[Samba] Bind flat file support

Andrew Bartlett abartlet at samba.org
Thu Sep 10 00:43:00 UTC 2015


On Wed, 2015-09-09 at 14:12 -0400, Mark Foley wrote:
> I've been following this thread with interest as I have deployed Samba4
> AD/DC with flat files and have had no problems, albeit in a non-multi-DC
> environment.
> 
> Additional comments and some questions interspersed below ...
> 
> --Mark
> 
> -----Original Message-----
> > From: Andrew Bartlett <abartlet at samba.org>
> > To: John Gardeniers <jgardeniers at objectmastery.com>, 
> > samba at lists.samba.org
> > Date: Wed, 09 Sep 2015 21:26:32 +1200
> > Subject: Re: [Samba] Bind flat file support
> > 
> > On Tue, 2015-09-08 at 08:02 +1000, John Gardeniers wrote:
> > > Is there any chance that support for Bind flat files will return? 
> > > 
> > 
> > Not really.  I expect it to be less supported as time goes on.
> 
> Well, I do hope that support for flat files isn't DROPPED eventually. My
> environment is apparently not complex enough for multi-DCs and I don't
> look forward to changing from flat files. I also had lots of problems
> trying to get DLZ to work, which is why I ultimately settled on flat
> files.

OK.

> > > I understand the various (extremely weak) arguments against it but
> > > DLZ not only sucks big time, it limits proper functionality and
> > > inter-operability, necessitating significant design changes for
> > > anything but the simplest of networks. Additionally, it doesn't work
> > > with the existing scripts many people use. I know that samba-tool can
> > > be used in scripts but due to its inadequate error checking it's
> > > incredibly easy to break the DNS.
> > 
> > I'm sorry to hear that.  Patches to improve it are most welcome - what
> > error checking is inadequate?
> > 
> > > There are very good reasons why nearly every admin I know prefers
> > > flat file. Ultimately, there is nothing easier than editing in text
> > > mode and on the extremely rare occasion that an error does creep in
> > > it's ultra easy to remedy.
> 
> Count me as one of those admins!
> 
> > 
> > The flat file backend cannot enforce AD ACLs on the modification of
> > DNS, which in turn makes multi-DC deployment a hack, at best.
> 
> Now I have questions ... why would AD ACL be needed on DNS? Don't get
> that. What do you mean by "the modification of DNS"?
> 
> Why would multi-DC deployment be a "hack"? Maybe the answer to the
> previous question will explain this.

We fill in a file with the principal names of the servers (DCs) that
should have extra privileges, and then expect bind to interpret that.

> With standard bind, any DNS client can get what it needs from the DNS
> server -- I don't see why ADs would be different. Even if one of the AD
> is also a slave DNS server. I don't see the problem. Of course, this may
> be because I've not tried multiple ADs. A brief explanation would help
> me understand.
> 
> > 
> > It also cannot replicate the DNS information in the directory, where
> > the DNS RPC server modifies it, and where Windows AD servers, which we
> > strive to interoperate with, store their data.
> 
> Cannot replicate the DNS in what directory?

I refer to the sam.ldb contents (the AD DC) as the directory, and in
this case DNS data is included in that.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
