[Samba] Samba4 with external bind - best practices?

Elias Pereira empbilly at gmail.com
Thu Aug 4 19:34:11 UTC 2016


Guys,

In the clients' DNS settings, do I configure the Samba4 IP or the external DNS IP?

On Thu, Jul 28, 2016 at 5:57 AM, mathias dufresne <infractory at gmail.com> wrote:

> Here we (the DNS team of our company, not me ;) chose the zone type forward
> as it is the way DNS works (one resolver on the client system; this resolver
> will forward requests to other DNS servers to get answers) and also because
> that seemed to them the strongest against failure: there is no data stored
> on the client resolver, so there can't be corrupted data on this DNS server,
> whereas with masters/slaves the slaves have to wait for synchronization, they
> host data, and these data can be corrupted... in addition to the very same
> problems on any masters...
> And we can declare as many zones with type forward as we want, so it also
> works with multiple domains, AD or not.
>
> 2016-07-27 21:02 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>
> > Looking over this thread, it got me thinking of multiple domains and then
> > thinking maybe it would be better to set up the external DNS as a slave to
> > the AD domain?
> >
> > Then you could have it resolve from the external DNS for multiple AD
> > domains.
> >
> > On Wed, Jul 27, 2016 at 9:32 AM, Elias Pereira <empbilly at gmail.com>
> wrote:
> >
> > > I found this article about separating samba4 and bind:
> > >
> > > https://quercerjanath.wordpress.com/samba-active-directory-with-bind9-on-separate-machines-ubuntu-14-04/
> > >
> > > On 27/07/2016 9:39 AM, "mathias dufresne" <infractory at gmail.com>
> > > wrote:
> > >
> > > > 2016-07-26 13:16 GMT+02:00 Rowland penny <rpenny at samba.org>:
> > > >
> > > > > On 26/07/16 09:31, mathias dufresne wrote:
> > > > >
> > > > >> Hi Elias,
> > > > >>
> > > > >> Separating DNS and AD services:
> > > > >> It should be possible to have the AD DNS server hosted on a non-DC
> > > > >> server. The Samba Wiki explains we just have to include
> > > > >> "/var/lib/samba/private/named.conf" in the Bind configuration. This
> > > > >> library can be replaced by one of those shipped with Bind; this
> > > > >> library will need configuration so it can deal with remote DC(s).
> > > > >> Please note I never tried that, 'cause I'm a lazy guy, but that
> > > > >> should be possible: Bind+DLZ seems to me to be meant for that kind
> > > > >> of job.
> > > > >>
> > > > >> One (or more) non-DC DNS server dealing with AD DNS servers:
> > > > >> That is simpler to achieve:
> > > > >> - just configure the AD DNS service as you want (please note that a
> > > > >> few weeks ago Samba's internal DNS server was still not able to work
> > > > >> as multi-master, which is needed to avoid a SPOF in AD, so IMHO the
> > > > >> only valid DNS backend is bind+DLZ if you want high availability)
> > > > >> - add a new zone to your existing DNS server (the one which is not
> > > > >> an AD DC) like that one:
> > > > >>
> > > > >> ----------------------------------------------------------------------
> > > > >> zone "ad.domain.tld" IN {
> > > > >>    type forward;
> > > > >>    forward only;
> > > > >>    forwarders {
> > > > >>      <ip of 1st DC>;
> > > > >>      <ip of 2nd DC>;
> > > > >>      ....
> > > > >>      <ip of Nth DC>;
> > > > >>    };
> > > > >> };
> > > > >> ----------------------------------------------------------------------
> > > > >>
> > > > >> Restart your external non-DC Bind service and it should be able to
> > > > >> resolve one more zone: the one from your AD.
> > > > >> What is nice in that is you don't need to take into account the
> > > > >> _msdcs zone as it is a sub zone of "ad.domain.tld"; your external
> > > > >> Bind will also forward requests regarding _msdcs to AD servers.
> > > > >>
> > > > >> I have not played with that for a relatively long time and I'm just
> > > > >> coming back from vacation, so I'm not sure if you would need to allow
> > > > >> forwarding and recursion on that non-DC DNS server. It could be
> > > > >> necessary... Anyway, as this DNS should be meant to resolve Internet
> > > > >> addresses in addition to your local domain(s), recursion and
> > > > >> forwarding should be accepted already...
> > > > >>
> > > > >> Hoping this clarifies DNS management a little bit and that it helps
> > > > >> you,
> > > > >>
> > > > >> Mathias
> > > > >>
> > > > > The Samba wiki page:
> > > > >
> > > > > https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
> > > > >
> > > > > Has these lines:
> > > > >
> > > > >  * Since the BIND DLZ module accesses the AD database directly,
> > > > >    BIND for AD zones must be on the same machine.
> > > > >
> > > >
> > > > This, for me, means: "as long as we use the BIND DLZ module provided
> > > > by Samba, Bind must run on the same host as the Samba AD DC".
> > > > In other words, you should be able to move Bind to another host if, as
> > > > I said yesterday, you accept using the standard module (so not Samba's
> > > > Bind module) and configure it correctly. Of course this is more
> > > > complicated to achieve, especially compared to the forward zone I also
> > > > described yesterday.
> > > >
> > > >
> > > > >  * Because the BIND DLZ module uses the information already stored
> > > > >    in AD, you do not need to create any extra databases.
> > > > >
> > > > > Or to put it another way, if you want to use bind_dlz, you must run
> > > > > Bind9 on the DC and you do not need to create any zones (except the
> > > > > reverse zone, and you have to do this anyway)
> > > > >
> > > > > Rowland
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > >



-- 
Elias Pereira

