[Samba] /etc/hosts and DHCP

Ross Boylan rossboylan at stanfordalumni.org
Fri Sep 25 21:44:45 UTC 2015

It's sounding as if maybe I should stick with some earlier server model
because the AD I participate in is not one I administer.  Even if I did, I
wouldn't want all the accounts on my local machine to be in the AD.

Is it technically possible for me to have a subdomain within the larger
one?  E.g., if the overall realm is ucsf.edu, I'd administer ross.ucsf.edu?

I have been looking for a way to centralize account management within my
linux machines, but doing so via AD sounds very indirect.

On Fri, Sep 25, 2015 at 9:18 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 25/09/15 17:05, Ross Boylan wrote:
>> On Fri, Sep 25, 2015 at 12:49 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>     On 24/09/15 22:08, Ross Boylan wrote:
>>         I am trying to follow the advice on
>>         https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server.
>>         Among other things, it says "Make sure that your /etc/hosts has a
>>         valid entry for resolving your hostname to its public IP (not!),
>>         when you join the domain:"
>>         But my machine is using DHCP and so I can't hard code this.
>>         What to do?
>>     Ignore the wiki and don't put anything in /etc/hosts, if (like on
>>     Ubuntu) you have pointing to your hostname, remove or comment out
>>     this line, but you really should give a member server a fixed IP
>>         I am using Debian's resolvconf and bind.  I suspect I'll need
>>         to use bind to manage things properly, but perhaps I could let
>>         samba do the name resolution.
>>     you need to use the internal DNS or bind DNS, you cannot use both.
>> Understood.  My meaning was using samba in place of bind.
>> Things are even messier, because the VM is relying on DNS from the
>> virtual network (libvirt's internal dnsmasq) at the moment.
>>         A possibly related issue is that the machine has 2 network
>>         interfaces, one for a private network and one for the public one
>>         that participates in the AD.  So there is not one right answer
>>         for the name -> IP resolution, though possibly the fully
>>         qualified domain name that goes with active directory could be
>>         reserved for the external IP.
>>     This could be interesting, how are you going to authenticate the
>>     private network users to a machine that is joined to a domain?
>> I don't follow.  The machine has Unix users and a mapping between AD
>> users and Unix users.  Are you saying I can't have both, and that my users
>> must come either from AD or from local sources, but not both?
> With samba3 you could have Unix users and Samba users which were synced
> together, if you set up Samba4 and join it to an AD domain, then all your
> user & group info is stored in AD, you cannot have a local Unix user on the
> AD joined machine with the same name as an AD user. This means that if you
> have a user in your private network called 'fred' and he connects to your
> AD member server (fileserver, client, call it what you will) and there is a
> user called 'fred' in AD, the user 'may' be able to connect, but not if
> either of the users was to change their password, because now the user
> wouldn't have the same password as the AD user 'fred'. I hope you get my
> drift, the whole idea behind AD is centralisation of authentication etc.
> Rowland
>>         I'm going on the assumption that "AD Member Server" is what I
>>         want, because I want to join the domain, use it for
>>         authentication, and serve files.
>>         Originally I thought "Member Server" meant I was publicly
>>         serving up members of the domain; that is not my intention.
>>     The term 'member server' is a bit of a misnomer, it really should
>>     be 'a Linux client that serves files', any Linux client is
>>     basically set up in the same way, what you do with it after, is
>>     what defines its role.
>> Thanks.  So it's a server that's a domain member, not a server that
>> serves member identities (which would make it a controller).
>> Ross
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
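Both the wiki text Ross quotes and Rowland's correction turn on what /etc/hosts says about the machine's own name: the one thing that must not happen is the hostname or FQDN resolving to a loopback address (the Ubuntu installer's 127.0.1.1 line), while a DHCP-assigned address cannot safely be hard-coded at all. The script below is an added example, not code from the thread or from the Samba project. It reads a hosts file, reports every address a given name maps to, warns on loopback mappings and tells you when the name is absent (so resolution will fall through to DNS). The sample hosts file it writes is constructed for demonstration; the hostnames and addresses in it are assumptions, not anyone's real configuration.

```shell
#!/bin/sh
# Added example: sanity-check /etc/hosts for an AD member server's own name.
# Not from the samba mailing list thread or the Samba project.

# hosts_lookup FILE NAME -> print every address FILE maps NAME to, one per line.
# Comments are stripped first; NAME may appear anywhere after the address.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) { print $1; break } }
    ' "$1"
}

# is_loopback ADDR -> true for 127.0.0.0/8 or ::1
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_hosts FILE NAME
#   returns 0: NAME maps only to non-loopback address(es) (printed to stdout)
#   returns 1: NAME maps to a loopback address (the line the wiki/Rowland
#              say to remove; a DHCP box usually has no safe static entry)
#   returns 2: NAME is not in FILE at all; resolution will come from DNS
check_hosts() {
    found=0
    bad=0
    for addr in $(hosts_lookup "$1" "$2"); do
        if is_loopback "$addr"; then
            bad=1
            echo "WARN: $2 -> $addr (loopback) in $1: remove or comment out this line" >&2
        else
            found=1
            echo "$2 -> $addr"
        fi
    done
    [ "$bad" -eq 1 ] && return 1
    [ "$found" -eq 1 ] && return 0
    echo "NOTE: $2 not in $1; resolution will come from DNS" >&2
    return 2
}

# write_sample_hosts FILE -> a constructed hosts file for demonstration only.
# "badhost" carries the Ubuntu-style 127.0.1.1 line; "myhost.ucsf.edu" has a
# fixed address on the AD-facing interface plus a separate private-network
# name, mirroring the two-interface setup in the thread. Addresses are made up.
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1     localhost
127.0.1.1     badhost.ucsf.edu badhost      # Ubuntu installer default
10.0.0.5      myhost.ucsf.edu myhost        # AD-facing interface, fixed IP
192.168.122.5 myhost-priv                   # private (libvirt) network side
::1           ip6-localhost ip6-loopback
EOF
}

# Stand-alone usage: ./hosts_check.sh /etc/hosts "$(hostname -f)"
if [ "$#" -eq 2 ]; then
    check_hosts "$1" "$2"
fi
```

Run it against the real file with `hostname -f` as the second argument; exit status 1 is the case to fix before `net ads join`, and exit status 2 is the expected state on a DHCP client that leaves the name to DNS, as Rowland suggests.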
