[Samba] Setting up new samba-ac-dc on Ubuntu 18.04 - KDC not FOUND

L.P.H. van Belle belle at bazuin.nl
Mon Aug 6 07:06:58 UTC 2018 

Hai, 


> Define *better*. 
> AFAICT, using Samba's internal DNS works fine with multple 
> DC's. But perhaps I've missed something.

Bind, its just more mature, much more flexible. 
For example, what i did here for our company network. The this setup. 
DC1=DNS1
DC2=DNS2

Proxy1/2=dns3/4 (caching and forwarding) and available for client in the network as a read only dns. ( can be slave zone also )
Mailrelay1 about the same a slave zone of my primary and caching setup but not available for client in the network, only running on localhost.
Can you create a "blacklist" zone in samba dns, maybe it can, mabye not, never looked that up if that exists/is possible with samba dns.
It can with bind. These things make me use bind dns. 

The dns on the proxy, has a forwaring zone to my internal side, and a forwaring for the external side.
And this in a caching setup, it offloads the DNS1/2, DNS1/2 dont support DNSSEC, the proxy DNS does. 
DC DNS does not support ipv6 requests, the proxy does. 

Try this with samba internal dns, you here is a bit you difference by example. 
Now, dont get me wrong, internal DNS is for most people sufficient, i just like to be flexible. 
Ok, and now, i must do some work first here. ;-) 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Gregory Sloop via samba
> Verzonden: maandag 6 augustus 2018 1:43
> Aan: Robert Steinmetz AIA via samba
> Onderwerp: Re: [Samba] Setting up new samba-ac-dc on Ubuntu 
> 18.04 - KDC not FOUND
> 
> 
> 
> RSAvs> Rowland Penny via samba wrote:
> >> If you are only going to have one DC, then the internal 
> DNS server is
> >> okay, it just doesn't work as well as Bind9. Once you have 
> more than
> >> one DC (which is the recommendation), then it is better to 
> use Bind9.
> 
> Define *better*. 
> AFAICT, using Samba's internal DNS works fine with multple 
> DC's. But perhaps I've missed something.
> 
> RSAvs> I have two other servers. Once the ad-cd server is up 
> the I plan to have
> RSAvs> the other servers moved to ad and act as alternate dcs
> >> Louis went down the same path as you, least amount of changes,
> RSAvs> Louis however also used Bind9 in his recent notes. I'm 
> somewhat 
> RSAvs> concerned that removing systemd-resolvd will create 
> other issues.
> >> You pays your money and makes your choices ;-)
> RSAvs> You still have to live with them later. B-)
> >> Rowland
> RSAvs> One question. Can I simply re-provision the server and 
> overwrite the 
> RSAvs> existing configuration if I decide to go to bind9?
> 
> Well, you won't be able to "reprovision" without destroying 
> your domain configuration and all the Kerberos trust 
> relationships between the Windows clients and the DC. But I 
> believe you can modify your samba config and change from 
> using internal DNS to BIND. [I'm not sure about re-creation 
> of all the DNS entries - that may be something you have to do 
> by hand.]
> 
> But IMO internal DNS works fine [at least if you don't need 
> to act as an auth dns zone for a zone outside of the dc's dns scope.]
> Disable systemd.resolvd and it works fine. [Or use Louis' 
> method - I'm pretty sure it works, but I had difficulty with 
> it and found it easier to simply nuke systemd.resolvd.]
> 
> 
> RSAvs> -- 
> RSAvs> Rob Steinmetz
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list