[Samba] Bind flat file support

Mark Foley mfoley at ohprs.org
Wed Sep 9 18:12:29 UTC 2015


I've been following this thread with interest as I have deployed Samba4 AD/DC
with flat files and have had no problems, albeit in a non-multi-DC environment. 

Additional comments and some questions interspersed below ...

--Mark

-----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> To: John Gardeniers <jgardeniers at objectmastery.com>, samba at lists.samba.org
> Date: Wed, 09 Sep 2015 21:26:32 +1200
> Subject: Re: [Samba] Bind flat file support
>
> On Tue, 2015-09-08 at 08:02 +1000, John Gardeniers wrote:
> > Is there any chance that support for Bind flat files will return? 
>
> Not really.  I expect it to be less supported as time goes on.

Well, I do hope that support for flat files isn't DROPPED eventually. My
environment is apparently not complex enough for multi-DCs and I don't look
forward to changing from flat files. I also had lots of problems trying to get
DLZ to work, which is why I untimately settled on flat files.

> > I 
> > understand the various (extremely weak) arguments against it but DLZ
> > not 
> > only sucks big time, it limits proper functionality and 
> > inter-operability, necessitating significant design changes for
> > anything 
> > but the simplest of networks. Additionally, it doesn't work with the 
> > existing scripts many people use. I know that samba-tool can be used
> > in 
> > scripts but due to its inadequate error checking it's incredibly easy
> > to 
> > break the DNS.
>
> I'm sorry to hear that.  Patches to improve it are most welcome - what
> error checking is inadequate?
>
> > There are very good reasons why nearly every admin I know prefers
> > flat 
> > file. Ultimately, there is nothing easier than editing in text mode
> > and 
> > on the extremely rare occasion that an error does creep in it's ultra
> > easy to remedy.

Count me as one of those admins!

>
> The flat file backend cannot enforce AD ACLs on the modification of
> DNS, which in turn makes multi-DC deployment a hack, at best.

Now I have questions ... why would AD ACL be needed on DNS? Don't get that. What
do you mean by "the modification of DNS"?

Why would multi-DC deployment be a "hack"? Maybe the answer to the previous
question will explain this.

With standard bind, any DNS client can get what it needs from the DNS server --
I don't see why ADs would be different. Even if one of the AD is also a slave
DNS server. I don't see the problem. Of course, this may be because I've
not tried multiple ADs. A brief explanation would help me understand.

>
> It also cannot replicate the DNS information in the directory, where
> the DNS RPC server modifies it, and where Windows AD servers, which we
> strive to interoperate with, store their data.

Cannot replicate the DNS in what directory?

AD clients in Windows do want to update the zone files, in the case of Samaba4,
this is readily done by configuring e.g.

allow-update { 192.168.0/24; 127.0.0.1; };

in the Domain zone and reverse zones (/etc/samba/private/named.conf).  If the
Domain DNS clients can update DNS, how is this different from the replication
you describe? Again, I'm sure I don't understand the elements well enough, so a
bit of explanation migh help me, and even John!

THX - Mark

>
> That is why we developed the DLZ plugin, and then the internal DNS
> server.
>
> Thanks,
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



More information about the samba mailing list