[Samba] samba_dlz: Failed to configure zone... already exists

Rowland Penny rowlandpenny241155 at gmail.com
Thu Sep 3 16:12:36 UTC 2015

On 03/09/15 16:46, Jim Seymour wrote:
> On Thu, 3 Sep 2015 16:18:21 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>> On 03/09/15 15:57, Jim Seymour wrote:
>>> On Thu, 3 Sep 2015 15:07:37 +0100
>>> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>> [snip]
>>>> The kerberos default_realm must be the samba AD DC domain name and
>>>> usually
>>> So if I put the Samba AD DC in, say, "addc.example.com,"
>>> "addc.example.com" must be the Kerberos default_realm?
>> Yes
> Very well.  But I expect this may well soon become a non-issue,
> because...
> [snip]
>>> Yes, but I need example.com's zone to be a "normal" (i.e.: static)
>>> zone.  It is now, and will remain, *the* zone for the corporate LAN
>>> at this location.
>> Then use another machine for the main zone.
> Not. Going. To. Happen.
> [snip]
>> If you are using this in a corporate environment, you probably
>> shouldn't be running the main DNS server on the Samba4 machine. Just
>> because you can do something is not a good reason to do it! What will
>> happen if the Samba4 machine crashes (don't say it won't, it may)
> If Samba4 can, and particularly if it's likely to, crash this machine:
> Then Samba4 will not be used, and that's the end of that.  If we wanted
> to run machines that can't walk and chew gum at the same time, we'd run
> MS-Win servers and be done with it.
> I've had what is a, by now, archaic Sun Sparc Solaris box, running for
> about a decade, serving as:
>      . File server (NFS and SMB/CIFS) (about 1TB of file storage)
>      . Mail server (mostly been moved to an outside server, now)
>      . Web (intranet) server, with some active content
>      . NIS+ and LDAP directory services server
>      . RADIUS server
>      . DNS server
>      . DHCP server
>      . RDBMS server (two different RDBMS', low-volume, very
>        lightly-loaded)
>      . Applications license server
>      . CVS (source code versioning system) server
>      . NTP server
>      . Print server
>      . SSH server
> and probably some things I'm forgetting, atm.
> For the entire operation, inside-and-out, I have only four servers (two
> inside and two out), plus a firewall box.  And the only reason there
> are that many is because the manufacturing system had to run on RHEL,
> which we don't use anywhere else.
> None of them ever crash.  None of them ever have services just fall
> over and die for no good reason.  I don't run crashy, undependable
> servers or provide crashy, undependable services.  If I wanted to run
> crashy, undependable stuff, I'd be running MS-Win servers.
> If the new server can't replace the old one, on its own, running Samba4
> as an AD DC, then I'll fall back to running it as a plain old workgroup
> server and, if the company ever want AD, they can buy a MS-Win server.
> [snip]
>> Now, if you put the main DNS
>> server on another machine and the samba4 machine goes down, DNS
>> should still work.
> Do you know how long it'd take before my "phone would melt" if the AD
> server went down?
> What I'm taking away, from your comments, is more-or-less reinforcing
> my earlier concerns: That this Samba/BIND_DLZ/Kerberos/etc. lash-up is
> not exceedingly stable--only now you're suggesting that it can *crash my
> server*?!?!
> Yeah.... no.
> I'm thinking perhaps it's time to rethink this entire plan.
> Regards,
> Jim

This 'thing', as you call it, is stable and you can run everything on one 
box if you like, but what if something does go wrong? I am not saying it 
will, but what if?
You remind me of a lot of H&S experts I have run across: they come up 
with risk assessments but *never* ask 'but what if this happens?' :-)

You can run samba4 with a domain name of 'example.com', but if you 
have machines that will not be in the AD domain, you will have to come 
up with a way to add them to the AD records. This is not particularly 
hard: DHCP can do this for you. If you have static IP machines, you will 
have to add them with samba-tool or other means.

You just have to remember that the samba4 AD mode is based heavily on 
Microsoft AD and has to work the same way. You can bend the way it 
works, but if you bend it so much that it breaks, you get to pick up 
the pieces :-D
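The reply above says static-IP hosts outside the AD domain have to be added to the AD DNS zone with samba-tool. The following POSIX shell script is an added example, not code from the thread or from the Samba project: it takes a constructed list of such hosts, validates each address, checks with `samba-tool dns query` whether an A record already exists, and only then calls `samba-tool dns add`, so it can be re-run safely. The DC name `addc.example.com`, the zone `example.com`, the `administrator` account and the host list are assumptions; `SAMBA_TOOL` is overridable so a stub can be substituted for a dry run.

```shell
#!/bin/sh
# Register static-IP hosts in the Samba AD DNS zone with samba-tool.
# Constructed example: adjust DNS_SERVER, ZONE, ADMIN and STATIC_HOSTS.

DNS_SERVER="${DNS_SERVER:-addc.example.com}"   # AD DC serving the zone (assumed name)
ZONE="${ZONE:-example.com}"                     # AD DNS zone to populate (assumed)
ADMIN="${ADMIN:-administrator}"                  # account with DNS write rights (assumed)
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"           # override with a stub for a dry run

# Constructed list of hosts that are not AD members but need A records.
STATIC_HOSTS="printer1 192.0.2.10
nas1 192.0.2.11
switch-core 192.0.2.12"

# valid_ipv4 ADDR -> exit 0 if ADDR is four dotted octets, each 0..255
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# record_exists NAME -> exit 0 if an A record for NAME is already in ZONE
record_exists() {
  "$SAMBA_TOOL" dns query "$DNS_SERVER" "$ZONE" "$1" A -U "$ADMIN" >/dev/null 2>&1
}

# add_record NAME ADDR -> create the A record
add_record() {
  "$SAMBA_TOOL" dns add "$DNS_SERVER" "$ZONE" "$1" A "$2" -U "$ADMIN"
}

# register_static_hosts -> one "added", "exists" or "skipped" line per host,
# followed by a summary line with the three counts. Idempotent: re-running
# it only reports "exists" for records that are already present.
register_static_hosts() {
  added=0; exists=0; skipped=0
  while read -r name addr; do
    [ -n "$name" ] || continue
    if ! valid_ipv4 "$addr"; then
      echo "skipped $name (bad address: $addr)" >&2
      skipped=$((skipped + 1))
      continue
    fi
    if record_exists "$name"; then
      echo "exists $name"
      exists=$((exists + 1))
    elif add_record "$name" "$addr" >/dev/null; then
      echo "added $name $addr"
      added=$((added + 1))
    else
      echo "failed $name" >&2
      skipped=$((skipped + 1))
    fi
  done <<EOF
$STATIC_HOSTS
EOF
  echo "summary: added=$added exists=$exists skipped=$skipped"
}

# Invoke as: sh register_static.sh run   (samba-tool prompts for the password)
case "${1:-}" in
  run) register_static_hosts ;;
esac
```

Hosts that get their addresses from DHCP are the other case the reply mentions and are left out here; this script is only for the static ones, and because it queries before adding it can be re-run from cron or after a DC rebuild without creating duplicate records.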

