[Samba] accidentally upgraded DC to 4.17.3 ... didn't work

Michael Tokarev mjt at tls.msk.ru
Thu Dec 1 14:31:14 UTC 2022


01.12.2022 17:12, Rowland Penny via samba wrote:
> On 01/12/2022 14:01, Michael Tokarev via samba wrote:
> 
>> I think this is a bit wrong view, and it *is* a way for a disaster you describe
>> in your other email.
> 
> No it isn't, I have been doing this for years on Samba AD DC's.

"I've been smoking at a gas station for years, there was no single issue,
it is not dangerous."  This is something they refer to as a "mistake of the
survived".

>> When you keep systemd-resolved running, when *some* parts of the system (the
>> ones which use their own resolver lib talking directly to systemd-resolved)
>> will ask it for the DNS resolution, and the other parts will ask whatever
>> resolver is configured in /etc/resolv.conf.  *This* is a way to disaster,
>> to debugging which names resolve to which addresses in which services.
> 
> Nothing should be asking systemd-resolved for anything, its only job (just like resolvconf) should be to update /etc/resolv.conf, everything else 
> should check /etc/resolv.conf for what nameserver to use.

systemd-resolved exposes its own API over dbus, which is different
from using /etc/resolv.conf.  So anything using this API *will* use
systemd-resolved if it is running.

E.g., https://news.ycombinator.com/item?id=14655444

The job of systemd-resolved is to *resolve* names. It is a nameserver
(caching nameserver, caching stub resolver, whatever).

And its job is *not* to update /etc/resolv.conf; this is just not
true.  It does not touch /etc/resolv.conf, it maintains
/run/systemd/resolved/resolv.conf and a few other files in there, which you, as
a system admin, can point to from /etc/resolv.conf.

>> When you turn systemd-resolved off, stuff will query nameservers from
>> /etc/resolv.conf only, and things will be at least consistent within the
>> same host.
> 
> Exactly, as it should be on a Samba AD DC.
> 
>>
>> Whether the samba resolver or DNS should be used at all is another question,
>> and here, it looks like we have entirely different opinions with Rowland.
>> Samba resolvers have many limitations which don't exist in systemd-resolved
>> (e.g., for stuff like dynamic addresses on a laptop, different networks etc).
> 
> If you run a Samba AD DC on a laptop, or move it around, then you are asking for trouble. I was talking about something that will not move.

It's quite common to run, e.g., some virtual machine on a (moving!) laptop, for
which samba on the laptop itself will act as a domain controller or whatever.
This configuration has to work in the changing environment. And it actually
works quite well if everything is set up correctly.

>> But this is a different topic. The main thing I wanted to point out is
>> consistency (or lack thereof) when using multiple services, exactly like
>> you already noticed with the logging and systemd-resolved.  So far,
>> systemd-resolved is not mandatory and /etc/resolv.conf works still.
> 
> This is Linux and very little should be mandatory, if you want mandatory, go and run Windows.

Well, systemd-journald *is* de-facto mandatory with systemd, since many of
its own services perform only one way of logging.

If you don't like mandatory, don't use linux (at least with systemd).

(I'm fine with journald and with resolved and with linux in general,
fwiw)

/mjt
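An added example, not from the thread or from Samba: a POSIX shell check that reports how /etc/resolv.conf is wired on a host, so an admin can see at a glance whether the libc resolver path goes through systemd-resolved's stub (127.0.0.53), through resolved's upstream list, or through a static file. It assumes the standard systemd locations under /run/systemd/resolve/ and takes the resolv.conf path as an argument so it can be exercised on a constructed directory tree.

```shell
#!/bin/sh
# Classify how a resolv.conf file is wired. Prints one of:
#   resolved-stub    -> libc queries go to systemd-resolved's stub at 127.0.0.53
#   resolved-uplink  -> libc uses resolved's upstream list, bypassing the daemon
#   static           -> a plain file; resolved is not in the libc path at all
resolv_mode() {
    f="$1"
    if [ -L "$f" ]; then
        target=$(readlink -f "$f")
    else
        target="$f"
    fi
    case "$target" in
        */run/systemd/resolve/stub-resolv.conf) echo "resolved-stub" ;;
        */run/systemd/resolve/resolv.conf)      echo "resolved-uplink" ;;
        *) if grep -q '^nameserver[[:space:]]*127\.0\.0\.53' "$target" 2>/dev/null; then
               echo "resolved-stub"     # a copied stub file, not a symlink
           else
               echo "static"
           fi ;;
    esac
}

# Nameservers the libc resolver will actually consult (glibc honours at most 3).
resolv_nameservers() {
    awk '/^nameserver/ { print $2 }' "$1" | head -n 3 | tr '\n' ' ' | sed 's/ $//'
}

# Human-readable report for a live host; the daemon state is only shown when
# systemctl exists, so this part is informational and not covered by the checks.
resolv_report() {
    f="${1:-/etc/resolv.conf}"
    echo "mode:        $(resolv_mode "$f")"
    echo "nameservers: $(resolv_nameservers "$f")"
    if command -v systemctl >/dev/null 2>&1; then
        echo "resolved:    $(systemctl is-active systemd-resolved 2>/dev/null || true)"
    fi
}

# Constructed sample tree (not a real host) so the check runs offline.
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/run/systemd/resolve" "$tmp/etc"
    printf 'nameserver 127.0.0.53\n' > "$tmp/run/systemd/resolve/stub-resolv.conf"
    printf 'nameserver 192.0.2.10\nnameserver 192.0.2.11\n' > "$tmp/run/systemd/resolve/resolv.conf"
    ln -s "$tmp/run/systemd/resolve/stub-resolv.conf" "$tmp/etc/resolv.conf"
    echo "$tmp"
}
```

Run `resolv_report` on a DC: for the configuration Rowland describes, where everything is meant to go through /etc/resolv.conf, the expected output is `static` with the DC's own address as the first nameserver.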
