[Samba] Samba4 with external bind - best practices?

mathias dufresne infractory at gmail.com
Fri Aug 5 10:02:02 UTC 2016


You do what you want!

The point is the clients must resolve everything.

You have two options:
A - client resolver is a non-DC DNS server: here the non-DC DNS server must
be configured to forward DNS requests about AD to the AD DNS servers (to DCs)
B - client resolver is an AD DNS server: here the AD DNS server(s) used as
resolver(s) must be configured to forward any non-AD DNS request to the
non-DC DNS server.

Hoping this is clear enough...

Cheers,

mathias

2016-08-04 21:34 GMT+02:00 Elias Pereira <empbilly at gmail.com>:

> Guys,
>
> In the clients dns settings I configure the Samba4 or external DNS IP?
>
> On Thu, Jul 28, 2016 at 5:57 AM, mathias dufresne <infractory at gmail.com>
> wrote:
>
>> Here we (the DNS team of our company, not me ;) chose the zone type
>> forward as it is the way DNS works (one resolver on the client system, this
>> resolver will forward requests to other DNS servers to get answers) and
>> also because that seemed to them the strongest against failure: there is
>> no data stored on the client resolver, so there can't be corrupted data on
>> this DNS server, whereas with masters / slaves, slaves have to wait for
>> synchronization, they host data, and these data can be corrupted... in
>> addition to the very same problems on any masters...
>> And we can declare as many zones with type forward as we want, so it works
>> also with multiple domains, AD or not.
>>
>> 2016-07-27 21:02 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>>
>> > Looking over this thread it got me thinking of multiple domains and then
>> > thinking maybe it would be better to set up the external DNS as a slave
>> > to the AD domain?
>> >
>> > Then you could have it resolve from the external DNS for multiple AD
>> > domains.
>> >
>> > On Wed, Jul 27, 2016 at 9:32 AM, Elias Pereira <empbilly at gmail.com>
>> wrote:
>> >
>> > > I found this article about separate samba4 and bind.
>> > >
>> > >
>> > > https://quercerjanath.wordpress.com/samba-active-directory-with-bind9-on-separate-machines-ubuntu-14-04/
>> > >
>> > > On 27/07/2016 9:39 AM, "mathias dufresne" <infractory at gmail.com>
>> > > wrote:
>> > >
>> > > > 2016-07-26 13:16 GMT+02:00 Rowland penny <rpenny at samba.org>:
>> > > >
>> > > > > On 26/07/16 09:31, mathias dufresne wrote:
>> > > > >
>> > > > >> Hi Elias,
>> > > > >>
>> > > > >> Separating DNS and AD services:
>> > > > >> It should be possible to have the AD DNS server hosted on a non-DC
>> > > > >> server. The Samba Wiki explains we just have to include
>> > > > >> "/var/lib/samba/private/named.conf" in the Bind configuration. This
>> > > > >> library can be replaced by one of those shipped with Bind; this
>> > > > >> library will need configuration so it can deal with remote DC(s).
>> > > > >> Please note I never tried that, 'cause I'm a lazy guy, but that
>> > > > >> should be possible: Bind+DLZ seems to me to be meant for that kind
>> > > > >> of job.
>> > > > >>
>> > > > >> One (or more) non-DC DNS server dealing with AD DNS servers:
>> > > > >> That is simpler to achieve:
>> > > > >> - just configure the AD DNS service as you want (please note that a
>> > > > >> few weeks ago Samba's internal DNS server was still not able to work
>> > > > >> as multi-master, which is needed to avoid a SPOF in AD, so IMHO the
>> > > > >> only valid DNS backend is bind+DLZ if you want high availability)
>> > > > >> - add a new zone to your existing DNS server (the one which is not
>> > > > >> an AD DC) like that one:
>> > > > >>
>> > > > >>
>> > > > >> ------------------------------------------------------------------------------------------
>> > > > >> zone "ad.domain.tld" IN {
>> > > > >>    type forward;
>> > > > >>    forward only;
>> > > > >>    forwarders {
>> > > > >>      <ip of 1st DC>;
>> > > > >>      <ip of 2nd DC>;
>> > > > >>      ....
>> > > > >>      <ip of Nth DC>;
>> > > > >>    };
>> > > > >> };
>> > > > >>
>> > > > >>
>> > > > >> ------------------------------------------------------------------------------------------
>> > > > >> Restart your external non-DC Bind service and it should be able
>> > > > >> to resolve one more zone: the one from your AD.
>> > > > >> What is nice in that is you don't need to take into account the
>> > > > >> _msdcs zone: as it is a sub zone of "ad.domain.tld", your external
>> > > > >> Bind will also forward requests regarding _msdcs to the AD servers.
>> > > > >>
>> > > > >> I did not play with that for a relatively long time and I'm just
>> > > > >> coming back from vacations, so I'm not sure if you would need to
>> > > > >> allow forwarding and recursion on that non-DC DNS server. It could
>> > > > >> be necessary... Anyway, as this DNS should be meant to resolve
>> > > > >> Internet addresses in addition to your local domain(s), recursion
>> > > > >> and forwarding should be accepted already...
>> > > > >>
>> > > > >> Hoping this clarifies DNS management a little bit and that helps
>> > > > >> you,
>> > > > >>
>> > > > >> Mathias
>> > > > >>
>> > > > >>
>> > > > >>
>> > > > >>
>> > > > > The Samba wiki page:
>> > > > >
>> > > > > https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>> > > > >
>> > > > > Has these lines:
>> > > > >
>> > > > >  * Since the BIND DLZ module accesses the AD database directly,
>> > > > >    BIND for AD zones must be on the same machine.
>> > > > >
>> > > >
>> > > > This, for me, means: as long as we use the BIND DLZ module provided
>> > > > by Samba, Bind must run on the same host as the Samba AD DC.
>> > > > In other words, you should be able to move Bind to another host if,
>> > > > as I said yesterday, you accept using a standard module (so not
>> > > > Samba's Bind module) and configure it correctly. Of course this is
>> > > > more complicated to achieve, especially compared to the forward zone
>> > > > I described also yesterday.
>> > > >
>> > > >
>> > > > >  * Because the BIND DLZ module uses the information already
>> > > > >    stored in AD, you do not need to create any extra databases.
>> > > > >
>> > > > > Or to put it another way, if you want to use bind_dlz, you must
>> > > > > run Bind9 on the DC and you do not need to create any zones (except
>> > > > > the reverse zone, and you have to do this anyway)
>> > > > >
>> > > > > Rowland
>> > > > >
>> > > > > --
>> > > > > To unsubscribe from this list go to the following URL and read the
>> > > > > instructions:  https://lists.samba.org/mailman/options/samba
>> > > > >
>
>
>
> --
> Elias Pereira
>
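As an added example (not from the thread, Samba or BIND), a small Python checker for the option A setup described above: it parses a named.conf fragment like the quoted forward-zone stanza and reports the things a practitioner would want verified on the non-DC resolver. The DC addresses in the sample are constructed placeholders from the RFC 5737 documentation range.

```python
import re

# Constructed sample: the forward-zone stanza quoted in the thread, with
# placeholder DC addresses (192.0.2.0/24 is reserved for documentation).
SAMPLE_NAMED_CONF = """
zone "ad.domain.tld" IN {
   type forward;
   forward only;
   forwarders {
     192.0.2.10;
     192.0.2.11;
   };
};
"""

def zone_blocks(conf):
    """Yield (zone name, body) for each zone { ... } block, counting braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def check_ad_forward_zone(conf, ad_zone, min_forwarders=2):
    """Return a list of findings; an empty list means the stanza looks sound."""
    findings = []
    zones = dict(zone_blocks(conf))
    body = zones.get(ad_zone)
    if body is None:
        return ["no zone stanza for %s: AD names will not reach the DCs" % ad_zone]
    ztype = re.search(r"\btype\s+(\w+)\s*;", body)
    if not ztype or ztype.group(1) != "forward":
        findings.append("%s: type should be 'forward'" % ad_zone)
    # Without 'forward only' BIND defaults to 'forward first' and falls back
    # to its own recursion when the DCs do not answer.
    if not re.search(r"\bforward\s+only\s*;", body):
        findings.append("%s: 'forward only;' is missing" % ad_zone)
    fwd = re.search(r"forwarders\s*\{([^}]*)\}", body)
    ips = re.findall(r"[0-9a-fA-F.:]+", fwd.group(1)) if fwd else []
    if len(ips) < min_forwarders:
        findings.append("%s: only %d forwarder(s), a single DC is a SPOF" % (ad_zone, len(ips)))
    # _msdcs is a sub zone of the AD zone and is already covered by it.
    if "_msdcs." + ad_zone in zones:
        findings.append("_msdcs.%s: separate stanza is redundant" % ad_zone)
    return findings

if __name__ == "__main__":
    print(check_ad_forward_zone(SAMPLE_NAMED_CONF, "ad.domain.tld"))
```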

