[Samba] specify alternative port for samba internal dns server

Rowland Penny rowlandpenny at googlemail.com
Thu Feb 26 17:00:19 MST 2015

On 26/02/15 23:39, Ben Cohen wrote:
> Please stop making the assumption that I don't have different problems 
> than you...
> I support IT environments that are connected via incredibly slow 
> internet links -- user clients CANNOT use something other than my dns 
> server as their dns resolver -- I have to implement logic which 
> controls all internet access, including dns resolution, on a per user 
> basis per-byte basis -- if I put another dns server in-between me and 
> the network clients, I lose the information by which my dns 
> forwarding-resolver can make the identity determination.  Perhaps you 
> have some way of passing forward the identity information regarding 
> which client is making the dns request in a way that my 
> network-access-control appliance understands -- oh, right no you don't 
> do you?
> In my testing my approach seems to work the way I want to do things -- 
> two servers, one with dnsmasq, one with samba internal dns.  Clients 
> point at my dnsmasq, dnsmasq resolves ad domain via samba dns.  Is 
> this not appropriate for some reason?  How does this go against the 
> 'ad' way? As far as I can tell there is absolutely nothing wrong with 
> this architecture ... why should the clients need to talk to the samba 
> dns directly rather than via my intermediary -- is that actually 
> required?  It's my impression that my campus network doesn't do this 
> with normal active directory -- I believe they run BIND and queries 
> for ad.foo.com are resolved via authoritative AD 
> dns servers running on windows server ...  Isn't that the normal way?
> The reason I want to run the samba4 dns on a different port than the 
> default is to avoid having to run an additional OS -- my environments 
> are very expensive to put equipment in, reducing the hardware and OS 
> count is desirable, particularly where there is not a good reason that 
> something needs to have its own OS instance ...
> It seems you reference a straw-man desire to customize the ldap server 
> port in order to evoke some history of problems surrounding people 
> trying to use services that don't work with the AD model within 
> samba.  In fact my GOAL is exactly the opposite -- I WANT to USE the 
> samba integrated dns in order to avoid having any issues with the 
> required set of magic AD dns behaviours -- rather than trying to hack 
> those required dns behaviours into my existing dns configuration ...
> I appreciate your thoughts and if my suggested approach (with two 
> servers) truly isn't going to work, it would be huge if you or someone 
> else could tell me and give a lot of insight why ... because my plan even 
> with a *NO* on the ability to change the port that samba-dns listens 
> on, is to use two servers as described above ...  If that's not gonna 
> work for some reason it'd be awesome to find out now ...
> Thanks,
> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>     On 26/02/15 22:58, Ben Cohen wrote:
>         My goal is for the samba dns server to be authoritative for
>         'ad.mydomain.com' but not for mydomain.com. The dns server
>         that the clients in my domain use is statically configured to
>         resolve all requests for ad.mydomain.com via the
>         samba internal dns -- I believe this is exactly what is
>         required for samba to function ...  Is this incorrect somehow?
>     You should point your domain members to the DC. If the record the
>     client requires is inside the AD domain, the DC will return the
>     answer; if it doesn't know, it will forward the request to
>     whatever you have set as the forwarder.
>         A whole bunch of other samba services can listen on other than
>         the default service port through configuration options ... 
>         Why should the dns service uniquely deserve an all-caps *NO*
>         with regard to this configurability?
>     You could always try and alter the ldap port that samba4 listens
>     on, oh sorry, you cannot change that either can you.
>     Please stop trying to bend AD to your way of working.
>     Rowland

Please stop sending emails directly to me, keep it on list.

If you are struggling with resources, you could run another OS inside a 
VM and point the samba forwarder to a DNS server running on the OS in 
the VM.

Would you try to circumvent the way a Windows server works? I do not 
think so, and as samba4 AD works exactly the same as Windows AD, you 
shouldn't try to change the way it works.

Note that this is the last I will have to say on this subject.
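The two-server layout described in the thread (clients at a dnsmasq resolver, dnsmasq forwarding only the AD zone to the Samba internal DNS, the DC forwarding everything else upstream), as an added example that is not configuration from either poster; every address below is constructed, with 192.0.2.53 as the dnsmasq host, 192.0.2.10 as the Samba DC and 192.0.2.1 as the upstream resolver:

```ini
# --- dnsmasq.conf on 192.0.2.53, the resolver the clients point at ---

# The whole AD zone, including the _msdcs SRV and GUID records that domain
# joins, Kerberos and LDAP service location depend on, goes to the Samba DC.
server=/ad.mydomain.com/192.0.2.10
# Reverse lookups for the AD subnet, if the DC hosts that reverse zone.
server=/2.0.192.in-addr.arpa/192.0.2.10
# Everything else goes upstream, where the per-client access control lives.
server=192.0.2.1
# Do NOT add "local=/ad.mydomain.com/": that tells dnsmasq to answer the
# zone itself and it would return NXDOMAIN instead of forwarding to the DC.

# --- smb.conf on the DC 192.0.2.10 (Samba internal DNS) ---
# The DC is authoritative for ad.mydomain.com and never forwards names in
# its own zones, so pointing its forwarder upstream cannot create a loop.
[global]
    dns forwarder = 192.0.2.1

# Check from a client (constructed query):
#   dig @192.0.2.53 SRV _ldap._tcp.dc._msdcs.ad.mydomain.com
# should return the DC's SRV record; an NXDOMAIN means the zone is being
# answered locally instead of forwarded.
```

One caveat for this layout: dynamic DNS updates from domain members are sent directly to the server named in the zone's SOA, not to the resolver they query, so the DC must still be reachable from clients on port 53 for host records to register.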

