[Samba] specify alternative port for samba internal dns server

Ben Cohen cohen.ben at gmail.com
Thu Feb 26 18:01:55 MST 2015


Ok great -- thanks for the response.  Based on your answer, I'm under the
impression my approach should work fine then.

As for switching to BIND -- my networks are small, BIND is a whole lot more
dns-server than I need ...  dnsmasq has advantages over BIND -- it's much
easier to administer, much more flexible, we use it for dhcp, and perhaps
most importantly -- we are already using it ...

With this setup samba-dns should own all dns behaviours that depend on AD,
and the rest of my environment's behaviours will work exactly as before (so
long as there's not something basic that I'm not understanding).  I
don't see why this should be considered a hard-to-troubleshoot arrangement;
all the tricky dns stuff should be handled within the samba dns server ...
I know from experience that troubleshooting BIND with external dynamic dns
mutators is not particularly fun ...  This approach requires far fewer
heavy inter-service dependencies in my opinion -- samba wholly owns the ad
dns, dnsmasq points to ad dns for the ad domain as it would any other dns
server -- no BIND-DDNS synchronization is needed ...

Thanks again for the thoughts -- and I hope I'm not coming across as
someone who's repeatedly disregarding advice.  I'm in a position where I do
want to use the internal samba dns, but I can't point my clients at the
internal dns as their primary dns server.  It seems to me like there might
be a lot of other environments where this same approach would make samba4
integration substantially more straightforward than the two approaches
described in the samba4 documentation ...

On Thu, Feb 26, 2015 at 4:16 PM, John Yocum <jtyocum at uw.edu> wrote:

> On 02/26/2015 04:10 PM, Ben Cohen wrote:
> > Whoops - sorry for responding to you directly rather than via the list -- I
> > only use gmail for extremely high-volume mailing lists, and usually that's
> > just to skim-read them -- so I don't know the gmail web-ui very well (and
> > it seems to change all the time) -- apologies.  (Also I have no idea how to
> > not top-post with gmail ...  I'll figure that out for next time)
> >
> > You seem to have strong opinions regarding the default port for the dns
> > server - I disagree with you but I'm not going to try to change your deeply
> > held beliefs.
> >
> > While expressing your opinions earlier in the thread, the idea was raised
> > that it is somehow _REQUIRED_ for clients to use the samba internal dns
> > directly rather than receive dns responses via an intermediary dns server
> > -- can someone confirm whether or not this is the case?
> >
> > On Thu, Feb 26, 2015 at 4:00 PM, Rowland Penny <rowlandpenny at googlemail.com>
> > wrote:
> >
> >> On 26/02/15 23:39, Ben Cohen wrote:
> >>
> >>> Please stop making the assumption that I don't have different problems
> >>> than you...
> >>>
> >>> I support IT environments that are connected via incredibly slow internet
> >>> links -- user clients CANNOT use something other than my dns server as
> >>> their dns resolver -- I have to implement logic which controls all internet
> >>> access, including dns resolution, on a per-user, per-byte basis -- if
> >>> I put another dns server in-between me and the network clients, I lose the
> >>> information by which my dns forwarding-resolver can make the identity
> >>> determination.  Perhaps you have some way of passing forward the identity
> >>> information regarding which client is making the dns request in a way that
> >>> my network-access-control appliance understands -- oh, right, no you don't,
> >>> do you?
> >>>
> >>> In my testing my approach seems to work the way I want to do things --
> >>> two servers, one with dnsmasq, one with samba internal dns.  Clients point
> >>> at my dnsmasq, dnsmasq resolves ad domain via samba dns.  Is this not
> >>> appropriate for some reason?  How does this go against the 'ad' way?  As far
> >>> as I can tell there is absolutely nothing wrong with this architecture ...
> >>> why should the clients need to talk to the samba dns directly rather than
> >>> via my intermediary -- is that actually required?  It's my impression that
> >>> my campus network doesn't do this with normal active directory -- I believe
> >>> they run BIND and queries for ad.foo.com are resolved via authoritative
> >>> AD dns servers running on windows server ...  Isn't that the normal way?
> >>>
> >>> The reason I want to run the samba4 dns on a different port than the
> >>> default is to avoid having to run an additional OS -- my environments are
> >>> very expensive to put equipment in, reducing the hardware and OS count is
> >>> desirable, particularly where there is not a good reason that something
> >>> needs to have its own OS instance ...
> >>>
> >>> It seems you reference a straw-man desire to customize the ldap server
> >>> port in order to evoke some history of problems surrounding people trying
> >>> to use services that don't work with the AD model within samba.  In fact my
> >>> GOAL is exactly the opposite -- I WANT to USE the samba integrated dns in
> >>> order to avoid having any issues with the required set of magic AD dns
> >>> behaviours -- rather than trying to hack those required dns behaviours into
> >>> my existing dns configuration ...
> >>>
> >>> I appreciate your thoughts and if my suggested approach (with two
> >>> servers) truly isn't going to work, it would be huge if you or someone else
> >>> could tell me and give a lot of insight why ... because my plan even with a
> >>> *NO* on the ability to change the port that samba-dns listens on, is to use
> >>> two servers as described above ...  If that's not gonna work for some
> >>> reason it'd be awesome to find out now ...
> >>>
> >>> Thanks,
> >>>
> >>> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <rowlandpenny at googlemail.com>
> >>> wrote:
> >>>
> >>>     On 26/02/15 22:58, Ben Cohen wrote:
> >>>
> >>>         My goal is for the samba dns server to be authoritative for
> >>>         'ad.mydomain.com' but not for mydomain.com.  The dns server
> >>>         that the clients in my domain use is statically configured to
> >>>         resolve all requests for ad.mydomain.com via the
> >>>         samba internal dns -- I believe this is exactly what is
> >>>         required for samba to function ...  Is this incorrect somehow?
> >>>
> >>>
> >>>     You should point your domain members to the DC, if the record the
> >>>     client requires is inside the AD domain, the DC will return an
> >>>     answer, if it doesn't know, it will forward the request to
> >>>     whatever you have set as the forwarder.
> >>>
> >>>
> >>>         A whole bunch of other samba services can listen on other than
> >>>         the default service port through configuration options ...
> >>>         Why should the dns service uniquely deserve an all-caps *NO*
> >>>         with regard to this configurability?
> >>>
> >>>
> >>>     You could always try and alter the ldap port that samba4 listens
> >>>     on, oh sorry, you cannot change that either can you.
> >>>
> >>>     Please stop trying to bend AD to your way of working.
> >>>
> >>>
> >>>     Rowland
> >>>     --
> >>>     To unsubscribe from this list go to the following URL and read the
> >>>     instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >>>
> >>>
> >> Please stop sending emails directly to me, keep it on list.
> >>
> >> If you are struggling with resources, you could run another OS inside a VM
> >> and point the samba forwarder to a DNS server running on the OS in the VM.
> >>
> >> Would you try and circumvent the way a windows server works, I do not
> >> think so and as samba4 AD works exactly the same as windows AD, you
> >> shouldn't try to change the way it works.
> >>
> >> Note that this is the last I will have to say on this subject.
> >>
> >>
> >> Rowland
> >>
>
> Your clients don't have to query your Samba DC's for DNS directly.
> Though, it does make troubleshooting/resolving issues much simpler.
>
> One thought would be, replace dnsmasq with BIND, and use BIND to do
> Samba's DNS along with your other DNS needs.
> --
> John Yocum, Systems Administrator, DEOHS
>
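The layout argued over in this thread (clients resolve through an existing dnsmasq, dnsmasq forwards only the AD zone to the Samba DC's internal DNS) reduces to a few dnsmasq directives. The fragment below is an added example, not configuration posted by anyone in the thread or shipped by Samba or dnsmasq. It assumes the AD zone is ad.mydomain.com, the Samba DC is 192.0.2.10 with its internal DNS on the default port 53, the DC's subnet is 192.0.2.0/24 and the general-purpose upstream is 192.0.2.1; all of those values are illustrative.

```conf
# /etc/dnsmasq.d/samba-ad.conf  (added example; not from the thread)
# Assumed values: AD zone ad.mydomain.com, Samba DC 192.0.2.10 listening on
# port 53, DC subnet 192.0.2.0/24, general upstream resolver 192.0.2.1.

# Forward the whole AD zone to the Samba internal DNS. dnsmasq matches
# subdomains of the listed domain as well, so the _msdcs, _sites, _tcp and
# _udp subtrees that carry the SRV records clients use to locate the DC
# (LDAP, Kerberos, GC) take the same path without being listed separately.
server=/ad.mydomain.com/192.0.2.10

# Reverse lookups for the DC's subnet also go to the DC, so PTR records
# registered in the AD reverse zone are answered from AD rather than from
# /etc/hosts or the dnsmasq lease file.
rev-server=192.0.2.0/24,192.0.2.10

# With rebind protection on, answers from the AD zone contain private
# addresses and would be discarded as a DNS-rebinding attempt. Exempt the
# AD zone explicitly instead of turning the protection off.
stop-dns-rebind
rebind-domain-ok=/ad.mydomain.com/

# Everything outside the AD zone keeps going to the existing upstream, so
# the per-client accounting done at dnsmasq is unchanged for that traffic.
server=192.0.2.1

# dnsmasq can reach an upstream on a non-default port with a #port suffix,
# e.g. server=/ad.mydomain.com/192.0.2.10#5353. That only covers queries
# that dnsmasq itself forwards; it does not move the DC off port 53 for
# traffic that clients send to the DC directly (see the note below).
```

After reloading dnsmasq, a client-side check that the delegation works is to query the SRV records a domain join depends on through dnsmasq rather than the DC, for example `dig @<dnsmasq-ip> _ldap._tcp.dc._msdcs.ad.mydomain.com SRV` and `dig @<dnsmasq-ip> _kerberos._tcp.ad.mydomain.com SRV`; both must return the DC's name and resolve to 192.0.2.10. One caveat a practitioner should weigh: DNS queries are the only part of AD DNS that this arrangement proxies. Domain members that register their own A and PTR records do so with DNS UPDATE messages (RFC 2136, normally GSS-TSIG signed) sent straight to the zone's primary master, which they discover from the zone's SOA record and contact on port 53; dnsmasq does not relay UPDATE. So with the internal DNS fixed on port 53 (the "NO" in the thread), the DC must still be reachable on 53 from any host whose records should be kept current, or those records have to be maintained another way. Kerberos and LDAP traffic already go directly to the DC and are not affected.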

