[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems

Matthias Busch catwiesel at gmx.net
Thu Mar 12 15:08:13 MDT 2015

>Hi, please don't use .local, you say that no apple devices will come
>near, but what about an iphone ? and what about avahi ?

>When you ran configure, you might as well just run it like this: ./configure

>All the rest are defaults and you do not really need debug.

>You only need to alter /etc/nsswitch.conf (yes that's the one) if you
>want/need your users to log into the DC.


Peter convinced me to not use .local from now on.

But the .local should not be able to cause my problems?

And yeah, for now this is for testing/learning purposes. If it works (well/reliably enough) I plan to use it for my home network, maybe add RADIUS for wifi.
And I can guarantee that no Apple devices are coming near that network. And if some guest brings one, he can survive without Bonjour and zeroconf.
Avahi is running, I've seen that. Wouldn't miss it if it were gone either.

When I ran configure, I did not know which were the default switches. And since I had trouble in the first place, I enabled debug.

My nsswitch.conf is posted down below. I have no clue how to interpret the content...


>At least w.r.t. the Bind backend this fear is not necessary. It is indeed
>exactly what I do. The AD-DNS is only authoritative to "domain.samdom.com",
>not to "samdom.com". There is only one little trick necessary if You got
>a slave nameserver, which is tied to Your AD-DC server.

>Note the line "forwarders{}", which will ensure, that the local DNS server
>doesn't ask the public DNS, which is authoritative for the public
>"samdom.com". You would then get the IP of "samdom.com" when looking up
>a local host.

>But I agree, that this is a bit of perfectionism. One can do things simpler.
>On the other hand: one of my two DCs was down for a week (the one 70km away
>in the "weekend"-apartment), but the whole network worked flawlessly. These
>Arm based appliances are definitely less reliable than ordinary PC H/W. I
>use slave DNS servers on my file servers, which keep at least DNS working
>whatever the Raspi or the Cubieboard do (better: don't do...).

As I said before, I would like to stay clear of bind if I can. At least for now. It adds one more level to configure, administer and troubleshoot.

I think adding components like a 2nd DC or a slave NS or a second DHCP* for redundancy may be a great idea later, when the system is in production and does not perform as reliably as expected.
In the meantime, clients still work without the DC, static IPs or router DHCP can push corrected IP/DNS settings, and RADIUS can be configured to use fallback user/pass if AD goes down...

*DHCP: Still haven't decided if I should change router DHCP to push out AD DNS and domain name, or disable router DHCP and get my own DHCP going - including dynamic DNS updates...


Kerberos still isn't working and I don't know enough about Kerberos yet to really troubleshoot or see problems in logs...

After further googling I think I may have been in the wrong when I copied the Samba-supplied krb5.conf over the one in /etc.
So I restored the one in /etc and added the Samba one...

The change(s) in the krb5.conf did not help...

--- this is my /etc/krb5.conf

[libdefaults]
         default_realm = MY-DOMAIN.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
         krb4_config = /etc/krb.conf
         krb4_realms = /etc/krb.realms
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
         v4_instance_resolve = false
         v4_name_convert = {
                 host = {
                         rcmd = host
                         ftp = ftp
                 }
                 plain = {
                         something = something-else
                 }
         }
         fcc-mit-ticketflags = true

[realms]
         MY-DOMAIN.LOCAL = {
                 kdc = adserver.my-domain.local               <-- tried with adserver
                 admin_server = adserver.my-domain.local          and adserver.my-domain.local
         }

         ... lots of .MIT.EDU entries ...

[domain_realm]
         .mit.edu = ATHENA.MIT.EDU
         mit.edu = ATHENA.MIT.EDU
         .media.mit.edu = MEDIA-LAB.MIT.EDU
         media.mit.edu = MEDIA-LAB.MIT.EDU
         .csail.mit.edu = CSAIL.MIT.EDU
         csail.mit.edu = CSAIL.MIT.EDU
         .whoi.edu = ATHENA.MIT.EDU
         whoi.edu = ATHENA.MIT.EDU
         .stanford.edu = stanford.edu
         .slac.stanford.edu = SLAC.STANFORD.EDU
         .toronto.edu = UTORONTO.CA
         .utoronto.ca = UTORONTO.CA

[login]
         krb4_convert = true
         krb4_get_tickets = false

--- this is my /etc/nsswitch.conf:

passwd:         compat
group:          compat
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
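Added example, not part of the post or of Samba: a small Python checker that parses a krb5.conf (sections plus `{ }` nested blocks) and the `hosts:` line of nsswitch.conf, then walks the NSS lookup chain for each KDC of the default realm the way glibc does (default actions SUCCESS=return, others continue, overridden by `[STATUS=action]` tokens). The model of `mdns4_minimal` is an assumption stated in the code: it only serves names ending in `.local` (returning UNAVAIL for anything else) and answers NOTFOUND when mDNS has no record. The sample files are constructed from the configuration quoted in the post, with the section headers restored. For a `.local` KDC name that only the AD DNS knows, the chain `files mdns4_minimal [NOTFOUND=return] dns` stops before `dns` is ever consulted, which is the kind of thing to rule out before digging into Kerberos logs.

```python
import re

# Constructed sample, modelled on the krb5.conf quoted in the post (section headers restored).
KRB5_SAMPLE = """\
[libdefaults]
    default_realm = MY-DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }
[realms]
    MY-DOMAIN.LOCAL = {
        kdc = adserver.my-domain.local
        admin_server = adserver.my-domain.local
    }
[domain_realm]
    .my-domain.local = MY-DOMAIN.LOCAL
"""

# Constructed sample, modelled on the nsswitch.conf quoted in the post.
NSSWITCH_SAMPLE = """\
passwd:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
"""

# glibc NSS defaults when no [STATUS=action] token is given for a source.
DEFAULT_ACTIONS = {'SUCCESS': 'return', 'NOTFOUND': 'continue',
                   'UNAVAIL': 'continue', 'TRYAGAIN': 'continue'}


def parse_krb5(text):
    """Parse krb5.conf into {section: {key: [values] | nested dict}}.
    A value of '{' opens a nested block; a bare '}' closes it. Repeated keys
    (e.g. several kdc lines) accumulate into a list."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError('key outside any section: %r' % raw)
        if line == '}':
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            nested = {}
            stack[-1][key] = nested
            stack.append(nested)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def parse_nsswitch_hosts(text):
    """Return the hosts: chain as [(source, {STATUS: action})]; a bracket token
    attaches its actions to the source immediately before it."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('hosts:'):
            tokens = re.findall(r'\[[^\]]*\]|\S+', line[len('hosts:'):])
            break
    else:
        raise ValueError('no hosts: line in nsswitch.conf')
    chain = []
    for tok in tokens:
        if tok.startswith('['):
            for spec in tok[1:-1].split():
                status, _, action = spec.partition('=')
                chain[-1][1][status.upper()] = action.lower()
        else:
            chain.append((tok, {}))
    return chain


def simulate_hosts_lookup(chain, name, answers):
    """Walk the chain for `name`; `answers` maps source -> names it can resolve.
    Assumption (model of nss-mdns): *_minimal sources only handle names ending
    in .local and return UNAVAIL for anything else. Returns (status, consulted)."""
    consulted = []
    for source, actions in chain:
        consulted.append(source)
        if source.startswith('mdns') and source.endswith('_minimal') and not name.endswith('.local'):
            status = 'UNAVAIL'
        else:
            status = 'SUCCESS' if name in answers.get(source, ()) else 'NOTFOUND'
        if {**DEFAULT_ACTIONS, **actions}[status] == 'return':
            return status, consulted
    return 'NOTFOUND', consulted


def check_kdc_resolution(krb5, chain):
    """For each KDC of the default realm, simulate a lookup where only DNS knows
    the name (the AD DC case: Samba's DNS answers, mDNS does not) and report
    the outcome plus which sources were actually consulted."""
    realm = krb5['libdefaults']['default_realm'][0]
    report = {}
    for entry in krb5['realms'][realm].get('kdc', []):
        host = entry.split(':')[0]          # drop an optional :port
        report[host] = simulate_hosts_lookup(chain, host, {'dns': {host}})
    return report


if __name__ == '__main__':
    for host, (status, consulted) in check_kdc_resolution(parse_krb5(KRB5_SAMPLE),
                                                          parse_nsswitch_hosts(NSSWITCH_SAMPLE)).items():
        reached_dns = 'dns' in consulted
        print('%s: %s via %s%s' % (host, status, ' -> '.join(consulted),
                                   '' if reached_dns else '  (dns never consulted)'))
```

Run against the real files with `parse_krb5(open('/etc/krb5.conf').read())` and `parse_nsswitch_hosts(open('/etc/nsswitch.conf').read())`; a KDC line whose report says the `dns` source was never consulted means the client cannot find its KDC through the resolver chain as configured, regardless of what the Samba DNS would have answered.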