[Samba] Samba AD with multiple DC and multiple NICs

Stefano Vargiu vstefanoxx at gmail.com
Tue Oct 20 15:55:18 UTC 2020


Hello everyone,

can someone please tell me if the configuration previously shown is
eventually going to work?

Stefano

On Mon, 19 Oct 2020 at 18:56 Stefano Vargiu <
vstefanoxx at gmail.com> wrote:

> I add some additional information I didn't give in my previous email,
> specifically how I tried to force DC1 and DC2 to contact each other only
> with their VPN IPs.
> I did so using dnsmasq as a DNS proxy.
>
> # DC1 configuration
> IP NIC1: 172.16.0.2
> IP NIC2: 172.20.0.1
> IP VPN: 172.19.1.173
>
> ---
> /etc/resolv.conf:
> search domain.local
> domain domain.local
> nameserver 172.19.1.173
> ---
>
> I configured dnsmasq to listen on the VPN interface 172.19.1.173 (while
> samba listens on all other interfaces, 172.16.0.1, 172.20.0.1 and lo
> 127.0.0.1)
>
> ---
> /etc/dnsmasq.conf:
> listen-address=172.19.1.173
> server=127.0.0.1  (dnsmasq's dns forwarder: samba is listening on
> 127.0.0.1)
> host-record=DC2.domain.local,172.19.1.174
> host-record=domain.local,127.0.0.1
> ---
>
> In this way, any dns lookup to DC2.domain.local from DC1 gives me the VPN
> IP of DC2:
> $ dig +short DC2.domain.local
> 172.19.1.174
> ---
>
> All other DNS queries are forwarded by dnsmasq to 127.0.0.1, where the
> Samba's DNS server is listening.
>
> Same configuration in DC2, with dnsmasq that resolves DC1.domain.local to
> 172.19.1.173.
> I'm not sure if domain.local in DC2 should resolve to 127.0.0.1 or to
> 172.19.1.173: considering they are multi-master, for symmetry maybe better
> to use 127.0.0.1, even if in my first attempts I used the VPN IP of DC1.
>
> > DC is authoritative for the dns domain, this is called multi-master and
> > means that each DC is the dns master
> I know that. Maybe I didn't explain well what I was trying to achieve, but
> I already knew most of the information you gave me.
>
> The most important thing I didn't know was that multi-homed is strongly
> discouraged.
>
> Is such configuration with a dns proxy going to work?
> As I said, with it I was able to make kinit and the join work.
> Replication from DC2 to DC1 works, but doesn't work from DC1 to DC2.
>
> Should I keep trying it or is it a lost cause?
>
> On Mon, 19 Oct 2020 at 14:08 Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> On 19/10/2020 12:40, Stefano Vargiu via samba wrote:
>> > Hello everyone,
>> >
>> > I'm trying to add a second DC to a Samba 4 AD: they both have multiple
>> > NICs and for this reason cannot find a way to make it work.
>> > They communicate through VPN and both have one of the bound interfaces
>> > set to the same IP address, 172.20.0.1, which doesn't allow me to route
>> > to the correct DC, and that is only part of the problem.
>> >
>> > Here is the configuration:
>> > * DC1.domain.local
>> >    IP NIC1: 172.16.0.2
>> >    IP NIC2: 172.20.0.1
>> >    IP VPN: 172.19.1.173
>> >
>> > * DC2.domain.local
>> >    IP NIC1: 192.168.0.1
>> >    IP NIC2: 172.20.0.1
>> >    IP VPN: 172.19.1.174
>> >
>> I don't think you really understand dns and AD =-O
>>
>> You cannot have two computers with the same IP (how would DNS
>> differentiate between them), each DC is authoritative for the dns
>> domain, this is called multi-master and means that each DC is the dns
>> master. Each DC should use itself as its first nameserver and /etc/hosts
>> is only used by the DC itself. You seem to be trying to use what is
>> called multi-homed devices and this doesn't work very well (if at all)
>> with AD. You shouldn't be trying to point VPN at your DCs, VPN should
>> just use the DCs for authentication.
>>
>> I think you need to explain just what you are trying to achieve and how
>> you are doing it now.
>>
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
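An added example, my own code rather than anything posted in the thread: it models the two-layer resolution described above (dnsmasq host-record overrides answering first, everything else forwarded to Samba's DNS) with the addresses from the thread, and flags the ambiguity that having 172.20.0.1 bound on both DCs creates. It assumes Samba's DNS hands out every listed address of a DC as an A record; the function names are mine.

```python
# Added example, not code from the thread: a model of the two-layer name
# resolution the post describes, used to spot the ambiguity it runs into.
# ASSUMPTION: Samba's DNS returns every listed address of a DC as an A record.
from typing import Dict, List, Set

# Addresses from the thread's configuration listing (NIC1, NIC2, VPN).
DC_ADDRESSES: Dict[str, List[str]] = {
    "DC1.domain.local": ["172.16.0.2", "172.20.0.1", "172.19.1.173"],
    "DC2.domain.local": ["192.168.0.1", "172.20.0.1", "172.19.1.174"],
}

# dnsmasq host-record overrides on each DC, as described in the thread.
HOST_RECORDS: Dict[str, Dict[str, str]] = {
    "DC1.domain.local": {"DC2.domain.local": "172.19.1.174"},
    "DC2.domain.local": {"DC1.domain.local": "172.19.1.173"},
}

def shared_addresses() -> Set[str]:
    """Addresses bound on more than one DC: DNS cannot tell the hosts apart."""
    seen: Dict[str, int] = {}
    for addrs in DC_ADDRESSES.values():
        for ip in addrs:
            seen[ip] = seen.get(ip, 0) + 1
    return {ip for ip, n in seen.items() if n > 1}

def resolve(from_dc: str, name: str, use_proxy: bool) -> List[str]:
    """A records from_dc gets for name: with use_proxy, dnsmasq answers its
    host-record entries itself and forwards the rest to Samba's DNS."""
    if use_proxy and name in HOST_RECORDS.get(from_dc, {}):
        return [HOST_RECORDS[from_dc][name]]
    return list(DC_ADDRESSES.get(name, []))

def reachability_problems(from_dc: str, to_dc: str, use_proxy: bool) -> List[str]:
    """Reasons from_dc may fail to reach to_dc by name; empty means clean."""
    problems: List[str] = []
    answers = resolve(from_dc, to_dc, use_proxy)
    local = set(DC_ADDRESSES[from_dc])
    for ip in answers:
        if ip in local:  # from_dc would talk to itself instead of to_dc
            problems.append(f"{to_dc} -> {ip} is also bound on {from_dc}")
    if len(answers) > 1:  # the client picks one; nothing guarantees the VPN IP
        problems.append(f"{to_dc} has {len(answers)} A records; answer order decides")
    return problems

if __name__ == "__main__":
    print("shared:", shared_addresses())
    for proxy in (False, True):
        print("dnsmasq" if proxy else "samba only",
              reachability_problems("DC1.domain.local", "DC2.domain.local", proxy))
```

The model only covers name resolution; it says nothing about why replication works in one direction and not the other, which the thread leaves open.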