[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
Rowland Penny
rpenny at samba.org
Fri Apr 28 15:51:33 UTC 2023
On 28/04/2023 15:17, Gary Dale via samba wrote:
> What you are arguing for (and what Samba is now doing) is the former - a
> single instance of everything - instead of extending the AD strategy to
> propagate changes between domain controllers and Unix authentication.
> Given that the AD propagation strategy provides redundancy and better
> performance, this seems like a strange choice.
>
> When you combine this with the harm it does to existing Unix
> infrastructure, the idea appears indefensible.
>
>
Whilst looking through my deleted bin for an email that got deleted by
mistake, I found this post.
Gary, These are just my personal thoughts and have nothing to do with
any other person or entity.
Samba was from the very start an attempt to emulate the SMB protocol, it
is in its very name: SaMBa. It was an attempt to connect Windows and Unix.
Now some of what was done in the past was probably not a good idea, but
you cannot change the past.
Samba (at the moment) can operate as an NT4-style PDC, but they rely on
SMBv1 and Microsoft stopped supporting NT4 over 20 years ago, they
replaced it with AD and they are doing all they can to remove SMBv1.
Samba, after a lot of hard work, released their version of AD about 10
years ago and it was and is a success. It is a success because it
closely follows Microsoft AD, it has to, or it wouldn't be AD. This
means that a lot of what used to work is either not required any more
(local users on Linux) or just doesn't work or make sense.
Running a Samba AD domain is a lot easier than running an NT4-style
domain, where you could have just one PDC and multiple BDC's, which may
or not take over (after you make them do it) if the PDC failed. You can
have multiple AD DC's where the only difference is the FSMO roles and
they can be easily moved to any DC.
You want Samba changing to do what you want, but I am sorry, this isn't
likely to happen, you need to change the way you do things and if you
do, I think you will find things are easier than you think, want to
change a password ? Just do it in one place, AD, rather than multiple
places. Want to create users or groups on multiple machines, do it in
AD. I could go on and on, but I think you get the point, AD beats
anything else, hands down.
Now, unless you are prepared to accept that Samba AD is never going to
work like an NT4-style domain, I suggest you go and find another way of
doing things.
Rowland
PS you are still on my banned list
More information about the samba
mailing list