] Samba4 using existing DNS and LDAP

Matthieu Patou mat at samba.org
Wed Aug 7 11:34:33 MDT 2013


On 08/07/2013 12:02 AM, Olivier Nicole wrote:
> Thank you Matthieu,
>
>>> I have been using Samba3 (and 2) for years, with an openLDAP backend for
>>> authentication. This is working fine, my directory includes a number of
>>> local settings for my specific needs.
>>>
>>> Now I would like to move to Samba4.
>>>
>>> I understand that Samba4 comes with its own DNS and LDAP servers.
>>>
>>> By provisioning Samba4 with --dns-backend=NONE and including the
>>> necessary to my existing DNS zone, is that enough to get rid of the DNS
>>> server included with Samba4?
>> Well, you can use the bind-dlz plugin so that Samba uses bind instead of
>> its own internal server.
>> Another option is to configure your global DNS to use Samba as the
>> source of authority just for the domain of your AD.
>>> What kind of updates does Samba need to
>>> perform to DNS? The one at the provisioning and the machine name that
>>> join the domain (this is already taken care of by DHCP). Is there
>>> anything I oversee?
> What about this question? What records are added in the DNS by Samba,
> besides all the SRV records?
Well, it depends; pretty much anything a client asks to update. With
bind-dlz or the internal DNS server, DDNS updates from the client are
controlled by the same kind of ACLs as a Windows client would have in a
Windows AD domain.
So most of the time clients update A, AAAA and PTR records, but some also
set SRV records (a Windows server with Terminal Server, for instance), and
maybe Exchange sets up the MX record (I don't know). As long as the ACLs
don't prevent you from doing so, you are able to do it.

That's a great plus if you compare it to the quite limited ACLs that
bind 9.x has built in.

>
>>> Now regarding LDAP, is there a way to tell Samba to replicate the
>>> directory from my existing openLDAP?
>> No.
>> Our LDAP server supports schema upgrades, so if the stuff that you have in
>> your OL has a schema that is compatible with Samba you can update Samba's
>> schema and then load the data by export/import into Samba.
>> Another way of doing it is by using overlays in OL to present the
>> information coming from both OL and Samba 4 in the desired way.
> I have seen that, but that was after I posted my question. I think I
> will resolve to keep both Samba and OL in parallel and update the
> accounts on both at the same time (it's just a minor change in the existing
> scripts used to update OL).
You might want to have a script that polls Samba from time to time
to see if OL needs an update; the dirsync control is designed for that.
There is a small test/demo script in source4/scripting/devel/demodirsync.py

Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
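The polling approach Matthieu suggests (poll the Samba DC with the dirsync control, persist the cookie it hands back, and push only what changed into OpenLDAP) can be sketched as follows. This is an added example, not Samba's own demodirsync.py. It assumes the control-string format `dirsync:<critical>:<flags>:<max>[:<cookie>]` that Samba's python ldb binding accepts (an assumption; check demodirsync.py on your tree), and it takes the actual AD search as a caller-supplied `fetch` callable so the reconciliation logic runs offline against constructed sample data. The OL side is modelled as an in-memory dict standing in for the ldapmodify calls an update script would issue.

```python
"""Incremental AD -> OpenLDAP mirror driven by the LDAP dirsync control.

Added illustration (not Samba's demodirsync.py).  The dirsync search itself is
supplied by the caller as fetch(control_string) -> (changed_entries, cookie).
"""
import json

# Attributes kept in step between AD and the OL tree (assumed set).
MIRRORED_ATTRS = ("sAMAccountName", "displayName", "mail")


def dirsync_control(flags=0, max_entries=1000, cookie=None):
    """Control string for LDAP_SERVER_DIRSYNC_OID in the form the Samba
    python ldb binding accepts (assumption): dirsync:1:<flags>:<max>[:<cookie>].
    Without a cookie the server returns the full set; with one, only changes."""
    ctrl = "dirsync:1:%d:%d" % (flags, max_entries)
    if cookie:
        ctrl += ":" + cookie
    return ctrl


def reconcile(changed, ol_state):
    """Turn one batch of dirsync results into OL operations.

    changed:  {sAMAccountName: attrs} reported as changed since the cookie.
              dirsync returns only the attributes that changed, and tombstones
              carry isDeleted=True (assumed representation of the AD result).
    ol_state: {sAMAccountName: attrs} as currently held in OpenLDAP.
    Returns a list of (op, uid, attrs), op in add/modify/delete."""
    ops = []
    for uid, attrs in sorted(changed.items()):
        if attrs.get("isDeleted"):
            if uid in ol_state:
                ops.append(("delete", uid, {}))
            continue
        wanted = {k: attrs[k] for k in MIRRORED_ATTRS if k in attrs}
        if uid not in ol_state:
            ops.append(("add", uid, wanted))
            continue
        diff = {k: v for k, v in wanted.items() if ol_state[uid].get(k) != v}
        if diff:
            ops.append(("modify", uid, diff))
    return ops


def apply_ops(ops, ol_state):
    """Apply ops to a copy of the OL state (stands in for ldapmodify)."""
    state = {uid: dict(attrs) for uid, attrs in ol_state.items()}
    for op, uid, attrs in ops:
        if op == "add":
            state[uid] = dict(attrs)
        elif op == "modify":
            state[uid].update(attrs)
        elif op == "delete":
            state.pop(uid, None)
    return state


def sync_once(fetch, ol_state, cookie):
    """One polling round.  Returns (new_ol_state, ops, new_cookie); persist
    new_cookie so the next round only sees what changed after this one."""
    changed, new_cookie = fetch(dirsync_control(cookie=cookie))
    ops = reconcile(changed, ol_state)
    return apply_ops(ops, ol_state), ops, new_cookie


def save_cookie(path, cookie):
    with open(path, "w") as f:
        json.dump({"cookie": cookie}, f)


def load_cookie(path):
    try:
        with open(path) as f:
            return json.load(f).get("cookie")
    except FileNotFoundError:
        return None


# Constructed sample: what two successive dirsync rounds might return.
SAMPLE_ROUNDS = [
    ({"alice": {"sAMAccountName": "alice", "displayName": "Alice A",
                "mail": "alice@example.org"},
      "bob": {"sAMAccountName": "bob", "displayName": "Bob B"}}, "cookie-1"),
    ({"bob": {"mail": "bob@example.org"},      # only the changed attribute
      "carol": {"isDeleted": True}},            # tombstone: removed in AD
     "cookie-2"),
]


def fake_fetch_factory(rounds):
    """Stand-in for the real dirsync search: hands out rounds in order and
    checks the control string carries the cookie from the previous round."""
    state = {"i": 0}

    def fetch(control):
        i = state["i"]
        if i > 0:
            assert control.endswith(":" + rounds[i - 1][1]), control
        state["i"] += 1
        return rounds[i] if i < len(rounds) else ({}, rounds[-1][1])
    return fetch


def run_demo():
    """Run both sample rounds against an OL tree that already holds carol."""
    ol = {"carol": {"sAMAccountName": "carol", "mail": "carol@example.org"}}
    fetch = fake_fetch_factory(SAMPLE_ROUNDS)
    cookie, history = None, []
    for _ in SAMPLE_ROUNDS:
        ol, ops, cookie = sync_once(fetch, ol, cookie)
        history.append(ops)
    return ol, history, cookie
```

Wiring `fetch` to a live DC means running the search with the control string on an ldb connection and pulling the new cookie out of the dirsync response control; keep the cookie on disk (`save_cookie`) so a restart of the polling script does not re-import the whole directory.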


