[Samba] AD DC without integrated DNS

Magnus Holmgren holmgren at lysator.liu.se
Mon May 4 17:35:56 UTC 2020

Hi all,

(Samba 4.9.5-Debian (buster) with BIND 9.11.5.P4)

I'm wondering, is it really strictly necessary to use the built-in DNS backend 
or the BIND9 DLZ plugin, at least in a forest with no Windows Server DCs? The 
LDAP and Kerberos I can understand, but DNS is just a bunch of records, right? 
There are a number of records that need to be in place in order for clients to 
find the DCs and the DCs to find each other, but they rarely change, do they, 
unless you regularly add and remove DCs, or change their IP addresses, which 
seems to be a relatively involved procedure?

I can configure BIND9 with a normal dynamic zone, set tkey-gssapi-credential, 
tkey-domain, and tkey-gssapi-keytab (except this doesn't seem to work the way 
the manual says; named still only reads the system keytab, so I put the keytab 
from /var/lib/samba/bind-dns/dns.keytab there), along with the update-policy 
from /var/lib/samba/bind-dns/named.conf.update, and that kinda works; 
samba_dnsupdate can insert all the records from dns_update_cache, *except* the 
NS record for the _msdcs zone (since the aforementioned update-policy doesn't 
allow NS records), and if I set up that as a separate zone, samba_dnsupdate 
starts using a different ticket with a corresponding SPN, which is logical, 
but that one is not in the keytab, so I wonder how that works when using the 
BIND9_DLZ backend, which I thought samba_dnsupdate talked to in exactly the 
same way.
https://lists.samba.org/archive/samba/2016-March/198033.html discusses 
disabling DNS services altogether on a Samba DC, but that was in an 
environment with dozens of other DCs. I'm working at a small business and am 
hardly planning to join any Windows machines to this domain, except for one or 
two for the purpose of testing software that we can't install on multiple 
personal laptops (most of which were bought with Windows Home pre-installed), 
and which it would be kinda neat to be able to use centralized accounts to 
log on to. Other than that, the main goal is to implement Kerberos/GSSAPI 
authentication for services running on Debian (including one Samba file 
server), and setting up a Samba AD DC seemed easier than configuring and 
integrating OpenLDAP+Kerberos by hand (and choosing between MIT and Heimdal), 
but perhaps not more convenient for Windows users unless their computers are 
joined to the domain? Currently we're running DHCP on a pfSense firewall, 
dynamically updating a normal BIND9 zone, and I don't want to mess with that; 
making manual changes is much easier with a plain text zone file. I could make 
the AD domain a separate zone and keep it to a minimum. I have done this 
provisionally, and it works - SPNs can be anything and Linux machines with 
FQDNs outside the AD domain can still be joined to it with net ads join - but 
I'm still exploring my options.

So in summary, my questions are: Under these circumstances, if I manually add 
the required DNS records to the right zone (and disable the dnsupdate 
service), what works and what will break (besides joining new DCs, I guess)? 
Alternatively, is it possible to get GSS-TSIG updates working fully with a 
standard zone, or can it work well enough without _msdcs as a separate zone? 
Can I hack the dns_update_list?

The documentation talks a lot about special requirements and limitations when 
running Samba as an AD DC, but it doesn't go into much technical detail as to 
the reasons for those, and I guess it's because AD is complicated.

Magnus Holmgren        holmgren at lysator.liu.se (this is not my work email)
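As an added illustration of the "required DNS records" the post asks about (example code, not from the post or from Samba itself): a script that emits the standard DC-locator records for one DC in BIND zone-file syntax, and reports which of them a zone is missing. It assumes a single-domain forest whose DC is also a global catalog; the hostnames, GUIDs and addresses used in the test are constructed.

```python
# Owner-name templates AD clients query to find a DC, with the service port.
# {domain}/{forest} are the AD DNS names, {site} the AD site, {domainguid}
# the domain's objectGUID. Assumes the DC is also a global catalog (Samba's
# default), hence the gc/3268 entries.
SRV_TEMPLATES = [
    ("_ldap._tcp.{domain}", 389),
    ("_ldap._tcp.dc._msdcs.{domain}", 389),
    ("_ldap._tcp.pdc._msdcs.{domain}", 389),
    ("_ldap._tcp.gc._msdcs.{forest}", 3268),
    ("_ldap._tcp.{domainguid}.domains._msdcs.{forest}", 389),
    ("_ldap._tcp.{site}._sites.{domain}", 389),
    ("_ldap._tcp.{site}._sites.dc._msdcs.{domain}", 389),
    ("_ldap._tcp.{site}._sites.gc._msdcs.{forest}", 3268),
    ("_kerberos._tcp.{domain}", 88),
    ("_kerberos._udp.{domain}", 88),
    ("_kerberos._tcp.dc._msdcs.{domain}", 88),
    ("_kerberos._tcp.{site}._sites.{domain}", 88),
    ("_kerberos._tcp.{site}._sites.dc._msdcs.{domain}", 88),
    ("_kpasswd._tcp.{domain}", 464),
    ("_kpasswd._udp.{domain}", 464),
    ("_gc._tcp.{forest}", 3268),
    ("_gc._tcp.{site}._sites.{forest}", 3268),
]

def dc_locator_records(host, ip, domain, site, ntdsguid, domainguid, forest=None):
    """Return (owner, type, rdata) triples for one DC; owner names are absolute."""
    forest = forest or domain
    fqdn = f"{host}.{domain}."
    recs = [
        (fqdn, "A", ip),
        (f"gc._msdcs.{forest}.", "A", ip),
        (f"{ntdsguid}._msdcs.{forest}.", "CNAME", fqdn),  # used by replication partners
        (f"_msdcs.{forest}.", "NS", fqdn),  # the NS record the update-policy refused
    ]
    fmt = dict(domain=domain, forest=forest, site=site, domainguid=domainguid)
    for tmpl, port in SRV_TEMPLATES:
        recs.append((tmpl.format(**fmt) + ".", "SRV", f"0 100 {port} {fqdn}"))
    return recs

def zone_lines(records, ttl=900):
    """Render triples as BIND master-file lines ready to paste into the zone."""
    return [f"{name} {ttl} IN {rtype} {rdata}" for name, rtype, rdata in records]

def missing_records(expected, present):
    """Triples in `expected` absent from `present`, compared case-insensitively."""
    have = {(n.lower(), t.upper(), d.lower()) for n, t, d in present}
    return [r for r in expected if (r[0].lower(), r[1].upper(), r[2].lower()) not in have]
```

Feeding the output of `zone_lines` into the plain zone file, then running `missing_records` against what the server actually answers, gives a quick way to see which locator entries are still absent before disabling samba_dnsupdate.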
