[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend

Rowland Penny rpenny at samba.org
Fri Apr 28 15:51:33 UTC 2023

On 28/04/2023 15:17, Gary Dale via samba wrote:

> What you are arguing for (and what Samba is now doing) is the former - a 
> single instance of everything - instead of extending the AD strategy to 
> propagate changes between domain controllers and Unix authentication. 
> Given that the AD propagation strategy provides redundancy and better 
> performance, this seems like a strange choice.
> When you combine this with the harm it does to existing Unix 
> infrastructure, the idea appears indefensible.

Whilst looking through my deleted bin for an email that got deleted by 
mistake, I found this post.

Gary, these are just my personal thoughts and have nothing to do with 
any other person or entity.

Samba was, from the very start, an attempt to emulate the SMB protocol; 
it is in its very name: SaMBa. It was an attempt to connect Windows and Unix.
Now, some of what was done in the past was probably not a good idea, but 
you cannot change the past.

Samba (at the moment) can operate as an NT4-style PDC, but these rely on 
SMBv1, and Microsoft stopped supporting NT4 over 20 years ago; they 
replaced it with AD and are doing all they can to remove SMBv1.

Samba, after a lot of hard work, released its version of AD about 10 
years ago, and it was and is a success. It is a success because it 
closely follows Microsoft AD; it has to, or it wouldn't be AD. This 
means that a lot of what used to work is either not required any more 
(local users on Linux) or just doesn't work or make sense.

Running a Samba AD domain is a lot easier than running an NT4-style 
domain, where you could have just one PDC and multiple BDCs, which may 
or may not take over (after you make them do it) if the PDC failed. You 
can have multiple AD DCs where the only difference is the FSMO roles, 
and they can be easily moved to any DC.

You want Samba to change to do what you want, but I am sorry, this isn't 
likely to happen. You need to change the way you do things, and if you 
do, I think you will find things are easier than you think. Want to 
change a password? Just do it in one place, AD, rather than in multiple 
places. Want to create users or groups on multiple machines? Do it in 
AD. I could go on and on, but I think you get the point: AD beats 
anything else, hands down.

Now, unless you are prepared to accept that Samba AD is never going to 
work like an NT4-style domain, I suggest you go and find another way of 
doing things.


PS: you are still on my banned list