[Samba] Fwd: Samba4 as AD server

Rowland Penny rowlandpenny at googlemail.com
Thu Nov 20 04:19:06 MST 2014

On 20/11/14 10:41, Morgan Blackthorne wrote:
> So I set up two of my three Linode servers in the Texas datacenter as
> Samba4 domain controllers. (One to provision the domain, and one joining
> it.) These have IPTables in place that allow my home IP address to access
> any protocol/port, and 53 is allowed from everywhere for both tcp and udp.
> The domain that I configured is AD.WINDSOFSTORM.NET, and I have delegated
> NS records for that subdomain to the two servers that are running Samba
> (using the Samba internal DNS server). My understanding, although this was
> not covered explicitly in any of the docs that I found, was that this would
> be sufficient for DNS purposes so that I would not have to repoint my
> workstation to use those servers directly for DNS resolution; the requests
> for anything under that subdomain will get properly routed there instead by
> the normal internet DNS architecture.
> However, I am unable to join the domain. Looking at the logs, I don't see
> anything going on. I tried just manually connecting to \\
> sage.windsofstorm.net, the PDC, and I got "Windows cannot access this
> share". But I can use netcat to reach the server over UDP 139/TCP 389/etc.
> Is there something that I need to specify given that the server is on a
> different network than my home network? (I can't set up a VPN to their
> internal network at this point in time as I already have a VPN in place for
> work. Maybe down the line.)
> I'm a little confused as to what I should be checking at this point. All
> the guides I've found seem to indicate that it should "just work" at this
> point.
> --
> ~*~ StormeRider ~*~
> "Every world needs its heroes [...] They inspire us to be better than we
> are. And they protect from the darkness that's just around the corner."
> (from Smallville Season 6x1: "Zod")
> On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS

Hi, if you go here: https://wiki.samba.org/index.php/Samba_Readme_First

and look under the heading 'Requirements', you will find this:

DNS config: The network configuration of all clients must be set up to 
send all DNS queries only to the AD-server(s). Even the AD-Server(s) 
themselves must be set up to send DNS queries only to their own DNS 
servers. The DNS server that runs on the AD server(s) should forward 
queries for non-AD hosts to a different DNS server that can answer those 

What this means is, your domain clients MUST use the samba4 DNS server 
and anything that this server doesn't know about, it will ask its 
forwarder. Your samba4 DNS server shouldn't really be resolvable from 
the internet.
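A small client-side check of what that wiki requirement means in practice, added here as an example; it is not from this thread and not Samba's own tooling. It parses a resolv.conf, flags any nameserver that is not one of the AD DCs, checks that the realm is in the search list, and confirms the standard AD locator SRV records answer through that resolver. The realm `ad.example.com`, the addresses 192.0.2.10/.11 and 203.0.113.53, and the `fake_resolve` answers are all constructed; `dig_srv` shells out to `dig`, which is assumed to be installed, and is only used when `check_srv_records` is called without a resolver.

```python
"""Added example (not from this thread and not Samba's own tooling): check a
Linux client's resolver setup against the Samba wiki requirement that domain
members send *all* DNS queries to the AD DC(s), and that the AD SRV records a
join depends on are answerable through that DNS server.
"""
import subprocess
from typing import Callable, Dict, List, Tuple


def ad_srv_names(realm: str) -> List[str]:
    """Standard AD locator SRV records a client queries to find DCs."""
    realm = realm.lower().rstrip(".")
    return [
        f"_ldap._tcp.{realm}",
        f"_kerberos._tcp.{realm}",
        f"_kerberos._udp.{realm}",
        f"_ldap._tcp.dc._msdcs.{realm}",
        f"_kerberos._tcp.dc._msdcs.{realm}",
    ]


def parse_resolv_conf(text: str) -> Tuple[List[str], List[str]]:
    """Return (nameservers, search domains) from resolv.conf content."""
    nameservers: List[str] = []
    search: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key in ("search", "domain"):
            search.extend(v.lower().rstrip(".") for v in values)
    return nameservers, search


def check_client_dns(resolv_text: str, realm: str, dc_addrs: List[str]) -> List[str]:
    """Problems with a client's resolv.conf. For a DC itself, pass its own
    address as dc_addrs: the wiki requires DCs to query only themselves."""
    problems: List[str] = []
    nameservers, search = parse_resolv_conf(resolv_text)
    if not nameservers:
        problems.append("no nameserver entries at all")
    for ns in nameservers:
        if ns not in dc_addrs:
            # A non-DC resolver anywhere in the list breaks AD lookups:
            # libc may ask it first and it knows nothing about the realm.
            problems.append(f"nameserver {ns} is not an AD DC; remove it")
    if realm.lower().rstrip(".") not in search:
        problems.append(f"search list does not contain {realm}")
    return problems


def dig_srv(name: str) -> List[str]:
    """Resolve an SRV record with dig (assumed installed); returns targets."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, timeout=10).stdout
    return [line.split()[-1].rstrip(".") for line in out.splitlines() if line.strip()]


def check_srv_records(realm: str,
                      resolve: Callable[[str], List[str]] = dig_srv) -> List[str]:
    """Names that returned no SRV answer; all must resolve before a join."""
    return [name for name in ad_srv_names(realm) if not resolve(name)]


# ---- constructed demo data (RFC 5737 addresses, example realm) ----
REALM = "ad.example.com"
DC_ADDRS = ["192.0.2.10", "192.0.2.11"]

CLIENT_RESOLV_BAD = """\
# constructed: client still lists the ISP resolver ahead of the DC
nameserver 203.0.113.53
nameserver 192.0.2.10
search ad.example.com
"""

CLIENT_RESOLV_GOOD = """\
# constructed: only the two DCs, realm in the search list
nameserver 192.0.2.10
nameserver 192.0.2.11
search ad.example.com
"""

# Constructed stand-in for dig: every record exists except the UDP Kerberos one.
_FAKE_ZONE: Dict[str, List[str]] = {
    n: ["dc1.ad.example.com"] for n in ad_srv_names(REALM)
    if n != "_kerberos._udp.ad.example.com"
}


def fake_resolve(name: str) -> List[str]:
    return _FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    print("bad client :", check_client_dns(CLIENT_RESOLV_BAD, REALM, DC_ADDRS))
    print("good client:", check_client_dns(CLIENT_RESOLV_GOOD, REALM, DC_ADDRS))
    print("missing SRV:", check_srv_records(REALM, fake_resolve))
```

Run it on a real client with the machine's /etc/resolv.conf and the DC addresses, and call `check_srv_records(realm)` without a resolver to use `dig`; a non-empty result from either check is a reason the join will fail before any firewall or share permission comes into play. It says nothing about whether port 53 on the DC is reachable from the internet; that is a separate question about the DC's own rules.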
