[Samba] Samba4 DC with Secondary Questions

Nowell Morris nowell29 at gmail.com
Wed Jun 7 17:29:12 UTC 2017


Hello all.

I am currently working on setting up an S4 domain to replace our aging samba 3
setup.  We have found many answers on the net, in various documentation,
but when it comes to setting up beyond one node the documentation becomes a
little thinner.

We are setting up a Primary DC with AD, using BIND9_DLZ, also serving dhcp
from Primary, and we want to set up a Secondary that is both a
DNS (bind9_dlz) slave, a kerberos slave, and AD secondary. Our Secondary
will be our file server, and perhaps a third "member" as our cups server.
We run no Windows in house, except on the desktop, hence the desire for a
domain.  We have been using samba 3 with openldap for some years now and
successfully sync with Google Apps for our mail.

My examples of hostnames in here and related are in my sandbox, so they are
fun names :)

On to the questions.  I cannot seem to find a good answer to these.

First, When doing a join of the Secondary to the domain created by the
Primary, (using this command):

samba-tool domain join hobbiton.shire.middleearth DC \
    -U"HOBBITON\Administrator" --dns-backend=BIND9_DLZ \
    --server bagend.shire.middleearth

does this type of join command automatically create this Secondary as a
kerberos slave?  The reason I want a slave is so that I have some
redundancy in the network, where Primary (bagend) lives on one VM
hypervisor, and Secondary (bywater) lives on a different VM hypervisor.
If this does not automatically create Secondary/bywater as a kerberos
slave, are there any gotchas I need to watch out for when I manually add
this secondary as a kerberos slave?  Will doing so automatically update the
domain?

I wondered, since during the samba install through apt dpkg prompts for the
kerberos realm, admin server, and a 'space separated list' of kerberos
servers: should I have designated during install that this would become a
slave?  I know you guys are samba and not ubuntu support ;)  But I could
not find anywhere on the net an example of anybody using more than just
their kdc for this entry.

I have a lot of linux experience, but my AD knowledge is thin and mostly
from a client perspective.

Second big question: when you join (as in the above example) and the Secondary
becomes a domain secondary DC, how should I most appropriately update the
bind zone files to designate that this secondary is also an NS name server?
Or should I at all?

I wasn't sure, so what I did do was extend my zone file by adding this as a
second NS like this:

$ORIGIN shire.middleearth.
$TTL 86400      ; 1 day

@                       IN      SOA     bagend.shire.middleearth. root.bagend.shire.middleearth. (
                                1706031458 ; serial YYMMDDHHmm
                                5400       ; refresh (1 hour 30 minutes)
                                1800       ; retry (30 minutes)
                                1814400    ; expire (3 weeks)
                                14400      ; minimum (4 hours)
                                )

; name server NS records and following A records
                        IN      NS      bagend.shire.middleearth.
                        IN      NS      bywater.shire.middleearth.

bagend.shire.middleearth.       IN      A       192.168.222.10
bywater.shire.middleearth.      IN      A       192.168.222.11


Did I do this correctly? Should I have left it alone? Thoughts?  We will be
using bind intentionally because we have about a dozen subnets in
production that rely on existing DNS and future DNS entries.  Resolution
does work with this currently set as is, but I am asking if this is best
practice.  I would rather not be bitten in the future because I did something
unwise now.

Thanks all!


--
Nowell Morris
nowell29 at gmail.com
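Editor's note (not part of the original post): a Samba AD DC is not a Kerberos "slave" in the MIT/Heimdal sense. Every AD DC runs its own KDC against the multi-master replicated directory, and with the BIND9_DLZ backend the domain zone lives inside AD rather than in a flat zone file, so the join (and samba_dnsupdate on the new DC) is what publishes the new DC's NS, A and SRV records. The useful check after a join is therefore whether the secondary is actually published as NS and as a Kerberos/LDAP SRV target. The script below is an added example, not code from the post or from Samba: it parses dig-style answer lines and reports, per DC, which of the records AD clients rely on are missing. The record set is constructed for the example (it deliberately leaves bywater out of `_kerberos._tcp` so the gap is visible); the hostnames are the sandbox names from the post.

```python
"""Audit that every Samba AD DC is published in DNS as NS and as a
Kerberos/LDAP SRV target.  Added example; record data is constructed."""
import re
from collections import defaultdict

# Constructed dig-style output, as you would get from e.g.
#   dig @bagend.shire.middleearth shire.middleearth NS
#   dig @bagend.shire.middleearth _kerberos._tcp.shire.middleearth SRV
# bywater is deliberately missing its _kerberos._tcp SRV record.
SAMPLE_DIG = """
shire.middleearth.                 86400 IN NS   bagend.shire.middleearth.
shire.middleearth.                 86400 IN NS   bywater.shire.middleearth.
_msdcs.shire.middleearth.          86400 IN NS   bagend.shire.middleearth.
_msdcs.shire.middleearth.          86400 IN NS   bywater.shire.middleearth.
_kerberos._tcp.shire.middleearth.  900   IN SRV  0 100 88  bagend.shire.middleearth.
_ldap._tcp.shire.middleearth.      900   IN SRV  0 100 389 bagend.shire.middleearth.
_ldap._tcp.shire.middleearth.      900   IN SRV  0 100 389 bywater.shire.middleearth.
_kpasswd._tcp.shire.middleearth.   900   IN SRV  0 100 464 bagend.shire.middleearth.
_kpasswd._tcp.shire.middleearth.   900   IN SRV  0 100 464 bywater.shire.middleearth.
bagend.shire.middleearth.          900   IN A    192.168.222.10
bywater.shire.middleearth.         900   IN A    192.168.222.11
"""

# owner  ttl  IN  type  rdata   (only the types this audit cares about)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|SRV|A)\s+(.+)$")


def parse_records(text):
    """Return a list of (owner, rrtype, rdata) from dig-style answer lines."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2), m.group(3).strip()))
    return records


def _fqdn(name):
    return name.lower().rstrip(".") + "."


def _srv_target(rdata):
    # SRV rdata is: priority weight port target
    return _fqdn(rdata.split()[3])


def audit_dcs(records, domain, dcs):
    """For each DC (FQDN), list the records an AD client expects but that
    are not published for it.  Empty list means the DC is fully published."""
    domain = _fqdn(domain)
    wanted = {
        ("NS", domain),                       # zone delegation
        ("NS", "_msdcs." + domain),           # AD locator subzone
        ("SRV", "_kerberos._tcp." + domain),  # KDC discovery (port 88)
        ("SRV", "_kpasswd._tcp." + domain),   # password changes (port 464)
        ("SRV", "_ldap._tcp." + domain),      # LDAP / DC locator (port 389)
    }
    published = defaultdict(set)  # dc fqdn -> {(rrtype, owner)}
    has_address = set()
    for owner, rrtype, rdata in records:
        if rrtype == "NS":
            published[_fqdn(rdata)].add(("NS", owner))
        elif rrtype == "SRV":
            published[_srv_target(rdata)].add(("SRV", owner))
        elif rrtype == "A":
            has_address.add(owner)

    report = {}
    for dc in dcs:
        fqdn = _fqdn(dc)
        missing = {f"{t} {o}" for (t, o) in wanted - published[fqdn]}
        if fqdn not in has_address:
            missing.add(f"A {fqdn}")  # NS/SRV targets need an address record
        report[fqdn] = sorted(missing)
    return report


if __name__ == "__main__":
    result = audit_dcs(parse_records(SAMPLE_DIG), "shire.middleearth",
                       ["bagend.shire.middleearth", "bywater.shire.middleearth"])
    for dc, missing in result.items():
        print(dc, "OK" if not missing else "missing: " + ", ".join(missing))
```

Feed it real output by replacing `SAMPLE_DIG` with the concatenated answers of `dig` against each DC in turn; if the two DCs disagree, replication or the DLZ module on one of them is the thing to look at. When a record really is absent, add it with `samba-tool dns add` against the AD-hosted zone rather than in a flat BIND zone file, since with BIND9_DLZ the flat file is not what BIND serves for the domain.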