[Samba] Bind flat file support
abartlet at samba.org
Thu Sep 10 00:43:00 UTC 2015
On Wed, 2015-09-09 at 14:12 -0400, Mark Foley wrote:
> I've been following this thread with interest as I have deployed
> Samba4 AD/DC
> with flat files and have had no problems, albeit in a non-multi-DC
> Additional comments and some questions interspersed below ...
> -----Original Message-----
> > From: Andrew Bartlett <abartlet at samba.org>
> > To: John Gardeniers <jgardeniers at objectmastery.com>,
> > samba at lists.samba.org
> > Date: Wed, 09 Sep 2015 21:26:32 +1200
> > Subject: Re: [Samba] Bind flat file support
> > On Tue, 2015-09-08 at 08:02 +1000, John Gardeniers wrote:
> > > Is there any chance that support for Bind flat files will return?
> > >
> > Not really. I expect it to be less supported as time goes on.
> Well, I do hope that support for flat files isn't DROPPED eventually.
> environment is apparently not complex enough for multi-DCs and I
> don't look
> forward to changing from flat files. I also had lots of problems
> trying to get
> DLZ to work, which is why I untimately settled on flat files.
> > > I
> > > understand the various (extremely weak) arguments against it but
> > > DLZ
> > > not
> > > only sucks big time, it limits proper functionality and
> > > inter-operability, necessitating significant design changes for
> > > anything
> > > but the simplest of networks. Additionally, it doesn't work with
> > > the
> > > existing scripts many people use. I know that samba-tool can be
> > > used
> > > in
> > > scripts but due to its inadequate error checking it's incredibly
> > > easy
> > > to
> > > break the DNS.
> > I'm sorry to hear that. Patches to improve it are most welcome -
> > what
> > error checking is inadequate?
> > > There are very good reasons why nearly every admin I know prefers
> > > flat
> > > file. Ultimately, there is nothing easier than editing in text
> > > mode
> > > and
> > > on the extremely rare occasion that an error does creep in it's
> > > ultra
> > > easy to remedy.
> Count me as one of those admins!
> > The flat file backend cannot enforce AD ACLs on the modification of
> > DNS, which in turn makes multi-DC deployment a hack, at best.
> Now I have questions ... why would AD ACL be needed on DNS? Don't get
> that. What
> do you mean by "the modification of DNS"?
> Why would multi-DC deployment be a "hack"? Maybe the answer to the
> question will explain this.
We fill in a file with the principal names of the servers (DCs) that
should have extra privileges, and then expect bind to interpret that.
> With standard bind, any DNS client can get what it needs from the DNS
> server --
> I don't see why ADs would be different. Even if one of the AD is also
> a slave
> DNS server. I don't see the problem. Of course, this may be because
> not tried multiple ADs. A brief explanation would help me understand.
> > It also cannot replicate the DNS information in the directory,
> > where
> > the DNS RPC server modifies it, and where Windows AD servers, which
> > we
> > strive to interoperate with, store their data.
> Cannot replicate the DNS in what directory?
I refer to the sam.ldb contents (the AD DC) as the directory, and in
this case DNS data is included in that.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
More information about the samba