[Samba] Multiple A records on my parent domain name are confusing hosts
scott at mimicsimulation.com
Mon Oct 14 17:33:59 MDT 2013
BTW, I commented out the first two lines in dns_update_list, then removed
the "spare" entries from DNS. Now they don't refresh the bad entries.
(Really, I'm only interested in Samba keeping the MS-specific DNS entries
up to date.)
Mimic Technologies, Inc
811 First Avenue, Suite 408 | Seattle, WA 98104
phone: 1.800.918.1670 | direct: 206.456.9180
fax: 206.623.3491 | cell: 206.355.7767
On Fri, Oct 11, 2013 at 12:43 PM, Gregory Sloop <gregs at sloop.net> wrote:
> AB> On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:
> >> I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
> >> My domain is example.com
> >> My Samba4 server is myserver.example.com
> >> myserver has two NICs: 10.10.10.5 and 192.168.10.2
> >> My externally hosted web site is www.example.com, and is hosted at
> >> 22.214.171.124
> >> I have an A and CNAME in DNS like so:
> >> @ A 126.96.36.199
> >> www CNAME example.com.
> >> The above allows internal web browsers to access the external site via
> >> www.example.com or example.com. This works great.
> >> The problem is that every ten minutes when Samba's DNS update happens, it
> >> keeps putting the following two entries in, which point internal hosts at
> >> the DNS server, instead of the externally hosted web site:
> >> @ A 10.10.10.5
> >> @ A 192.168.10.2
> >> Why do these keep showing up? I'm sure there is a place that the info is
> >> coming from, but I don't know where, and I desperately need to prevent it
> >> from happening. I mean, don't get me wrong, I realize what the records
> >> mean, but what I'm trying to do is prevent them from repopulating and
> >> preventing my internal hosts from browsing the web site. I didn't have
> >> this problem when I could edit the BIND files directly, but now that I'm
> >> using bind_dlz for Samba, I'm a little lost.
> AB> The issue is that Samba controls that name, and tries to set it to
> AB> the network interfaces of the DC, because AD clients may (few actually
> AB> do, in this specific case) use this name to find a DC. See
> AB> dns_update_list.
> AB> I suggest breaking the CNAME and not using example.com to find your
> AB> website internally.
> Wouldn't it make a lot of sense, provided one had the infrastructure
> [extra servers/hardware], to handle DNS like this:
> (And at a smaller site, you could do this in a VM like VirtualBox on
> the same hardware as the S4/AD server - memory is cheap, and at a
> small site, I/O load is going to be trivial.)
> Set up a DNS+DHCP server, external to/outside of the AD. Say,
> DHCP and DDNS would apply against mydomain.local.
> Put the S4/Windows AD in a 3rd level domain - say samba.mydomain.local.
> Point all queries for the 3rd level DNS [samba.mydomain.local] to the
> AD/DNS controller. [i.e. a forward zone for samba.mydomain.local -> S4AD]
> This resolves issues with DHCP/DDNS, since you're not trying to make
> the AD controller handle it.
> Next, by using something like .local as your 1st level domain, you don't
> have conflicts with real-world external domains. [And even if you did
> use something like .com, you could tweak the DNS server to handle it
> without messing with the AD domain, provided you didn't use anything
> in that 3rd level domain (samba.mydomain.local) out in the open/public.]
> I know it's extra work, but it just seems to make things a lot cleaner
> and keeps DNS from becoming such a tangle in AD, IMO.
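The split layout proposed in the last reply, written out as an added example (not configuration from the thread or from the Samba project) for the non-AD BIND server: mydomain.local lives here and takes DDNS from the DHCP server over TSIG, and everything under samba.mydomain.local is forwarded to the Samba DC. The server's own address, the key name and the file path are assumptions; 10.10.10.5 is the DC address from the thread.

```conf
// named.conf fragment on the DNS+DHCP box outside the AD (assumed 10.10.10.53)

key "dhcp-update" {                 // assumed name; generate with ddns-confgen
    algorithm hmac-sha256;
    secret "replace-with-base64-secret";
};

zone "mydomain.local" {
    type master;
    file "/var/lib/bind/db.mydomain.local";   // assumed path
    allow-update { key "dhcp-update"; };      // DDNS from dhcpd only, never from clients
};

zone "samba.mydomain.local" {
    type forward;
    forward only;
    forwarders { 10.10.10.5; };               // the S4 AD DC's DNS (BIND DLZ or internal)
};
```

Two things to settle before relying on this: the DC must be able to resolve mydomain.local names too, so its own DNS (internal or BIND DLZ) needs the outside server as a forwarder (`dns forwarder` in smb.conf for the internal server), and clients must use the outside server, not the DC, as their resolver so that the forward zone is what answers them. A `forward` zone is a resolver-side shortcut; if any host will query the DC directly or you want the tree to be discoverable without this file, add a real NS delegation for samba.mydomain.local (NS plus glue A record) in the mydomain.local zone instead. One caveat on the naming: `.local` is reserved for multicast DNS (RFC 6762), and hosts with mDNS resolvers (macOS, many Linux desktops) may try to resolve mydomain.local names over mDNS rather than unicast DNS, so a sub-domain of a name you actually own (e.g. ad.example.com) avoids that collision while keeping the same separation.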
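As an added example for the problem described in this thread (not code from Samba or from anyone on the list), the script below audits a zone dump and flags apex A records that point at the DC's own interfaces, which is exactly what samba_dnsupdate keeps re-registering. It assumes the zone has been dumped to "owner TTL class type rdata" text (as `dig axfr` produces, or the `@ A addr` shorthand used in the thread); the sample zone is constructed from the names and addresses quoted above, and the DC interface set is the two NICs of myserver.

```python
#!/usr/bin/env python3
"""Flag zone-apex A records that point at the DC's own interfaces.

Added example, not Samba's code. Run it after each samba_dnsupdate cycle
(or from cron) to notice when the apex has been clobbered again.
"""
import ipaddress

# Constructed sample zone: the intended external address at the apex plus the
# two records the thread complains about (the DC's interface addresses).
SAMPLE_ZONE = """\
example.com.            3600 IN A     126.96.36.199
example.com.             900 IN A     10.10.10.5
example.com.             900 IN A     192.168.10.2
www.example.com.        3600 IN CNAME example.com.
myserver.example.com.    900 IN A     10.10.10.5
myserver.example.com.    900 IN A     192.168.10.2
_ldap._tcp.example.com.  900 IN SRV   0 100 389 myserver.example.com.
"""

ZONE = "example.com."
DC_INTERFACES = {"10.10.10.5", "192.168.10.2"}  # myserver's two NICs, from the thread


def parse_zone(text):
    """Return (owner, type, rdata) tuples. TTL and class are optional, as in
    master-file syntax, so both 'dig axfr' output and '@ A 10.0.0.1' parse."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        owner = fields[0].lower()
        idx = 1
        if fields[idx].isdigit():                 # optional TTL
            idx += 1
        if idx < len(fields) and fields[idx].upper() in ("IN", "CH", "HS"):
            idx += 1                              # optional class
        if idx >= len(fields):
            continue
        rtype = fields[idx].upper()
        rdata = " ".join(fields[idx + 1:])
        records.append((owner, rtype, rdata))
    return records


def apex_a_records(records, zone):
    """Addresses of A records owned by the apex, written as 'zone.' or '@'."""
    zone = zone.lower()
    return sorted(rdata for owner, rtype, rdata in records
                  if rtype == "A" and owner in (zone, "@"))


def clobbered_apex(records, zone, dc_interfaces):
    """Apex A records that are really DC interface addresses: these send
    internal browsers to the DC instead of the external web host."""
    return [a for a in apex_a_records(records, zone) if a in dc_interfaces]


def private_apex(records, zone):
    """Broader check that needs no DC address list: apex A records in
    private (RFC 1918, link-local) space, which an externally hosted
    web site should never have."""
    return [a for a in apex_a_records(records, zone)
            if ipaddress.ip_address(a).is_private]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    bad = clobbered_apex(recs, ZONE, DC_INTERFACES)
    for addr in bad:
        print(f"{ZONE} A {addr} is a DC interface; samba_dnsupdate will re-add it")
    raise SystemExit(1 if bad else 0)
```

To run it against a live zone, replace SAMPLE_ZONE with the output of `dig @<dc> example.com axfr` (or of `samba-tool dns query`, reformatted) and keep DC_INTERFACES in step with the DC's interfaces; the non-zero exit status is there so a cron job or monitor can alert on it. Note that removing the records by hand, as done above, only helps if the matching dns_update_list entries are also disabled, otherwise the next update cycle puts them back.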