[Samba] Setting up new samba-ac-dc on Ubuntu 18.04 - KDC not FOUND
L.P.H. van Belle
belle at bazuin.nl
Mon Aug 6 07:06:58 UTC 2018
Hai,
> Define *better*.
> AFAICT, using Samba's internal DNS works fine with multiple
> DCs. But perhaps I've missed something.
Bind, it's just more mature, much more flexible.
For example, this is what I did here for our company network. This is the setup:
DC1=DNS1
DC2=DNS2
Proxy1/2=DNS3/4 (caching and forwarding) and available for clients in the network as a read-only DNS (can be a slave zone also).
Mailrelay1 is about the same, a slave zone of my primary and a caching setup, but not available for clients in the network, only running on localhost.
Can you create a "blacklist" zone in Samba DNS? Maybe it can, maybe not; I never looked up whether that exists/is possible with Samba DNS.
It can with Bind. These things make me use Bind DNS.
The DNS on the proxy has a forwarding zone to my internal side, and a forwarding for the external side.
And this in a caching setup; it offloads DNS1/2. DNS1/2 don't support DNSSEC, the proxy DNS does.
DC DNS does not support IPv6 requests, the proxy does.
Try this with Samba internal DNS; here is a bit of the difference, by example.
Now, don't get me wrong, internal DNS is for most people sufficient, I just like to be flexible.
Ok, and now, I must do some work first here. ;-)
Greetz,
Louis
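As an added illustration (not part of Louis's mail), a BIND 9 named.conf fragment for the "proxy" DNS role described above: a caching, forwarding resolver for LAN clients that hands the AD zone to DC1/DC2, validates DNSSEC for the external side, answers over IPv6, and carries a response-policy "blacklist" zone. The domain name, addresses, networks and file paths are placeholders.

```conf
// Added example, not from the original mail. AD domain, DC addresses,
// client networks and zone file paths are assumed placeholders.
options {
    directory "/var/cache/bind";
    recursion yes;
    // only LAN clients may query and recurse; they get read-only answers
    allow-query     { 192.0.2.0/24; 2001:db8::/64; };
    allow-recursion { 192.0.2.0/24; 2001:db8::/64; };
    listen-on-v6 { any; };          // DC DNS has no IPv6 here, the proxy does
    dnssec-validation auto;         // validate the external side
    // external side: everything not matched by a zone below is forwarded
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
    // the "blacklist": names listed in the RPZ zone are rewritten/blocked
    response-policy { zone "blacklist.rpz"; };
};

// internal side: the AD zone is owned by DC1/DC2 (DNS1/DNS2), forward to them
zone "ad.example.internal" {
    type forward;
    forward only;
    forwarders { 192.0.2.11; 192.0.2.12; };
};
// The DC zone is unsigned; on BIND 9.13+ it can be excluded from validation:
//   validate-except { "ad.example.internal"; };   (inside options)

// Alternative for the same zone: a read-only slave copy pulled from the DCs
// (use instead of the forward zone above when a local copy is wanted).
// zone "ad.example.internal" {
//     type slave;
//     masters { 192.0.2.11; 192.0.2.12; };
//     file "slaves/ad.example.internal";
//     allow-update { none; };
// };

// the RPZ "blacklist" zone; clients never query it directly
zone "blacklist.rpz" {
    type master;
    file "/etc/bind/db.blacklist.rpz";
    allow-query    { none; };
    allow-transfer { none; };
};
// Sample RPZ records (constructed) in db.blacklist.rpz, after the SOA/NS:
//   bad.example.test       CNAME .     ; answer NXDOMAIN
//   *.bad.example.test     CNAME .     ; and all its subdomains
```

Check the result with `named-checkconf` and, after reload, `dig +dnssec` against the proxy for an external name and `dig` for a blacklisted one.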
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Gregory Sloop via samba
> Sent: Monday 6 August 2018 1:43
> To: Robert Steinmetz AIA via samba
> Subject: Re: [Samba] Setting up new samba-ac-dc on Ubuntu
> 18.04 - KDC not FOUND
>
>
>
> RSAvs> Rowland Penny via samba wrote:
> >> If you are only going to have one DC, then the internal
> DNS server is
> >> okay, it just doesn't work as well as Bind9. Once you have
> more than
> >> one DC (which is the recommendation), then it is better to
> use Bind9.
>
> Define *better*.
> AFAICT, using Samba's internal DNS works fine with multiple
> DCs. But perhaps I've missed something.
>
> RSAvs> I have two other servers. Once the ad-cd server is up
> the I plan to have
> RSAvs> the other servers moved to ad and act as alternate dcs
> >> Louis went down the same path as you, least amount of changes,
> RSAvs> Louis however also used Bind9 in his recent notes. I'm
> somewhat
> RSAvs> concerned that removing systemd-resolvd will create
> other issues.
> >> You pays your money and makes your choices ;-)
> RSAvs> You still have to live with them later. B-)
> >> Rowland
> RSAvs> One question. Can I simply re-provision the server and
> overwrite the
> RSAvs> existing configuration if I decide to go to bind9?
>
> Well, you won't be able to "reprovision" without destroying
> your domain configuration and all the Kerberos trust
> relationships between the Windows clients and the DC. But I
> believe you can modify your samba config and change from
> using internal DNS to BIND. [I'm not sure about re-creation
> of all the DNS entries - that may be something you have to do
> by hand.]
>
> But IMO internal DNS works fine [at least if you don't need
> to act as an auth dns zone for a zone outside of the dc's dns scope.]
> Disable systemd.resolvd and it works fine. [Or use Louis'
> method - I'm pretty sure it works, but I had difficulty with
> it and found it easier to simply nuke systemd.resolvd.]
>
>
> RSAvs> --
> RSAvs> Rob Steinmetz