[Samba] Samba4 with external bind - best practices?
Elias Pereira
empbilly at gmail.com
Fri Aug 5 16:07:22 UTC 2016
mathias, I believe I get it. :D
The "A" option can be "resolved" with the inclusion of the zone that you
suggested to me, right?
> zone "ad.domain.tld" IN {
> type forward;
> forward only;
> forwarders {
> <ip of 1st DC>;
> <ip of 2nd DC>;
> ....
> <ip of Nth DC>;
> };
> };
And for the "B" option, do I set up on the "DNS DC" each zone that belongs to the
"DNS non-DC"?
E.g:
> zone "domain.tld" {
> type forward;
> forward only;
> forwarders {
> <ip of DNS non-DC>;
> };
> };
Will the reverse zones also be this way?
E.g:
> zone "0.168.192.in-addr.arpa" {
> type forward;
> forward only;
> forwarders {
> <ip of DNS non-DC>;
> };
> };
Sorry for so many questions, but maybe this will help others who are having
the same doubts. Thanks again!
On Fri, Aug 5, 2016 at 7:02 AM, mathias dufresne <infractory at gmail.com>
wrote:
> You do what you want!
>
> The point is the clients must resolve everything.
>
> You have two options:
> A - client resolver is non-DC DNS server: here the non-DC DNS server must
> be configured to forward DNS requests about AD to AD DNS servers (to DCs)
> B - client resolver is AD DNS server: here AD DNS server(s) used as
> resolver(s) must be configured to forward any non-AD DNS request to non-DC
> DNS server.
>
> Hoping this is clear enough...
>
> Cheers,
>
> mathias
>
> 2016-08-04 21:34 GMT+02:00 Elias Pereira <empbilly at gmail.com>:
>
>> Guys,
>>
>> In the clients' DNS settings, do I configure the Samba4 or the external DNS IP?
>>
>> On Thu, Jul 28, 2016 at 5:57 AM, mathias dufresne <infractory at gmail.com>
>> wrote:
>>
>>> Here we (the DNS team of our company, not me ;) chose the zone type forward
>>> as it is the way DNS works (one resolver on the client system, this resolver
>>> will forward requests to other DNS servers to get answers) and also because
>>> that seemed to them the strongest against failure: there is no data stored
>>> on the client resolver, there can't be corrupted data on this DNS server,
>>> while with masters / slaves, slaves have to wait for synchronization, they
>>> host data, these data can be corrupted... in addition to the very same
>>> problems on any masters...
>>> And we can declare as many zones with type forward as we want, so it works
>>> also with multiple domains, AD or not.
>>>
>>> 2016-07-27 21:02 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>>>
>>> > Looking over this thread it got me thinking of multiple domains and then
>>> > thinking maybe it would be better to set up the external DNS as a slave to
>>> > the AD domain?
>>> >
>>> > Then you could have it resolve from the external DNS for multiple AD
>>> > domains.
>>> >
>>> > On Wed, Jul 27, 2016 at 9:32 AM, Elias Pereira <empbilly at gmail.com>
>>> wrote:
>>> >
>>> > > I found this article about separating samba4 and bind.
>>> > >
>>> > > https://quercerjanath.wordpress.com/samba-active-directory-with-bind9-on-separate-machines-ubuntu-14-04/
>>> > >
>>> > > On 27/07/2016 9:39 AM, "mathias dufresne" <infractory at gmail.com> wrote:
>>> > >
>>> > > > 2016-07-26 13:16 GMT+02:00 Rowland penny <rpenny at samba.org>:
>>> > > >
>>> > > > > On 26/07/16 09:31, mathias dufresne wrote:
>>> > > > >
>>> > > > >> Hi Elias,
>>> > > > >>
>>> > > > >> Separating DNS and AD services:
>>> > > > >> It should be possible to have the AD DNS server hosted on a non-DC server.
>>> > > > >> The Samba Wiki explains we just have to include
>>> > > > >> "/var/lib/samba/private/named.conf" in the Bind configuration. This library
>>> > > > >> can be replaced by one of those shipped with Bind; this library will need
>>> > > > >> configuration so it can deal with remote DC(s).
>>> > > > >> Please note I never tried that, 'cause I'm a lazy guy, but that should be
>>> > > > >> possible: Bind+DLZ seems to me to be meant for that kind of job.
>>> > > > >>
>>> > > > >> One (or more) non-DC DNS server dealing with AD DNS servers:
>>> > > > >> That is simpler to achieve:
>>> > > > >> - just configure the AD DNS service as you want (please note that a few
>>> > > > >> weeks ago Samba's internal DNS server was still not able to work as
>>> > > > >> multi-master, which is needed to avoid a SPOF in AD, so IMHO the only valid
>>> > > > >> DNS backend is bind+DLZ if you want high availability)
>>> > > > >> - add a new zone to your existing DNS server (the one which is not an AD
>>> > > > >> DC) like that one:
>>> > > > >>
>>> > > > >> ------------------------------------------------------------------------------------------------
>>> > > > >> zone "ad.domain.tld" IN {
>>> > > > >> type forward;
>>> > > > >> forward only;
>>> > > > >> forwarders {
>>> > > > >> <ip of 1st DC>;
>>> > > > >> <ip of 2nd DC>;
>>> > > > >> ....
>>> > > > >> <ip of Nth DC>;
>>> > > > >> };
>>> > > > >> };
>>> > > > >> ------------------------------------------------------------------------------------------------
>>> > > > >> Restart your external non-DC Bind service and it should be able to resolve
>>> > > > >> one more zone: the one from your AD.
>>> > > > >> What is nice in that is you don't need to take into account the _msdcs zone:
>>> > > > >> as it is a sub zone of "ad.domain.tld", your external Bind will also forward
>>> > > > >> requests regarding _msdcs to AD servers.
>>> > > > >>
>>> > > > >> I did not play with that for a relatively long time and I'm just coming
>>> > > > >> back from vacation, so I'm not sure if you would need to allow forwarding
>>> > > > >> and recursion on that non-DC DNS server. It could be necessary... Anyway,
>>> > > > >> as this DNS should be meant to resolve Internet addresses in addition to
>>> > > > >> your local domain(s), recursion and forwarding should be accepted already...
>>> > > > >>
>>> > > > >> Hoping this clarifies DNS management a little bit and that it helps you,
>>> > > > >>
>>> > > > >> Mathias
>>> > > > >>
>>> > > > > The Samba wiki page:
>>> > > > >
>>> > > > > https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>>> > > > >
>>> > > > > Has these lines:
>>> > > > >
>>> > > > > * Since the BIND DLZ module accesses the AD database directly, BIND
>>> > > > > for AD zones must be on the same machine.
>>> > > > >
>>> > > >
>>> > > > This, for me, means: "as long as we use the BIND DLZ module provided by
>>> > > > Samba, Bind must run on the same host as the Samba AD DC".
>>> > > > In other words, you should be able to move Bind to another host if, as I
>>> > > > said yesterday, you accept to use a standard module (so not Samba's Bind
>>> > > > module) and configure it correctly. Of course this is more complicated to
>>> > > > achieve, especially compared to the forward zone I also described
>>> > > > yesterday.
>>> > > >
>>> > > >
>>> > > > > * Because the BIND DLZ module uses the information already stored in
>>> > > > > AD, you do not need to create any extra databases.
>>> > > > >
>>> > > > > Or to put it another way, if you want to use bind_dlz, you must run Bind9
>>> > > > > on the DC and you do not need to create any zones (except the reverse
>>> > > > > zone and you have to do this anyway)
>>> > > > >
>>> > > > > Rowland
>>> > > > >
>>> > > > > --
>>> > > > > To unsubscribe from this list go to the following URL and read the
>>> > > > > instructions: https://lists.samba.org/mailman/options/samba
>>> > > > >
--
Elias Pereira
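The two layouts the thread converges on, as an added example that is not code from the thread, from Samba or from BIND: option A on the non-DC resolver (a single forward zone for "ad.domain.tld", which also covers the _msdcs sub-zone, as mathias notes), option B on the DC-side BIND (the non-AD zones and reverse zones, plus a catch-all, forwarded to the non-DC server), and a walk of a query name through the layout that shows where each query is finally answered and catches the forwarding loop you get when a forward zone is given the parent name instead of the AD sub-zone. The host names and addresses (dc1, dc2, ns-ext, 10.0.0.x) and the `DnsServer` model are constructed for this example.

```python
"""Added example: model the BIND forwarding layouts discussed in this thread.

Option A: the non-DC resolver forwards the AD zone (and so its _msdcs
sub-zone) to the DCs.  Option B: BIND on the DCs forwards non-AD zones to the
non-DC server.  Layering both is fine, but a mistyped zone name turns it into
a forwarding loop, so the model walks a query through the layout and reports
how it ends.  All host names and addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DnsServer:
    name: str
    address: str
    authoritative: set = field(default_factory=set)  # zones held locally
    forward: dict = field(default_factory=dict)      # zone -> list of forwarder IPs


def forward_zone_stanza(zone, forwarders):
    """Render a 'type forward; forward only;' zone stanza for named.conf.
    Forwarders must be IP addresses, so anything else raises ValueError."""
    if not forwarders:
        raise ValueError("zone %s: at least one forwarder is required" % zone)
    addrs = [str(ipaddress.ip_address(f)) for f in forwarders]
    lines = ['zone "%s" IN {' % zone.rstrip("."), "    type forward;",
             "    forward only;", "    forwarders {"]
    lines += ["        %s;" % a for a in addrs]
    lines += ["    };", "};"]
    return "\n".join(lines) + "\n"


def longest_matching_zone(qname, zones):
    """The configured zone that owns qname (longest suffix wins), or None when
    nothing matches and the server would recurse on its own."""
    q = qname.rstrip(".").lower()
    best, best_len = None, -1
    for zone in zones:
        z = zone.rstrip(".").lower()
        # "." in the config stands for a catch-all forwarder (options { forwarders })
        if (z == "" or q == z or q.endswith("." + z)) and len(z) > best_len:
            best, best_len = zone, len(z)
    return best


def resolve_path(qname, start, servers, max_hops=8):
    """Follow 'forward only' hops for qname from `start`.  Returns (outcome, path)
    with outcome 'authoritative', 'recursion', 'external' or 'loop'."""
    by_addr = {s.address: s for s in servers}
    current, path, seen = start, [start.name], {start.address}
    for _ in range(max_hops):
        zone = longest_matching_zone(qname, set(current.authoritative) | set(current.forward))
        if zone is None:
            return "recursion", path          # no zone: the server recurses itself
        if zone in current.authoritative:
            return "authoritative", path      # answered from local zone data
        next_addr = current.forward[zone][0]  # first forwarder; the rest are fallbacks
        nxt = by_addr.get(next_addr)
        if nxt is None:
            return "external", path + [next_addr]
        if nxt.address in seen:
            return "loop", path + [nxt.name]  # bounced back to a visited server
        seen.add(nxt.address)
        path.append(nxt.name)
        current = nxt
    return "loop", path


def thread_layout():
    """Option A on ns-ext, option B on both DCs (constructed addresses)."""
    dc_ips, ext_ip = ["10.0.0.11", "10.0.0.12"], "10.0.0.53"
    ad_zones = {"ad.domain.tld", "_msdcs.ad.domain.tld"}
    ext_zones = {"domain.tld", "0.168.192.in-addr.arpa"}
    dc_forward = {z: [ext_ip] for z in ext_zones}
    dc_forward["."] = [ext_ip]  # everything else (Internet names) goes to ns-ext too
    dcs = [DnsServer("dc%d" % (i + 1), ip, set(ad_zones), dict(dc_forward))
           for i, ip in enumerate(dc_ips)]
    ext = DnsServer("ns-ext", ext_ip, set(ext_zones), {"ad.domain.tld": dc_ips})
    return dcs + [ext]


def looping_layout():
    """Same layout, but ns-ext forwards the parent 'domain.tld' instead of the
    AD sub-zone: each side now hands that name back to the other."""
    servers = thread_layout()
    ext = servers[-1]
    ext.authoritative = {"0.168.192.in-addr.arpa"}
    ext.forward = {"domain.tld": ["10.0.0.11"]}
    return servers


if __name__ == "__main__":
    servers = thread_layout()
    by_name = {s.name: s for s in servers}
    print(forward_zone_stanza("ad.domain.tld", ["10.0.0.11", "10.0.0.12"]))
    for q, start in [("_ldap._tcp.dc._msdcs.ad.domain.tld", "ns-ext"),
                     ("www.domain.tld", "dc1"), ("10.0.168.192.in-addr.arpa", "dc1"),
                     ("www.example.com", "dc1")]:
        print(q, "from", start, "->", resolve_path(q, by_name[start], servers))
    bad = looping_layout()
    print("misconfigured:", resolve_path("www.domain.tld", bad[0], bad))
```

Two things the walk makes visible that the stanzas alone do not: an Internet name sent to a DC ends as "recursion" on ns-ext, which is why mathias's caveat about recursion being allowed on the non-DC server matters, and the mistyped layout returns "loop" for "www.domain.tld" after dc1 -> ns-ext -> dc1, which in a real deployment shows up as SERVFAIL for every name in that zone.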