[Samba] Samba 4 Restrict User Create
rowlandpenny at googlemail.com
Mon Nov 17 16:09:22 MST 2014
On 17/11/14 22:43, Greg Zartman wrote:
> On Mon, Nov 17, 2014 at 12:49 PM, Rowland Penny
> <rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
> Samba does not use dnsmasq, the internal dns server does not have
> anything to do with dnsmasq. There are only two DNS servers
> supported by samba, the internal DNS server and Bind 9. You need
> to use the 'nsupdate' command to create and update client dns
> records, will this work with dnscache/tinydns ??
> Yes, but the Samba tried to get dnsmasq to provide this as opposed to
> writing their own DNS:
Good grief, that post was written nearly two years before samba 4.0.0
was released, a very lot changed between that post and the release. One
of which was that it was found that dnsmasq wasn't suitable.
> I was just saying that they'd have been better off if they would have
> looked at dnscache/tinydns, but that's probably under the bridge now.
> Yes, dnscache/tiny DNS would have provided the support Samba needs and
> it wouldn't be has heavy as BIND.
I do not think that your setup would have worked as easily as what you
think, there is secure updates with kerberos, for one thing.
I use Bind (along with dhcpd) and I do not find that it overloads my
computer, but then, it is only dealing with my samba4 domain and
forwards anything that is outside the samba4 domain and then caches the
> When anybody has DNS problems, it usually turns out to be them
> trying to use an unsupported DNS setup. I will repeat, in case you
> haven't got it yet, without a proper DNS server, Active Directory
> will not work correctly, if at all.
> Andrew Bartlett said it's perfectly acceptable to put dnscache in
> front of Samba DNS:
I read it different, he was replying to a guy that was using bind 9 with
flat files and was forwarding anything unknown to an outside DNS server.
I think that he was saying that this was the right thing to do. Also you
I think that it should be;
Your AD clients first point of call needs to be the AD dns server, where
if they are trying to get info for a domain computer, it will be
returned quickly, if they are trying to get info for a machine outside
the domain, the AD dns server would forward it to another dns server, in
your case, the dnscache. If the cache doesn't know, it would then ask
its forwarder and cache the results, OH look, this is what Bind does.
> In practice, dnscache is a very thing layer between client machines
> and Samba DNS.
Yes but it is another layer.
> Greg J. Zartman
> Board Member
> Koozali SME Server
> SME Server user and community member since 2000
More information about the samba