[Samba] Keeping DNS out of Samba

Michael Tokarev mjt at tls.msk.ru
Thu Dec 19 09:31:53 UTC 2024


Hi!

There have been a few questions on the samba mailing list, some of which
(eg https://bugzilla.samba.org/show_bug.cgi?id=14518) are recurring
often, some aren't.

And I, once again, want to remind you that there's another approach to DNS
in samba, which avoids all these and many other issues, but it requires
a bit of work.  The benefit is to have DNS under control again as in
the good old times.

The basis for my setup is the fact that for an AD, the set of DNS records
which is required for operations is actually static most of the time.
There are basically a few SRV records pointing at the DCs, which only
change when the DCs change, but for the rest of the operations, it
does not change in any way.  And to manage this set of records, you
don't need samba internal DNS at all.

The other part - like dynamic DNS for workstation registration - is not
covered here, since we don't use it.

Samba "publishes" DNS records in an intermediate file on each server,
in /var/lib/samba/private/dns_update_cache -- this is the file it pushes
to dynamic DNS on every DNS update.  It has a format very similar to a
fragment of a regular zone file.

A combination of all these files from all servers of interest can be
fed into named or nsd or whatever DNS nameserver of choice with a
trivial script.  And you have to keep this in mind when changing your
set of DCs (at least): this part needs to be re-pushed to the actual
nameserver after each change (this can be automated by
replacing the dns update script with something more appropriate).

Next, I've a trivial Makefile-based zone generation script which
combines these pieces into the actual nameserver, adding dnssec records,
distributing to secondary servers, and all the other things you'd
expect from a real nameserver.

Once loaded into a regular nameserver of choice, and having this
nameserver of choice in /etc/resolv.conf (and only it, no samba internal
dns!), everything will work.  And all the samba-specific DNS issues are
gone, too.

I understand some people on this list don't find this approach good,
but I haven't seen an explanation of their opinion, despite numerous
questions about this.  To me, this is much more reliable, manageable
and bug- and hassle-free than using samba internal DNS.  Especially
with the "don't re-invent the wheel" theme: named is a complex thing,
it's unlikely samba will repeat it in a good way.

Thanks,

/mjt
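The "trivial script" step described in the post, as an added example that is not the poster's own script: it merges the dns_update_cache fragments of several DCs into fully qualified zone-file RRs and flags targets that no longer have an address record (a stale DC whose cache is still being fed in). It assumes the line format samba_dnsupdate writes, "TYPE NAME TARGET [PORT]"; the two cache contents, hostnames and addresses are constructed.

```python
# Added example (not the poster's script): merge Samba dns_update_cache files from
# several DCs into zone-file RRs. Assumes samba_dnsupdate's line format
# "TYPE NAME TARGET [PORT]"; sample caches below are constructed.
from collections import OrderedDict
CACHE_DC1 = """\
A dc1.example.com 192.0.2.10
NS example.com dc1.example.com
SRV _ldap._tcp.example.com dc1.example.com 389
CNAME 0f0e0d0c-1111-2222-3333-444444444444._msdcs.example.com dc1.example.com
"""
CACHE_DC2 = """\
A dc2.example.com 192.0.2.11
NS example.com dc2.example.com
SRV _ldap._tcp.example.com dc2.example.com 389
SRV _ldap._tcp.dc._msdcs.example.com dc3.example.com 389
"""  # dc3 is a removed DC left behind in a stale cache: no A record anywhere

def parse_cache(text):
    """Return (type, name, target, port) tuples; port is None unless SRV."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        rtype, name, target = parts[0].upper(), parts[1].lower(), parts[2].lower()
        recs.append((rtype, name, target, int(parts[3]) if rtype == "SRV" else None))
    return recs

def merge_caches(*texts):
    """Union of all DCs' records; duplicates dropped, first-seen order kept."""
    return list(OrderedDict.fromkeys(r for t in texts for r in parse_cache(t)))

def to_zone_rrs(records, ttl=900):
    """Render as fully qualified BIND/NSD zone-file RRs."""
    rrs = []
    for rtype, name, target, port in records:
        if rtype == "SRV":  # samba_dnsupdate registers SRV with prio 0, weight 100
            rrs.append(f"{name}. {ttl} IN SRV 0 100 {port} {target}.")
        elif rtype in ("A", "AAAA"):
            rrs.append(f"{name}. {ttl} IN {rtype} {target}")
        else:  # CNAME, NS
            rrs.append(f"{name}. {ttl} IN {rtype} {target}.")
    return rrs

def dangling_targets(records):
    """Targets of SRV/NS/CNAME with no A/AAAA in the merged set (stale DC)."""
    have_addr = {n for t, n, _, _ in records if t in ("A", "AAAA")}
    return sorted({tgt for t, _, tgt, _ in records
                   if t in ("SRV", "NS", "CNAME") and tgt not in have_addr})
```

Run it against the real cache files after every change to the set of DCs; a non-empty dangling_targets() result is the signal that one of the fed-in caches is out of date.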


