[Samba] specify alternative port for samba internal dns server
cohen.ben at gmail.com
Thu Feb 26 17:10:44 MST 2015
Whoops - sorry for responding to you directly rather than via the list -- I
only use gmail for extremely high-volume mailing lists, and usually that's
just to skim-read them -- so I don't know the gmail web-ui very well (and
it seems to change all the time) -- apologies. (Also I have no idea how to
not top-post with gmail ... I'll figure that out for next time)
You seem to have strong opinions regarding the default port for the dns
server - I disagree with you but I'm not going to try to change your deeply
While expressing your opinions earlier in the thread, the idea was raised
that it is somehow _REQUIRED_ for clients to use the samba internal dns
directly rather than receive dns responses via an intermediary dns server
-- can someone confirm whether or not this is the case?
On Thu, Feb 26, 2015 at 4:00 PM, Rowland Penny <rowlandpenny at googlemail.com>
> On 26/02/15 23:39, Ben Cohen wrote:
>> Please stop making the assumption that I don't have different problems
>> than you...
>> I support IT environments that are connected via incredibly slow internet
>> links -- user clients CANNOT use something other than my dns server as
>> their dns resolver -- I have to implement logic which controls all internet
>> access, including dns resolution, on a per-user, per-byte basis -- if
>> I put another dns server in-between me and the network clients, I lose the
>> information by which my dns forwarding-resolver can make the identify
>> determination. Perhaps you have some way of passing forward the identity
>> information regarding which client is making the dns request in a way that
>> my network-access-control appliance understands -- oh, right no you don't
>> do you?
>> In my testing my approach seems to work the way I want to do things --
>> two servers, one with dnsmasq, one with samba internal dns. Clients point
>> at my dnsmasq, dnsmasq resolves ad domain via samba dns. Is this not
>> appropriate for some reason? How does this go against the 'ad' way? As far
>> as I can tell there is absolutely nothing wrong with this architecture ...
>> why should the clients need to talk to the samba dns directly rather than
>> via my intermediary -- is that actually required? It's my impression that
>> my campus network doesn't do this with normal active directory -- I believe
>> they run BIND and queries for ad.foo.com are
>> resolved via authoritative AD dns servers running on windows server ...
>> Isn't that the normal way?
>> The reason I want to run the samba4 dns on a different port than the
>> default is to avoid having to run an additional OS -- my environments are
>> very expensive to put equipment in, reducing the hardware and OS count is
>> desirable, particularly where there is not a good reason that something
>> needs to have its own OS instance ...
>> It seems you reference a straw-man desire to customize the ldap server
>> port in order to evoke some history of problems surrounding people trying
>> to use services that don't work with the AD model within samba. In fact my
>> GOAL is exactly the opposite -- I WANT to USE the samba integrated dns in
>> order to avoid having any issues with the required set of magic AD dns
>> behaviours -- rather than trying to hack those required dns behaviours into
>> my existing dns configuration ...
>> I appreciate your thoughts and if my suggested approach (with two
>> servers) truly isn't going to work, it would be huge if you or someone else
>> could tell me and give a lot of insight why ... because my plan even with a
>> *NO* on the ability to change the port that samba-dns listens on, is to use
>> two servers as described above ... If that's not gonna work for some
>> reason it'd be awesome to find out now ...
>> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <
>> rowlandpenny at googlemail.com> wrote:
>> On 26/02/15 22:58, Ben Cohen wrote:
>> My goal is for the samba dns server to be authoritative for
>> 'ad.mydomain.com' but not for mydomain.com. The dns server
>> that the clients in my domain use is statically configured to
>> resolve all requests for ad.mydomain.com via the
>> samba internal dns -- I believe this is exactly what is
>> required for samba to function ... Is this incorrect somehow?
>> You should point your domain members to the DC, if the record the
>> client requires is inside the AD domain, the DC will return
>> the answer; if it doesn't know, it will forward the request to
>> whatever you have set as the forwarder.
>> A whole bunch of other samba services can listen on other than
>> the default service port through configuration options ...
>> Why should the dns service uniquely deserve an all-caps *NO*
>> with regard to this configurability?
>> You could always try and alter the ldap port that samba4 listens
>> on, oh sorry, you cannot change that either can you.
>> Please stop trying to bend AD to your way of working.
>> -- To unsubscribe from this list go to the following URL and read
>> instructions: https://lists.samba.org/mailman/options/samba
> Please stop sending emails directly to me, keep it on list.
> If you are struggling with resources, you could run another OS inside a VM
> and point the samba forwarder to a DNS server running on the OS in the VM.
> Would you try and circumvent the way a windows server works, I do not
> think so and as samba4 AD works exactly the same as windows AD, you
> shouldn't try to change the way it works.
> Note that this is the last I will have to say on this subject.
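The two-server layout Ben describes above (clients query dnsmasq, dnsmasq hands the AD zone to the Samba internal DNS, everything else goes upstream where the per-client access control sees the real client address) can be written as a dnsmasq conditional-forwarding configuration. This is an added example, not configuration from the thread or from the Samba project; the zone name ad.mydomain.com comes from the thread, while the addresses 192.0.2.10 (Samba DC), 192.0.2.53 (upstream resolver), the 192.0.2.0/24 subnet and the interface name eth0 are constructed placeholders.

```conf
# Added example (not from the thread): dnsmasq as the client-facing resolver
# that forwards only the AD zone to the Samba internal DNS.
# All addresses and the interface name are constructed placeholders.

# Ignore /etc/resolv.conf; every upstream is declared explicitly below.
no-resolv

# Everything at or below ad.mydomain.com (this includes the _msdcs, _sites,
# _tcp and _udp SRV names that domain joins and logons depend on) goes to the
# Samba DC's internal DNS, which is authoritative for that zone.
server=/ad.mydomain.com/192.0.2.10

# Reverse lookups for the AD subnet also go to the DC, assuming the
# 2.0.192.in-addr.arpa zone has been created there.
server=/2.0.192.in-addr.arpa/192.0.2.10

# Anything else (mydomain.com and the rest of the Internet) goes to the
# upstream resolver that applies the per-client access-control policy.
server=192.0.2.53

# Answer only on the LAN-facing interface, never on the WAN side.
interface=eth0
bind-interfaces

# Log each query so resolution can be audited per client.
log-queries
```

To check the forwarding from a client, query dnsmasq for an AD SRV record (for example `dig @<dnsmasq-ip> _ldap._tcp.ad.mydomain.com SRV`) and confirm the answer lists the DC; a query for a name outside the zone should be answered from the upstream resolver instead. Two caveats: the DC itself still needs a working `dns forwarder` in smb.conf for names it is not authoritative for, and domain members perform secure dynamic DNS updates by sending an UPDATE directly to the zone's primary server (the DC) on port 53, so the DC must remain reachable on that port from the clients even though their ordinary lookups go through dnsmasq.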