[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems

Rowland Penny rowlandpenny at googlemail.com
Thu Mar 12 15:31:42 MDT 2015


On 12/03/15 21:08, Matthias Busch wrote:
>> Hi, please don't use .local. You say that no Apple devices will come
>> near, but what about an iPhone? And what about Avahi?
>
>> When you ran configure, you might as well just run it like this: 
>> ./configure
>
>> All the rest are defaults and you do not really need debug.
>
>> You only need to alter /etc/nsswitch.conf (yes that's the one) if you
>> want/need your users to log into the DC.
>
>> Rowland
>
> Peter convinced me to not use .local from now on.
>
> But the .local should not be able to cause my problems?
>
> And yeah, for now, this is for testing/learning purposes. If it works 
> (well/reliably enough) I plan to use it for my home network, maybe add 
> RADIUS for Wi-Fi.
> And I can guarantee that no Apple devices are coming near that 
> network, and if some guest brought one, he could survive without 
> Bonjour and Zeroconf.
> Avahi is running, I've seen that. Wouldn't miss it if it were gone either.
>
> When I ran configure, I did not know which were the default switches, and 
> since I had trouble in the first place I enabled debug.
>
> my nsswitch.conf I posted down below. I have no clue how to interpret 
> the content...
>
> ---
>
>> At least w.r.t. the Bind backend this fear is not necessary. It is 
>> indeed exactly what I do. The AD DNS is only authoritative for 
>> "domain.samdom.com", not for "samdom.com". There is only one little 
>> trick necessary if you have a slave nameserver which is tied to your 
>> AD DC server.
>
>> Note the line "forwarders{}", which will ensure that the local DNS 
>> server doesn't ask the public DNS, which is authoritative for the public 
>> "samdom.com". You would then get the IP of "samdom.com" when looking up
>> a local host.
>
>> But I agree that this is a bit of perfectionism. One can do things 
>> simpler. On the other hand: one of my two DCs was down for a week (the 
>> one 70km away in the "weekend" apartment), but the whole network worked 
>> flawlessly. These ARM-based appliances are definitely less reliable than 
>> ordinary PC H/W. I use slave DNS servers on my file servers, which keep 
>> at least DNS working whatever the Raspi or the Cubieboard do (better: 
>> don't do...).
>
> As I said before, I would like to stay clear of Bind if I can, at 
> least for now. It adds one more level to configure, administer and 
> troubleshoot.
>
> I think adding components like a 2nd DC, a slave NS or a second 
> DHCP* for redundancy may be a great idea later, when the system is in 
> production and does not perform as reliably as expected.
> In the meantime, clients still work without the DC: static IPs or router 
> DHCP can push corrected IP/DNS settings, and RADIUS can be configured 
> to use fallback user/pass if AD goes down...
>
> *DHCP: Still haven't decided if I should change router DHCP to push out 
> AD DNS and domain name, or disable router DHCP and get my own DHCP 
> going - including dynamic DNS updates...
>

The AD DNS must be handled by the DC; you can use either the internal 
DNS server or Bind9, the choice is yours. DHCP can be from your router 
or on the DC, but if you do go down the latter path, you will need to use 
Bind9, as there seems to be a problem with the internal DNS server & DHCP.

> ---
>
> Kerberos still isn't working and I don't know enough about Kerberos yet 
> to really troubleshoot or see problems in logs...
>
> After further googling I think I may have been in the wrong when I 
> copied the Samba-supplied krb5.conf over the one in /etc,
> so I restored the one in /etc and added the Samba one...
>

No, you weren't wrong. Put krb5.conf back to how you had it; you only 
need 4 lines.

> the change(s) in the krb5.conf did not help...
>
> --- this is my /etc/krb5.conf
>
> [libdefaults]
>         default_realm = MY-DOMAIN.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
>
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
>
> [realms]
>         MY-DOMAIN.LOCAL = {
>                 kdc = adserver.my-domain.local
>                 admin_server = adserver.my-domain.local
>         }
>         <-- tried with both "adserver" and "adserver.my-domain.local"
>             for kdc / admin_server
>
>     ... lots of .MIT.EDU entries ...
>
> [domain_realm]
>         .mit.edu = ATHENA.MIT.EDU
>         mit.edu = ATHENA.MIT.EDU
>         .media.mit.edu = MEDIA-LAB.MIT.EDU
>         media.mit.edu = MEDIA-LAB.MIT.EDU
>         .csail.mit.edu = CSAIL.MIT.EDU
>         csail.mit.edu = CSAIL.MIT.EDU
>         .whoi.edu = ATHENA.MIT.EDU
>         whoi.edu = ATHENA.MIT.EDU
>         .stanford.edu = stanford.edu
>         .slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
>
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>
>
>
> --- this is my /etc/nsswitch.conf:
>
> passwd:         compat
> group:          compat
> shadow:         compat
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> ---
>
> Matze
>

Have a look here: 
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

particularly the 'Make domain users/groups available locally through 
Winbind' part

Rowland
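
Added example (not part of the thread, and not Samba project code): a small
Python lint that reads a krb5.conf and an nsswitch.conf and flags the points
raised above. It checks the realm for the discouraged .local TLD; whether the
nsswitch hosts line puts an mDNS source followed by [NOTFOUND=return] ahead of
dns (with that ordering a .local name Avahi cannot answer is reported as not
found and the DC's DNS is never consulted, which is the Avahi problem Rowland
warns about); a hard-coded kdc for the default realm, which is used in
preference to the SRV lookup that dns_lookup_kdc = true would otherwise do;
and leftover MIT realms from the distribution's stock file. It also emits the
four-line krb5.conf that Samba's provisioning writes, which is the "4 lines"
referred to above. The two sample configs embedded in the script are
constructed, modelled on the ones posted in the thread rather than copied,
and the finding names are this example's own.

```python
import re

# Added example (not Samba code). Sample configs below are constructed,
# modelled on the krb5.conf / nsswitch.conf posted in the thread.
SAMPLE_KRB5 = """\
[libdefaults]
        default_realm = MY-DOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
        MY-DOMAIN.LOCAL = {
                kdc = adserver.my-domain.local
                admin_server = adserver.my-domain.local
        }
[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
"""
SAMPLE_NSSWITCH = """\
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
"""

def parse_krb5(text):
    """Minimal krb5.conf parser: 'key = value' per section plus one level of
    'NAME = { ... }' blocks, as used in [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None or line == '}':
            block = None
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if val == '{':
            block = key
            conf[section][block] = {}
        elif block is not None:
            conf[section][block][key] = val
        else:
            conf[section][key] = val
    return conf

def nss_hosts_sources(text):
    """Ordered source tokens of the nsswitch.conf 'hosts:' line."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('hosts:'):
            return line.split(':', 1)[1].split()
    return []

def mdns_shadows_dns(tokens):
    """True if an mDNS source with [NOTFOUND=return] comes before 'dns': a
    .local name Avahi cannot answer then ends the lookup unresolved."""
    for i, tok in enumerate(tokens):
        if tok == 'dns':
            return False
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ''
        if tok.startswith('mdns') and 'notfound=return' in nxt:
            return True
    return False

def lint(krb5_text, nsswitch_text):
    """Sorted finding codes for the two files; an empty list means clean."""
    findings = set()
    conf = parse_krb5(krb5_text)
    lib = conf.get('libdefaults', {})
    realm = lib.get('default_realm', '')
    if realm.lower().endswith('.local'):
        findings.add('realm_uses_local_tld')
        if mdns_shadows_dns(nss_hosts_sources(nsswitch_text)):
            findings.add('mdns_shadows_dns_for_local')
    if lib.get('dns_lookup_kdc', '').lower() != 'true':
        findings.add('dns_lookup_kdc_not_true')
    elif realm in conf.get('realms', {}):
        # A [realms] kdc entry is used in preference to the SRV lookup.
        findings.add('kdc_hardcoded_overrides_dns_lookup')
    foreign = {r for r in conf.get('realms', {}) if r != realm}
    foreign |= {r for r in conf.get('domain_realm', {}).values() if r != realm}
    if foreign:
        findings.add('foreign_realms_present')
    return sorted(findings)

def minimal_krb5(realm):
    """The four-line krb5.conf Samba writes when provisioning a DC; with
    dns_lookup_kdc = true the KDC is located through the DC's SRV records."""
    return ('[libdefaults]\n\tdefault_realm = %s\n'
            '\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n'
            % realm.upper())

if __name__ == '__main__':
    for finding in lint(SAMPLE_KRB5, SAMPLE_NSSWITCH):
        print('finding:', finding)
    print(minimal_krb5('my-domain.local'), end='')
```

Run it against the posted files with `lint(open('/etc/krb5.conf').read(),
open('/etc/nsswitch.conf').read())`; a clean Samba DC setup returns an empty
list. The nsswitch check only matters for .local realms because mdns4_minimal
answers nothing else; SRV lookups by the Kerberos library go to the resolver
directly, but the kdc hostname it gets back is still resolved through the
hosts line, which is where the mDNS ordering bites.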
