[Samba] Samba4 with external bind - best practices?

Elias Pereira empbilly at gmail.com
Wed Jul 27 15:32:34 UTC 2016


I found this article about separating samba4 and bind.
https://quercerjanath.wordpress.com/samba-active-directory-with-bind9-on-separate-machines-ubuntu-14-04/

On 27/07/2016 9:39 AM, "mathias dufresne" <infractory at gmail.com> wrote:

> 2016-07-26 13:16 GMT+02:00 Rowland penny <rpenny at samba.org>:
>
> > On 26/07/16 09:31, mathias dufresne wrote:
> >
> >> Hi Elias,
> >>
> >> Separating DNS and AD services:
> >> It should be possible to have AD DNS server hosted on a non-DC server.
> >> Samba Wiki explains we just have to include
> >> "/var/lib/samba/private/named.conf" in Bind configuration. This library
> >> can be replaced by one of those shipped with Bind; this library will need
> >> configuration so it can deal with remote DC(s).
> >> Please note I never tried that, 'cause I'm a lazy guy, but that should be
> >> possible: Bind+DLZ seems to me to be meant for that kind of job.
> >>
> >> One (or more) non-DC DNS server dealing with AD DNS servers:
> >> That is more simple to achieve:
> >> - just configure AD DNS service as you want (please note that a few weeks ago
> >> Samba's internal DNS server was still not able to work as multi-master,
> >> which is needed to avoid SPOF in AD, so IMHO the only valid DNS backend is
> >> bind+DLZ if you want high availability)
> >> - add a new zone to your existing DNS server (the one which is not AD DC)
> >> like that one:
> >>
> >> ----------------------------------------------------------------------------------------------
> >> zone "ad.domain.tld" IN {
> >>    type forward;
> >>    forward only;
> >>    forwarders {
> >>      <ip of 1st DC>;
> >>      <ip of 2nd DC>;
> >>      ....
> >>      <ip of Nth DC>;
> >>    };
> >> };
> >>
> >> ----------------------------------------------------------------------------------------------
> >> Restart your external non-DC Bind service and it should be able to resolve
> >> one more zone: the one from your AD.
> >> What is nice in that is you don't need to take into account the _msdcs zone as
> >> it is a sub zone of "ad.domain.tld", your external Bind will also forward
> >> requests regarding _msdcs to AD servers.
> >>
> >> I did not play with that for a relatively long time and I'm just coming
> >> back from vacations, so I'm not sure if you would need to allow forwarding
> >> and recursion on that non-DC DNS server. It could be necessary... Anyway as
> >> this DNS should be meant to resolve Internet addresses in addition to your
> >> local domain(s), recursion and forwarding should be accepted already...
> >>
> >> Hoping this clarifies DNS management a little bit and that it helps you,
> >>
> >> Mathias
> >>
> > The Samba wiki page:
> > https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
> >
> > Has these lines:
> >
> >  * Since the BIND DLZ module accesses the AD database directly, BIND
> >    for AD zones must be on the same machine.
> >
>
> This, for me, means: as long as we use the BIND DLZ module provided by
> Samba, Bind must run on the same host as the Samba AD DC.
> In other words, you should be able to move Bind to another host if, as I
> said yesterday, you accept to use a standard module (so not Samba's Bind
> module) and configure it correctly. Of course this is more complicated to
> achieve, especially compared to the forward zone I also described
> yesterday.
>
> >  * Because the BIND DLZ module uses the information already stored in
> >    AD, you do not need to create any extra databases.
> >
> > Or to put it another way, if you want to use bind_dlz, you must run Bind9
> > on the DC and you do not need to create any zones (except the reverse zone
> > and you have to do this anyway)
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >

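An added example, not code from the thread or from Samba: a POSIX shell script that renders the forward-only stanza Mathias describes for the external non-DC BIND, then checks through that resolver that the AD SRV names a domain member needs, the _msdcs ones included, actually answer. The zone name, DC addresses and resolver address are placeholders supplied by the caller, and dig must be installed for the check.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Builds the forward-only
# zone for the external (non-DC) BIND and verifies AD SRV resolution through
# it. Zone, DC IPs and resolver IP are caller-supplied assumptions.

# render_forward_zone ZONE DC_IP... : print the named.conf stanza to stdout
render_forward_zone() {
    zone="$1"; shift
    [ "$#" -ge 1 ] || { echo "need at least one DC address" >&2; return 1; }
    printf 'zone "%s" IN {\n    type forward;\n    forward only;\n' "$zone"
    printf '    forwarders {\n'
    for dc in "$@"; do
        printf '        %s;\n' "$dc"
    done
    printf '    };\n};\n'
}

# srv_names ZONE : the SRV owner names a domain member looks up to locate a
# DC. The _msdcs names live under the AD zone, so the single forward stanza
# above covers them as well, which is the point made in the thread.
srv_names() {
    zone="$1"
    printf '%s\n' \
        "_ldap._tcp.$zone" \
        "_kerberos._tcp.$zone" \
        "_kerberos._udp.$zone" \
        "_kpasswd._tcp.$zone" \
        "_ldap._tcp.dc._msdcs.$zone" \
        "_ldap._tcp.pdc._msdcs.$zone"
}

# check_resolution RESOLVER_IP ZONE : query each SRV name through the external
# resolver; prints one line per name and returns 1 if any answer is empty
# (typically a forwarder that is unreachable or refuses the query).
check_resolution() {
    resolver="$1"; zone="$2"; rc=0
    for name in $(srv_names "$zone"); do
        if dig +short +time=2 +tries=1 @"$resolver" "$name" SRV | grep -q .; then
            echo "ok   $name"
        else
            echo "FAIL $name (no SRV answer via $resolver)"; rc=1
        fi
    done
    return "$rc"
}

# Usage (all values are placeholders):
#   render_forward_zone ad.domain.tld 192.0.2.10 192.0.2.11 > /etc/bind/ad-forward.conf
#   named-checkconf            # include the file from named.conf, then restart BIND
#   check_resolution 192.0.2.53 ad.domain.tld
```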
