[Samba] specify alternative port for samba internal dns server

Ben Cohen cohen.ben at gmail.com
Thu Feb 26 17:15:59 MST 2015


Please stop making the assumption that I don't have different problems than
you...

I support IT environments that are connected via incredibly slow internet
links -- user clients CANNOT use something other than my dns server as
their dns resolver -- I have to implement logic which controls all internet
access, including dns resolution, on a per user basis per-byte basis -- if
I put another dns server in-between me and the network clients, I lose the
information by which my dns forwarding-resolver can make the identity
determination.  Perhaps you have some way of passing forward the identity
information regarding which client is making the dns request in a way that
my network-access-control appliance understands -- oh, right, no you don't,
do you?

In my testing my approach seems to work the way I want to do things -- two
servers, one with dnsmasq, one with samba internal dns.  Clients point at
my dnsmasq, dnsmasq resolves ad domain via samba dns.  Is this not
appropriate for some reason?  How does this go against the 'ad' way?  As
far as I can tell there is absolutely nothing wrong with this architecture
... why should the clients need to talk to the samba dns directly rather
than via my intermediary -- is that actually required?  It's my impression
that my campus network doesn't do this with normal active directory -- I
believe they run BIND and queries for ad.foo.com are resolved via
authoritative AD dns servers running on windows server ...  Isn't that the
normal way?

The reason I want to run the samba4 dns on a different port than the
default is to avoid having to run an additional OS -- my environments are
very expensive to put equipment in, reducing the hardware and OS count is
desirable, particularly where there is not a good reason that something
needs to have its own OS instance ...

It seems you reference a straw-man desire to customize the ldap server port
in order to evoke some history of problems surrounding people trying to use
services that don't work with the AD model within samba.  In fact my GOAL
is exactly the opposite -- I WANT to USE the samba integrated dns in order
to avoid having any issues with the required set of magic AD dns behaviours
-- rather than trying to hack those required dns behaviours into my
existing dns configuration ...

I appreciate your thoughts and if my suggested approach (with two servers)
truly isn't going to work, it would be huge if you or someone else could
tell me and give a lot of insight why ... because my plan even with a *NO* on
the ability to change the port that samba-dns listens on, is to use two
servers as described above ...  If that's not gonna work for some reason
it'd be awesome to find out now ...

Thanks,

On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <rowlandpenny at googlemail.com>
wrote:

> On 26/02/15 22:58, Ben Cohen wrote:
>
>> My goal is for the samba dns server to be authoritative for
>> 'ad.mydomain.com' but not for mydomain.com. The dns server that the
>> clients in my domain use is statically configured to resolve all requests
>> for ad.mydomain.com via the samba internal dns -- I believe this is
>> exactly what is required for samba to function ...  Is this incorrect
>> somehow?
>>
>
> You should point your domain members to the DC, if the record the client
> requires is inside the AD domain, the DC will return an answer, if it doesn't
> know, it will forward the request to whatever you have set as the forwarder.
>
>
>> A whole bunch of other samba services can listen on other than the
>> default service port through configuration options ...  Why should the dns
>> service uniquely deserve an all-caps *NO* with regard to this
>> configurability?
>>
>>
> You could always try and alter the ldap port that samba4 listens on, oh
> sorry, you cannot change that either, can you?
>
> Please stop trying to bend AD to your way of working.
>
>
> Rowland


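The two-server arrangement described in the thread (clients query dnsmasq, dnsmasq hands only the AD zone to the Samba internal DNS), written out as a dnsmasq configuration. This is an added example, not part of the thread or of either project's documentation; the addresses, the zone name ad.mydomain.com, the reverse zone and the log path are assumptions.

```conf
# dnsmasq.conf on the resolver the clients point at (added example; the
# addresses, zone name and log path are assumptions, not values from the
# thread). Only the AD zone and its reverse zone go to the Samba DC; all
# other lookups go to the upstream forwarder, so the DC never has to be
# reachable by the clients directly.
listen-address=192.0.2.1
no-resolv                        # ignore /etc/resolv.conf for upstreams
domain-needed                    # never forward plain, dot-less names
bogus-priv                       # keep private reverse lookups off the internet
stop-dns-rebind                  # reject upstream answers that point at private IPs
rebind-domain-ok=/ad.mydomain.com/  # ...except from the AD zone, which legitimately does

# Conditional forwarding. server=/domain/ also matches every subdomain, so
# _msdcs.ad.mydomain.com and the other SRV records a domain member looks up
# are covered. The #port suffix is how dnsmasq would target a server that
# listens somewhere other than 53; the Samba DC here is on the default port.
server=/ad.mydomain.com/192.0.2.10#53
server=/2.0.192.in-addr.arpa/192.0.2.10#53

# Default upstream for everything not matched above.
server=203.0.113.53

# Per-client query logging: the source address of every query is recorded
# here, which is the information an intermediary resolver keeps and a
# client-to-DC setup would leave with the DC.
log-queries
log-facility=/var/log/dnsmasq.log

# Check from a client (assumed names): the SRV record must resolve through
# the intermediary, and an external name must not be answered by the DC.
#   dig @192.0.2.1 _ldap._tcp.dc._msdcs.ad.mydomain.com SRV
#   dig @192.0.2.1 www.example.com A
```

If the domain members also need the AD zone's reverse records for more than one subnet, add one server=/.../ line per in-addr.arpa zone rather than relying on the default upstream.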