[Samba] Multiple A records on my parent domain name are confusing hosts

Scott Goodwin scott at mimicsimulation.com
Mon Oct 14 17:33:59 MDT 2013


BTW, I commented out the first two lines in dns_update_list, then removed
the "spare" entries from DNS. Now they don't refresh the bad entries.
Problem solved.
(really, I'm only interested in samba keeping the ms-specific dns entries
up to date)


*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408  |  Seattle, WA 98104
phone: 1.800.918.1670  |  direct: 206.456.9180
fax: 206.623.3491  |  cell: 206.355.7767



On Fri, Oct 11, 2013 at 12:43 PM, Gregory Sloop <gregs at sloop.net> wrote:

>
>
> AB> On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:
> >> I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
> >>
> >> My domain is example.com
> >> My Samba4 server is myserver.example.com
> >> myserver has two nics: 10.10.10.5 and 192.168.10.2
> >> My externally hosted web site is www.example.com, and is hosted at
> >> 123.123.123.123
> >> I have an A and CNAME in DNS like so:
> >>
> >>  @     A      123.123.123.123
> >> www   CNAME  example.com.
> >>
> >> The above allows internal web browsers to access the external site via
> >> www.example.com or example.com. This works great.
> >>
> >> The problem is that every ten minutes when Samba's DNS update happens, it
> >> keeps putting the following two entries in, which point internal hosts to
> >> the DNS server, instead of the externally hosted web site:
> >> @     A      10.10.10.5
> >> @     A      192.168.10.2
> >>
> >>
> >> Why do these keep showing up?  I'm sure there is a place that the info is
> >> coming from, but I don't know where, and I desperately need to prevent this
> >> from happening.  I mean, don't get me wrong, I realize what the records
> >> mean, but what I'm trying to do is prevent them from repopulating and
> >> preventing my internal hosts from browsing the web site.  I didn't have
> >> this problem when I could edit the bind files directly, but now that I'm
> >> using bind_dlz for samba, I'm a little lost.
>
> AB> The issue is that Samba controls that name, and tries to set it to match
> AB> the network interfaces of the DC, because AD clients may (few actually
> AB> do, in this specific case) use this name to find a DC.  See
> AB> dns_update_list.
>
> AB> I suggest breaking the CNAME and not using example.com to find your
> AB> website internally.
>
> Wouldn't it make a lot of sense, provided one had the infrastructure
> [extra servers/hardware] to handle DNS like this:
>
> (And at a smaller site, you could do this in a VM like virtualbox on
> the same hardware as the S4/AD server - memory is cheap, and at a
> small site, I/O load is going to be trivial.)
> ---
>
> Set up a DNS+DHCP server, external to/outside of the AD. Say,
> mydomain.local
>
> DHCP and DDNS would apply against mydomain.local
>
> Put the S4/Windows AD in a 3rd level domain - say samba.mydomain.local.
>
> Point all queries for the 3rd level DNS [samba.mydomain.local] to the AD/
> DNS controller. [i.e. A forward zone for samba.mydomain.local -> S4AD
> server]
>
> This resolves issues with DHCP/DDNS - since you're not trying to make
> the AD controller handle it.
>
> Next by using something like .local as your 1st level domain, you don't
> have conflicts with real-world external domains. [And even if you did
> use something like .com - you could tweak the DNS server to handle it
> without messing with the AD domain - provided you didn't use anything
> in that 3rd level domain (samba.mydomain.local) out in the open/public
> internet.]
>
> I know it's extra work, but it just seems to make things a lot cleaner
> and keeps DNS from becoming such a tangle in AD, IMO
>
> Thoughts?
>
> -Greg
>
>
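As an added illustration (not code from this thread or from Samba itself), a small Python simulation of the behaviour AB describes: it parses a constructed dns_update_list fragment in the simplified format this example assumes, replays what samba_dnsupdate would register for each A entry using the DC's interface addresses, and shows how the www CNAME then hands clients the DC addresses alongside the real web host; apex_collisions is the audit a defender would run before letting such entries refresh.

```python
import re

# Constructed sample in the style of Samba's dns_update_list (assumption:
# "TYPE NAME [args...]" with ${VAR} placeholders; the real file also carries
# many SRV/CNAME lines and role conditionals this demo ignores).
UPDATE_LIST = """\
# entries samba_dnsupdate refreshes on every run
A     ${DNSDOMAIN}
A     ${HOSTNAME}
SRV   _ldap._tcp.${DNSDOMAIN}   ${HOSTNAME} 389
"""
VARS = {"DNSDOMAIN": "example.com", "HOSTNAME": "myserver.example.com"}
DC_ADDRS = ["10.10.10.5", "192.168.10.2"]  # the DC's two NICs (constructed)
# Constructed zone as intended: apex -> external web host, www -> CNAME apex
ZONE = {"example.com": {"A": ["123.123.123.123"]},
        "www.example.com": {"CNAME": ["example.com"]}}

def parse_update_list(text, variables):
    """Return (rtype, name, args) tuples; '#' comments and blank lines skipped."""
    def expand(s):  # unknown ${VAR} placeholders are left untouched
        return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), s)
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rtype, name, *args = line.split()
            entries.append((rtype.upper(), expand(name).lower(),
                            tuple(expand(a) for a in args)))
    return entries

def apply_update_list(zone, entries, dc_addrs):
    """Simulate samba_dnsupdate: each A entry gets one record per DC address."""
    new = {n: {t: list(v) for t, v in r.items()} for n, r in zone.items()}
    for rtype, name, _ in entries:
        if rtype == "A":
            recs = new.setdefault(name, {}).setdefault("A", [])
            recs.extend(a for a in dc_addrs if a not in recs)
    return new

def resolve_a(zone, name, depth=0):
    """Follow CNAMEs (bounded) and return the A records a client would see."""
    recs = zone.get(name, {})
    if "CNAME" in recs and depth < 8:
        return resolve_a(zone, recs["CNAME"][0], depth + 1)
    return list(recs.get("A", []))

def apex_collisions(zone, entries, dc_addrs):
    """Names the update list would rewrite that already hold non-DC A records."""
    return [name for rtype, name, _ in entries if rtype == "A"
            and set(zone.get(name, {}).get("A", [])) - set(dc_addrs)]
```

Commenting out the `A ${DNSDOMAIN}` line in the sample, as Scott did in his real file, empties the collision list and leaves www resolving only to the external host.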

