[Samba] specify alternative port for samba internal dns server
Ben Cohen
cohen.ben at gmail.com
Thu Feb 26 17:10:44 MST 2015
Whoops - sorry for responding to you directly rather than via the list -- I
only use gmail for extremely high-volume mailing lists, and usually that's
just to skim-read them -- so I don't know the gmail web-ui very well (and
it seems to change all the time) -- apologies. (Also I have no idea how to
not top-post with gmail ... I'll figure that out for next time)
You seem to have strong opinions regarding the default port for the dns
server - I disagree with you but I'm not going to try to change your deeply
held beliefs.
While expressing your opinions earlier in the thread, the idea was raised
that it is somehow _REQUIRED_ for clients to use the samba internal dns
directly rather than receive dns responses via an intermediary dns server
-- can someone confirm whether or not this is the case?
On Thu, Feb 26, 2015 at 4:00 PM, Rowland Penny <rowlandpenny at googlemail.com>
wrote:
> On 26/02/15 23:39, Ben Cohen wrote:
>
>> Please stop making the assumption that I don't have different problems
>> than you...
>>
>> I support IT environments that are connected via incredibly slow internet
>> links -- user clients CANNOT use something other than my dns server as
>> their dns resolver -- I have to implement logic which controls all internet
>> access, including dns resolution, on a per user basis per-byte basis -- if
>> I put another dns server in-between me and the network clients, I lose the
>> information by which my dns forwarding-resolver can make the identity
>> determination. Perhaps you have some way of passing forward the identity
>> information regarding which client is making the dns request in a way that
>> my network-access-control appliance understands -- oh, right no you don't
>> do you?
>>
>> In my testing my approach seems to work the way I want to do things --
>> two servers, one with dnsmasq, one with samba internal dns. Clients point
>> at my dnsmasq, dnsmasq resolves ad domain via samba dns. Is this not
>> appropriate for some reason? How does this go against the 'ad' way? As far
>> as I can tell there is absolutely nothing wrong with this architecture ...
>> why should the clients need to talk to the samba dns directly rather than
>> via my intermediary -- is that actually required? It's my impression that
>> my campus network doesn't do this with normal active directory -- I believe
>> they run BIND and queries for ad.foo.com are
>> resolved via authoritative AD dns servers running on windows server ...
>> Isn't that the normal way?
>>
>> The reason I want to run the samba4 dns on a different port than the
>> default is to avoid having to run an additional OS -- my environments are
>> very expensive to put equipment in, reducing the hardware and OS count is
>> desirable, particularly where there is not a good reason that something
>> needs to have its own OS instance ...
>>
>> It seems you reference a straw-man desire to customize the ldap server
>> port in order to evoke some history of problems surrounding people trying
>> to use services that don't work with the AD model within samba. In fact my
>> GOAL is exactly the opposite -- I WANT to USE the samba integrated dns in
>> order to avoid having any issues with the required set of magic AD dns
>> behaviours -- rather than trying to hack those required dns behaviours into
>> my existing dns configuration ...
>>
>> I appreciate your thoughts and if my suggested approach (with two
>> servers) truly isn't going to work, it would be huge if you or someone else
>> could tell me and give a lot of insight why ... because my plan even with a
>> *NO* on the ability to change the port that samba-dns listens on, is to use
>> two servers as described above ... If that's not gonna work for some
>> reason it'd be awesome to find out now ...
>>
>> Thanks,
>>
>> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <
>> rowlandpenny at googlemail.com> wrote:
>>
>> On 26/02/15 22:58, Ben Cohen wrote:
>>
>> My goal is for the samba dns server to be authoritative for
>> 'ad.mydomain.com' but not for mydomain.com. The dns server
>> that the clients in my domain use is statically configured to
>> resolve all requests for ad.mydomain.com via the
>> samba internal dns -- I believe this is exactly what is
>> required for samba to function ... Is this incorrect somehow?
>>
>>
>> You should point your domain members to the DC, if the record the
>> client requires is inside the AD domain, the DC will return
>> the answer; if it doesn't know, it will forward the request to
>> whatever you have set as the forwarder.
>>
>>
>> A whole bunch of other samba services can listen on other than
>> the default service port through configuration options ...
>> Why should the dns service uniquely deserve an all-caps *NO*
>> with regard to this configurability?
>>
>>
>> You could always try and alter the ldap port that samba4 listens
>> on, oh sorry, you cannot change that either, can you.
>>
>> Please stop trying to bend AD to your way of working.
>>
>>
>> Rowland
>> -- To unsubscribe from this list go to the following URL and read
>> the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> Please stop sending emails directly to me, keep it on list.
>
> If you are struggling with resources, you could run another OS inside a VM
> and point the samba forwarder to a DNS server running on the OS in the VM.
>
> Would you try and circumvent the way a windows server works? I do not
> think so, and as samba4 AD works exactly the same as windows AD, you
> shouldn't try to change the way it works.
>
> Note that this is the last I will have to say on this subject.
>
>
> Rowland
>
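The two-server layout described in this thread (clients point at dnsmasq, which forwards only the AD zone to the Samba internal DNS and everything else to the site resolver), written out as a dnsmasq configuration. This is an added example, not the thread's or the Samba project's own configuration; the interface name, the addresses and the 192.0.2.0/24 client subnet are constructed placeholders.

```conf
# Added example (not from the thread or the Samba project): dnsmasq as the
# resolver the clients see, forwarding the AD zone to the Samba DC.
# All addresses and the interface name are constructed placeholders.

# Answer only on the client-facing interface and address.
interface=eth0
bind-interfaces
listen-address=192.0.2.53

# Do not pull upstream servers from /etc/resolv.conf or names from /etc/hosts,
# so the only forwarding rules in effect are the ones below.
no-resolv
no-hosts

# Everything at or below ad.mydomain.com goes to the Samba internal DNS on the
# DC. dnsmasq picks the most specific matching server= line, so this also
# covers the _msdcs, _sites, _tcp and _udp SRV subtrees an AD client looks up,
# while plain mydomain.com names are NOT sent to the DC.
server=/ad.mydomain.com/192.0.2.10

# Reverse lookups for the AD client subnet (assumed 192.0.2.0/24) also go to
# the DC, so PTR records registered there are reachable through dnsmasq.
server=/2.0.192.in-addr.arpa/192.0.2.10

# Catch-all: every other name goes to the site's normal resolver.
server=198.51.100.1

# Log each query with the client address; this is the per-client attribution
# the thread gives as the reason for keeping dnsmasq in front of the DC.
log-queries
```

After restarting dnsmasq, `dig @192.0.2.53 _ldap._tcp.dc._msdcs.ad.mydomain.com SRV` from a client should return the DC's SRV record, and `dig @192.0.2.53 www.mydomain.com A` should be answered by the site resolver, not the DC.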