[Samba] Samba 4 Restrict User Create
Rowland Penny
rowlandpenny at googlemail.com
Mon Nov 17 16:09:22 MST 2014
On 17/11/14 22:43, Greg Zartman wrote:
> On Mon, Nov 17, 2014 at 12:49 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> Samba does not use dnsmasq, the internal dns server does not have
> anything to do with dnsmasq. There are only two DNS servers
> supported by samba, the internal DNS server and Bind 9. You need
> to use the 'nsupdate' command to create and update client dns
> records, will this work with dnscache/tinydns ??
>
>
> Yes, but the Samba tried to get dnsmasq to provide this as opposed to
> writing their own DNS:
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q1/003552.html
>
Good grief, that post was written nearly two years before samba 4.0.0
was released, a lot changed between that post and the release. One
of which was that it was found that dnsmasq wasn't suitable.
>
> I was just saying that they'd have been better off if they would have
> looked at dnscache/tinydns, but that's probably under the bridge now.
> Yes, dnscache/tiny DNS would have provided the support Samba needs and
> it wouldn't be as heavy as BIND.
I do not think that your setup would have worked as easily as you
think; there are secure updates with Kerberos, for one thing.
I use Bind (along with dhcpd) and I do not find that it overloads my
computer, but then, it is only dealing with my samba4 domain and
forwards anything that is outside the samba4 domain and then caches the
resultant records.
>
>
>
> When anybody has DNS problems, it usually turns out to be them
> trying to use an unsupported DNS setup. I will repeat, in case you
> haven't got it yet, without a proper DNS server, Active Directory
> will not work correctly, if at all.
>
>
> Andrew Bartlett said it's perfectly acceptable to put dnscache in
> front of Samba DNS:
> https://lists.samba.org/archive/samba-technical/2013-February/090461.html
>
I read it differently, he was replying to a guy that was using bind 9 with
flat files and was forwarding anything unknown to an outside DNS server.
I think that he was saying that this was the right thing to do. Also you
posted this:
dnscache->sambadns->dnscache.forwarder.
I think that it should be:
sambadns->dnscache->dnscache.forwarder.
Your AD clients' first point of call needs to be the AD dns server, where
if they are trying to get info for a domain computer, it will be
returned quickly, if they are trying to get info for a machine outside
the domain, the AD dns server would forward it to another dns server, in
your case, the dnscache. If the cache doesn't know, it would then ask
its forwarder and cache the results, OH look, this is what Bind does.
> In practice, dnscache is a very thin layer between client machines
> and Samba DNS.
>
Yes but it is another layer.
Rowland
> Greg
>
> --
> Greg J. Zartman
> Board Member
>
> Koozali SME Server
>
> SME Server user and community member since 2000