[Samba] Multiple A records on my parent domain name are confusing hosts

Gregory Sloop gregs at sloop.net
Fri Oct 11 13:43:06 MDT 2013

AB> On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:
>> I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
>> My domain is example.com
>> My Samba4 server is myserver.example.com
>> myserver has two nics: and
>> My externally hosted web site is www.example.com, and is hosted at
>> I have an A and CNAME in DNS like so:
>>  @     A
>> www   CNAME  example.com.
>> The above allows internal web browsers to access the external site via
>> www.example.com or example.com. This works great.
>> The problem is that every ten minutes when samba's dns update happens, it
>> keeps putting the following two entries in, which points internal hosts to
>> the dns server, instead of the externally hosted web site:
>> @     A
>> @     A
>> Why do these keep showing up?  I'm sure there is a place that the info is
>> coming from, but I don't know where, and I desperately need to prevent this
>> from happening.  I mean, don't get me wrong, I realize what the records
>> mean, but what I'm trying to do is prevent them from repopulating and
>> preventing my internal hosts from browsing the web site.  I didn't have
>> this problem when I could edit the bind files directly, but now that I'm
>> using bind_dlz for samba, I'm a little lost.

AB> The issue is that Samba controls that name, and tries to set it to match
AB> the network interfaces of the DC, because AD clients may (few actually
AB> do, in this specific case) use this name to find a DC.  See
AB> dns_update_list. 

AB> I suggest breaking the CNAME and not using example.com to find your
AB> website internally. 

Wouldn't it make a lot of sense, provided one had the infrastructure
[extra servers/hardware] to handle DNS like this:

(And at a smaller site, you could do this in a VM like virtualbox on
the same hardware as the S4/AD server - memory is cheap, and at a
small site, I/O load is going to be trivial.)

Set up a DNS+DHCP server, external to/outside of the AD. Say,

DHCP and DDNS would apply against mydomain.local

Put the S4/Windows AD in a 3rd level domain - say samba.mydomain.local.

Point all queries for the 3rd level DNS [samba.mydomain.local] to the AD/
DNS controller. [i.e. A forward zone for samba.mydomain.local -> S4AD

This resolves issues with DHCP/DDNS - since you're not trying to make
the AD controller handle it.

Next by using something like .local as your 1st level domain, you don't
have conflicts with real-world external domains. [And even if you did
use something like .com - you could tweak the DNS server to handle it
without messing with the AD domain - provided you didn't use anything
in that 3rd level domain (samba.mydomain.local) out in the open/public

I know it's extra work, but it just seems to make things a lot cleaner
and keeps DNS from becoming such a tangle in AD, IMO
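
Added example, not part of the message above and not the poster's or the Samba project's own configuration: a BIND `named.conf` sketch of the layout proposed in the message. A stand-alone server owns mydomain.local and takes the DDNS updates, and samba.mydomain.local is handed to the S4 AD DC, so the apex A records the DC keeps rewriting land on samba.mydomain.local only. The 192.0.2.x addresses, the host name dc1, the key name, the file paths and the secret are assumed placeholders.

```conf
// named.conf on the stand-alone DNS+DHCP server (constructed example).
// Assumed values: 192.0.2.0/24 = internal network, 192.0.2.10 = the S4 AD DC,
// dc1 = the DC's host name, "dhcp-ddns" = TSIG key shared with the DHCP server.

key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_BASE64_SECRET";  // placeholder, keep the real one out of version control
};

options {
    directory "/var/named";               // assumed path
    recursion yes;
    allow-recursion { 192.0.2.0/24; };    // internal clients only
};

// Parent zone: authoritative here. Only the DHCP server's key may write to it,
// and only the record types a DHCP-driven update needs.
zone "mydomain.local" {
    type master;
    file "dynamic/mydomain.local.zone";   // assumed path, must be writable by named
    update-policy {
        grant dhcp-ddns zonesub A TXT DHCID;
    };
};

// Third-level AD domain: every query is handed to the Samba 4 DC, which stays
// free to manage its own apex, SRV and _msdcs records.
zone "samba.mydomain.local" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};

// The parent zone file also needs a delegation for the child. Without it named
// answers samba.mydomain.local names from the parent zone (NXDOMAIN) and the
// forward zone is never consulted:
//   samba      IN NS  dc1.samba.mydomain.local.
//   dc1.samba  IN A   192.0.2.10
```

Running `named-checkconf` after substituting real values catches syntax errors before a reload.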
