[Samba] samba 4 and external dns(bind)

Taylor, Jonn jonnt at taylortelephone.com
Fri Oct 18 14:26:04 MDT 2013


On 10/18/2013 03:08 PM, Amaury Viera Hernández wrote:
> On 10/18/2013 03:04 PM, Taylor, Jonn wrote:
>> On 10/18/2013 12:40 PM, Amaury Viera Hernández wrote:
>>> On 10/18/2013 01:22 PM, Taylor, Jonn wrote:
>>>> On 10/18/2013 10:34 AM, Amaury Viera Hernández wrote:
>>>>> On 10/18/2013 10:23 AM, Taylor, Jonn wrote:
>>>>>> On 10/18/2013 09:10 AM, Amaury Viera Hernández wrote:
>>>>>>> Hi everyone,
>>>>>>> I need to use a samba 4 server, but I need to install a server with a
>>>>>>> DNS service (bind 9.8) on another server.
>>>>>>> Is that possible?
>>>>>>> If yes, is there any documentation for it?
>>>>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Dns-backend_bind
>>>>>>
>>>>>
>>>>> Well,
>>>>> yes, that's the tutorial for using bind with samba,
>>>>> but if I use samba on server01.domain.anything and need to use
>>>>> bind on server02.domain.anything,
>>>>> there are some steps in the tutorial that I can't understand, for
>>>>> example:
>>>>>
>>>>>  Bind 9.8 / 9.9
>>>>>
>>>>> A DNS keytab file was automatically created during
>>>>> provisioning/updating. Add the following 'tkey-gssapi-keytab' option
>>>>> to the 'options' section of your named.conf:
>>>>>
>>>>> options {
>>>>>      [...]
>>>>>      tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>>>>>      [...]
>>>>> };
>>>>>
>>>>> Note that /usr/local/samba/private/dns.keytab is on another server
>>>>>
>>>>> and
>>>>>
>>>>> During provisioning/upgrading, a file
>>>>> ('/usr/local/samba/private/named.conf') was created, that must be
>>>>> included in your Bind named.conf:
>>>>>
>>>>> include "/usr/local/samba/private/named.conf";
>>>>>
>>>>> Note that /usr/local/samba/private/named.conf is on another server
>>>>>
>>>>> Besides, the content of the included
>>>>> "/usr/local/samba/private/named.conf"
>>>>> is:
>>>>> database "dlopen  ...  dlz_bind9.so" and this is on another server
>>>>>
>>>> Need a little more info on what you are trying to do. If the second
>>>> server is a second domain controller, the provision will create these for
>>>> you when you join the domain. If you are running a file server that is
>>>> part of the domain, you can set up bind and do zone transfers from the
>>>> domain controller.
>>>>
>>>> If you need help with the setup let me know and I can post configs
>>>> for you.
>>>>
>>>> Jonn
>>>>
>>>> ________________________________________________________________________________________________ 
>>>>
>>>>
>>>>
>>>> III International Winter School at UCI from 17 to 28 February
>>>> 2014. See www.uci.cu
>>>
>>> Well, yes, it is a domain controller with bind.
>>> The principal problem is that if I have a principal domain controller
>>> (Active Directory with DNS, OR samba4 + bind DNS or internal DNS) and
>>> join samba4 as a domain controller,
>>> this new samba4 does not use a DNS server, and yes, the data
>>> replication works fine, but:
>>> when I transfer the five roles in Active Directory and demote the
>>> principal domain controller (Active Directory with DNS OR samba4 + bind
>>> DNS or internal DNS), the users that were using the principal Active
>>> Directory domain controller can't log in to this new domain controller,
>>> but I think that the principal problem is that this new samba4 server
>>> primary domain controller does not have a DNS server.
>>>
>>> I don't speak English; please forgive me for it.
>>> Regards, Amaury.
>> Each samba4 AD server must have a DNS server. When you did the join,
>> if you did not specify that you wanted to use bind, it will default to
>> the internal one. This can be changed without any problems. As for DNS
>> for the clients, you need to make sure the DNS they have points to both
>> your AD servers. You will also need to make sure that your SOA records
>> point to the new AD servers.
>>
>> One more thing: you need to copy your sysvol directory from the old
>> server to the new one and then run "samba-tool ntacl sysvolreset" to get
>> the permissions correct. Samba 4 does not replicate the sysvol as of
>> yet.
>>
>> Jonn
>>
>> FYI... your written English is fine.
>
> Well, I have been using the information located at:
>
> http://wiki.samba.org/index.php/Samba4/HOWTO
> https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
>
> https://wiki.samba.org/index.php/Dns-backend_bind
> https://wiki.samba.org/index.php/Samba_4_OS_Requirements
> https://wiki.samba.org/index.php/Build_Samba#Step_2:_Compile_Samba4
> https://wiki.samba.org/index.php/Samba4/InitScript
> https://wiki.samba.org/index.php/DNS_Administration
>
> Everything works fine, and I'm very happy with all the tests, except
> for joining Samba4 as a domain controller:
>
> To begin, we need to join samba4 as a domain controller:
>
> /usr/local/samba/bin/samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com
> -> for using the internal DNS as DNS backend
>
> OR
>
> /usr/local/samba/bin/samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ
> -> for using bind as DNS backend
>
> And all the other things in this information work fine for me (the DNS
> record creation and more, including the replication tests).
Make sure that /etc/resolv.conf has nameserver 127.0.0.1
>
> The main problem is that:
> if I use the internal DNS as backend, when I try to connect with the
> administration pack of Windows (Windows XP), I get a message saying
> that there is no DNS server (although port 53 is running on the
> samba4 server).
Run netstat -aenp | grep ":53" to see who is using port 53.
>
> If I use bind DNS as backend, when I try to restart bind, I get an
> error in syslog that says that bind9 couldn't load the dlz driver.
Did the dlz driver get compiled?
>
> I'm using Ubuntu Server 12.04 for samba4 (testing 4.0.9 and 4.0.10),
> Windows Server 2003 for Active Directory, and the
> Windows XP admin pack for managing Active Directory
> and samba4.
>
> In both situations, I'm having trouble with the DNS server and I have
> no idea about it.
Check firewalls and SELinux.
>
> Regards, Amaury.
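Jonn's three checks above (who owns port 53, whether named.conf carries the 'tkey-gssapi-keytab' and include directives from the wiki, and whether resolv.conf points at 127.0.0.1), plus a look at which dlz module path the included file actually asks bind to dlopen, as an added POSIX shell example. This is not code from the thread, from Samba or from Jonn; every input below (the netstat output, the named.conf fragment, the layout of the include file) is a constructed sample, and the file paths are only the ones the thread already quotes.

```shell
#!/bin/sh
# Added example, not from the thread, from Samba or from Jonn. Every input
# here is a constructed sample; PIDs, inodes and the include-file layout are
# assumptions for illustration.

# Constructed `netstat -aenp` output on a DC running Samba's internal DNS.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          12345      2311/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      0          12346      2311/samba
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9876       1001/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          12347      2311/samba'

# Constructed named.conf fragment shaped like the wiki text quoted in the thread.
SAMPLE_NAMED_CONF='options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";'

# Constructed stand-in for the Samba-generated include file (layout assumed):
# the 9.8 module line commented out, the 9.9 line active.
SAMPLE_DLZ_INCLUDE='dlz "AD DNS Zone" {
    # For BIND 9.8
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
    # For BIND 9.9
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};'

# Read netstat-style lines on stdin; print each distinct program bound to
# port 53 (TCP or UDP). Two names here means bind9 and Samba's internal DNS
# are fighting over the port.
port53_programs() {
    awk '$4 ~ /:53$/ { sub(/^[0-9]+\//, "", $NF); print $NF }' | sort -u
}

# Read named.conf on stdin; report whether the two directives the wiki calls
# for are present. Output: "keytab=yes|no include=yes|no".
named_conf_samba_directives() {
    conf=$(cat)
    kt=no; inc=no
    printf '%s\n' "$conf" | grep -q 'tkey-gssapi-keytab' && kt=yes
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*include[[:space:]]*"/usr/local/samba/private/named.conf"' && inc=yes
    printf 'keytab=%s include=%s\n' "$kt" "$inc"
}

# Read resolv.conf on stdin; succeed only if an uncommented
# "nameserver 127.0.0.1" line is present.
resolv_points_local() {
    grep -v '^[[:space:]]*#' | grep -q '^[[:space:]]*nameserver[[:space:]]\{1,\}127\.0\.0\.1[[:space:]]*$'
}

# Read the include file on stdin; print the module path of the first
# uncommented database "dlopen ..." line. That path has to exist on the host
# running bind itself: a module that only exists on another box is exactly
# the "couldn't load the dlz driver" failure from the thread.
dlz_module_path() {
    grep -v '^[[:space:]]*#' | sed -n 's/.*database[[:space:]]*"dlopen[[:space:]]\{1,\}\([^" ]*\)".*/\1/p' | head -n 1
}

# Demo run over the constructed samples.
printf 'port 53 owners: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | port53_programs)"
printf '%s\n' "$SAMPLE_NAMED_CONF" | named_conf_samba_directives
printf 'nameserver 127.0.0.1\n' | resolv_points_local && echo 'resolv.conf: local nameserver ok'
printf 'dlz module: %s\n' "$(printf '%s\n' "$SAMPLE_DLZ_INCLUDE" | dlz_module_path)"
```

On a real DC the same functions take live input: netstat -aenp | port53_programs on the Samba host, and dlz_module_path < /usr/local/samba/private/named.conf on the bind host, followed by test -f on the printed path. If the path is not a file on that host, bind cannot dlopen it, which matches the syslog error in the thread; if port53_programs prints two names, the internal DNS and bind9 are both bound to port 53 and one of them has to go.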


