Ben Cohen
2015-Feb-26 22:15 UTC
[Samba] specify alternative port for samba internal dns server
I asked this question on serverfault: serverfault.com/questions/666972/possible-to-make-samba4s-internal-dns-server-listen-on-non-standard-port

I would like to be able to configure the internal samba dns server to listen on a port other than 53 so I can easily interoperate the samba internal dns with another dns server on the same host.

Many other samba services have configuration to change the default port -- the dns server should as well.
Rowland Penny
2015-Feb-26 22:39 UTC
[Samba] specify alternative port for samba internal dns server
On 26/02/15 22:15, Ben Cohen wrote:
> I asked this question on serverfault
> serverfault.com/questions/666972/possible-to-make-samba4s-internal-dns-server-listen-on-non-standard-port
>
> I would like to be able to configure the internal samba dns server to
> listen on a port other than 53 so I can easily interoperate the samba
> internal dns with another dns server on the same host.
>
> Many other samba services have configuration to change the default port --
> the dns server should as well.

Just like you were told on the link you provided: *NO*

The kerberos server built into samba4 relies on dns, so the dns server needs to be authoritative for the dns domain; anything else it forwards to another dns server outside the domain.

Rowland
Rowland Penny
2015-Feb-26 23:06 UTC
[Samba] specify alternative port for samba internal dns server
On 26/02/15 22:58, Ben Cohen wrote:
> My goal is for the samba dns server to be authoritative for
> 'ad.mydomain.com' but not for mydomain.com. The dns server that the
> clients in my domain use is statically configured to resolve all
> requests for ad.mydomain.com via the samba internal dns -- I believe
> this is exactly what is required for samba to function ... Is this
> incorrect somehow?

You should point your domain members to the DC. If the record the client requires is inside the AD domain, the DC will return the answer; if it doesn't know, it will forward the request to whatever you have set as the forwarder.

> A whole bunch of other samba services can listen on other than the
> default service port through configuration options ... Why should the
> dns service uniquely deserve an all-caps *NO* with regard to this
> configurability?

You could always try and alter the ldap port that samba4 listens on -- oh sorry, you cannot change that either, can you.

Please stop trying to bend AD to your way of working.

Rowland
Steve Ankeny
2015-Feb-26 23:16 UTC
[Samba] specify alternative port for samba internal dns server
I found with my Windows clients it was extremely important to point them to the Samba AD only. No other ip_address for DNS, and as Rowland indicates, anything they need outside the domain is resolved by Samba forwarding the request (in my case, it's our gateway device which in turn forwards outside).

On 02/26/2015 06:06 PM, Rowland Penny wrote:
> On 26/02/15 22:58, Ben Cohen wrote:
>> My goal is for the samba dns server to be authoritative for
>> 'ad.mydomain.com' but not for mydomain.com. The dns server that the
>> clients in my domain use is statically configured to resolve all
>> requests for ad.mydomain.com via the samba internal dns -- I believe
>> this is exactly what is required for samba to function ... Is this
>> incorrect somehow?
>
> You should point your domain members to the DC. If the record the
> client requires is inside the AD domain, the DC will return the answer;
> if it doesn't know, it will forward the request to whatever you have
> set as the forwarder.
Rowland Penny
2015-Feb-27 00:00 UTC
[Samba] specify alternative port for samba internal dns server
On 26/02/15 23:39, Ben Cohen wrote:
> Please stop making the assumption that I don't have different problems
> than you...
>
> I support IT environments that are connected via incredibly slow
> internet links -- user clients CANNOT use something other than my dns
> server as their dns resolver -- I have to implement logic which
> controls all internet access, including dns resolution, on a per-user,
> per-byte basis -- if I put another dns server in-between me and
> the network clients, I lose the information by which my dns
> forwarding-resolver can make the identity determination. Perhaps you
> have some way of passing forward the identity information regarding
> which client is making the dns request in a way that my
> network-access-control appliance understands -- oh, right, no you don't,
> do you?
>
> In my testing my approach seems to work the way I want to do things --
> two servers, one with dnsmasq, one with samba internal dns. Clients
> point at my dnsmasq, dnsmasq resolves the ad domain via samba dns. Is
> this not appropriate for some reason? How does this go against the
> 'ad' way? As far as I can tell there is absolutely nothing wrong with
> this architecture ... why should the clients need to talk to the samba
> dns directly rather than via my intermediary -- is that actually
> required? It's my impression that my campus network doesn't do this
> with normal active directory -- I believe they run BIND and queries
> for ad.foo.com are resolved via authoritative AD dns servers running
> on windows server ... Isn't that the normal way?
>
> The reason I want to run the samba4 dns on a different port than the
> default is to avoid having to run an additional OS -- my environments
> are very expensive to put equipment in, reducing the hardware and OS
> count is desirable, particularly where there is not a good reason that
> something needs to have its own OS instance ...
>
> It seems you reference a straw-man desire to customize the ldap server
> port in order to evoke some history of problems surrounding people
> trying to use services that don't work with the AD model within
> samba. In fact my GOAL is exactly the opposite -- I WANT to USE the
> samba integrated dns in order to avoid having any issues with the
> required set of magic AD dns behaviours -- rather than trying to hack
> those required dns behaviours into my existing dns configuration ...
>
> I appreciate your thoughts and if my suggested approach (with two
> servers) truly isn't going to work, it would be huge if you or someone
> else could tell me and give a lot of insight why ... because my plan, even
> with a *NO* on the ability to change the port that samba-dns listens
> on, is to use two servers as described above ... If that's not gonna
> work for some reason it'd be awesome to find out now ...
>
> Thanks,
>
> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>> On 26/02/15 22:58, Ben Cohen wrote:
>>> My goal is for the samba dns server to be authoritative for
>>> 'ad.mydomain.com' but not for mydomain.com. The dns server
>>> that the clients in my domain use is statically configured to
>>> resolve all requests for ad.mydomain.com via the
>>> samba internal dns -- I believe this is exactly what is
>>> required for samba to function ... Is this incorrect somehow?
>>
>> You should point your domain members to the DC. If the record the
>> client requires is inside the AD domain, the DC will return the
>> answer; if it doesn't know, it will forward the request to
>> whatever you have set as the forwarder.
>>
>>> A whole bunch of other samba services can listen on other than
>>> the default service port through configuration options ...
>>> Why should the dns service uniquely deserve an all-caps *NO*
>>> with regard to this configurability?
>>
>> You could always try and alter the ldap port that samba4 listens
>> on -- oh sorry, you cannot change that either, can you.
>>
>> Please stop trying to bend AD to your way of working.
>>
>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: lists.samba.org/mailman/options/samba

Please stop sending emails directly to me; keep it on list.

If you are struggling with resources, you could run another OS inside a VM and point the samba forwarder to a DNS server running on the OS in the VM.

Would you try and circumvent the way a windows server works? I do not think so, and as samba4 AD works exactly the same as windows AD, you shouldn't try to change the way it works.

Note that this is the last I will have to say on this subject.

Rowland
Ben Cohen
2015-Feb-27 00:10 UTC
[Samba] specify alternative port for samba internal dns server
Whoops - sorry for responding to you directly rather than via the list -- I only use gmail for extremely high-volume mailing lists, and usually that's just to skim-read them -- so I don't know the gmail web-ui very well (and it seems to change all the time) -- apologies. (Also I have no idea how to not top-post with gmail ... I'll figure that out for next time.)

You seem to have strong opinions regarding the default port for the dns server - I disagree with you but I'm not going to try to change your deeply held beliefs.

While expressing your opinions earlier in the thread, the idea was raised that it is somehow _REQUIRED_ for clients to use the samba internal dns directly rather than receive dns responses via an intermediary dns server -- can someone confirm whether or not this is the case?

On Thu, Feb 26, 2015 at 4:00 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 26/02/15 23:39, Ben Cohen wrote:
>> Please stop making the assumption that I don't have different problems
>> than you...
>>
>> I support IT environments that are connected via incredibly slow internet
>> links -- user clients CANNOT use something other than my dns server as
>> their dns resolver -- I have to implement logic which controls all internet
>> access, including dns resolution, on a per-user, per-byte basis -- if
>> I put another dns server in-between me and the network clients, I lose the
>> information by which my dns forwarding-resolver can make the identity
>> determination. Perhaps you have some way of passing forward the identity
>> information regarding which client is making the dns request in a way that
>> my network-access-control appliance understands -- oh, right, no you don't,
>> do you?
>>
>> In my testing my approach seems to work the way I want to do things --
>> two servers, one with dnsmasq, one with samba internal dns. Clients point
>> at my dnsmasq, dnsmasq resolves the ad domain via samba dns. Is this not
>> appropriate for some reason? How does this go against the 'ad' way? As far
>> as I can tell there is absolutely nothing wrong with this architecture ...
>> why should the clients need to talk to the samba dns directly rather than
>> via my intermediary -- is that actually required? It's my impression that
>> my campus network doesn't do this with normal active directory -- I believe
>> they run BIND and queries for ad.foo.com are resolved via authoritative AD
>> dns servers running on windows server ... Isn't that the normal way?
>>
>> The reason I want to run the samba4 dns on a different port than the
>> default is to avoid having to run an additional OS -- my environments are
>> very expensive to put equipment in, reducing the hardware and OS count is
>> desirable, particularly where there is not a good reason that something
>> needs to have its own OS instance ...
>>
>> It seems you reference a straw-man desire to customize the ldap server
>> port in order to evoke some history of problems surrounding people trying
>> to use services that don't work with the AD model within samba. In fact my
>> GOAL is exactly the opposite -- I WANT to USE the samba integrated dns in
>> order to avoid having any issues with the required set of magic AD dns
>> behaviours -- rather than trying to hack those required dns behaviours into
>> my existing dns configuration ...
>>
>> I appreciate your thoughts and if my suggested approach (with two
>> servers) truly isn't going to work, it would be huge if you or someone else
>> could tell me and give a lot of insight why ... because my plan, even with a
>> *NO* on the ability to change the port that samba-dns listens on, is to use
>> two servers as described above ... If that's not gonna work for some
>> reason it'd be awesome to find out now ...
>>
>> Thanks,
>>
>> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>> On 26/02/15 22:58, Ben Cohen wrote:
>>>> My goal is for the samba dns server to be authoritative for
>>>> 'ad.mydomain.com' but not for mydomain.com. The dns server
>>>> that the clients in my domain use is statically configured to
>>>> resolve all requests for ad.mydomain.com via the
>>>> samba internal dns -- I believe this is exactly what is
>>>> required for samba to function ... Is this incorrect somehow?
>>>
>>> You should point your domain members to the DC. If the record the
>>> client requires is inside the AD domain, the DC will return the
>>> answer; if it doesn't know, it will forward the request to
>>> whatever you have set as the forwarder.
>>>
>>>> A whole bunch of other samba services can listen on other than
>>>> the default service port through configuration options ...
>>>> Why should the dns service uniquely deserve an all-caps *NO*
>>>> with regard to this configurability?
>>>
>>> You could always try and alter the ldap port that samba4 listens
>>> on -- oh sorry, you cannot change that either, can you.
>>>
>>> Please stop trying to bend AD to your way of working.
>>>
>>> Rowland
>
> Please stop sending emails directly to me; keep it on list.
>
> If you are struggling with resources, you could run another OS inside a VM
> and point the samba forwarder to a DNS server running on the OS in the VM.
>
> Would you try and circumvent the way a windows server works? I do not
> think so, and as samba4 AD works exactly the same as windows AD, you
> shouldn't try to change the way it works.
>
> Note that this is the last I will have to say on this subject.
>
> Rowland
Ben Cohen
2015-Feb-27 00:14 UTC
[Samba] specify alternative port for samba internal dns server
My goal is for the samba dns server to be authoritative for 'ad.mydomain.com' but not for mydomain.com. The dns server that the clients in my domain use is statically configured to resolve all requests for ad.mydomain.com via the samba internal dns -- I believe this is exactly what is required for samba to function ... Is this incorrect somehow?

A whole bunch of other samba services can listen on other than the default service port through configuration options ... Why should the dns service uniquely deserve an all-caps *NO* with regard to this configurability?

On Thu, Feb 26, 2015 at 2:39 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 26/02/15 22:15, Ben Cohen wrote:
>> I asked this question on serverfault
>> serverfault.com/questions/666972/possible-to-make-samba4s-internal-dns-server-listen-on-non-standard-port
>>
>> I would like to be able to configure the internal samba dns server to
>> listen on a port other than 53 so I can easily interoperate the samba
>> internal dns with another dns server on the same host.
>>
>> Many other samba services have configuration to change the default port --
>> the dns server should as well.
>
> Just like you were told on the link you provided: *NO*
>
> The kerberos server built into samba4 relies on dns, so the dns server
> needs to be authoritative for the dns domain; anything else it forwards to
> another dns server outside the domain.
>
> Rowland
Ben Cohen
2015-Feb-27 00:15 UTC
[Samba] specify alternative port for samba internal dns server
Please stop making the assumption that I don't have different problems than you...

I support IT environments that are connected via incredibly slow internet links -- user clients CANNOT use something other than my dns server as their dns resolver -- I have to implement logic which controls all internet access, including dns resolution, on a per-user, per-byte basis -- if I put another dns server in-between me and the network clients, I lose the information by which my dns forwarding-resolver can make the identity determination. Perhaps you have some way of passing forward the identity information regarding which client is making the dns request in a way that my network-access-control appliance understands -- oh, right, no you don't, do you?

In my testing my approach seems to work the way I want to do things -- two servers, one with dnsmasq, one with samba internal dns. Clients point at my dnsmasq, dnsmasq resolves the ad domain via samba dns. Is this not appropriate for some reason? How does this go against the 'ad' way? As far as I can tell there is absolutely nothing wrong with this architecture ... why should the clients need to talk to the samba dns directly rather than via my intermediary -- is that actually required? It's my impression that my campus network doesn't do this with normal active directory -- I believe they run BIND and queries for ad.foo.com are resolved via authoritative AD dns servers running on windows server ... Isn't that the normal way?

The reason I want to run the samba4 dns on a different port than the default is to avoid having to run an additional OS -- my environments are very expensive to put equipment in, reducing the hardware and OS count is desirable, particularly where there is not a good reason that something needs to have its own OS instance ...

It seems you reference a straw-man desire to customize the ldap server port in order to evoke some history of problems surrounding people trying to use services that don't work with the AD model within samba. In fact my GOAL is exactly the opposite -- I WANT to USE the samba integrated dns in order to avoid having any issues with the required set of magic AD dns behaviours -- rather than trying to hack those required dns behaviours into my existing dns configuration ...

I appreciate your thoughts and if my suggested approach (with two servers) truly isn't going to work, it would be huge if you or someone else could tell me and give a lot of insight why ... because my plan, even with a *NO* on the ability to change the port that samba-dns listens on, is to use two servers as described above ... If that's not gonna work for some reason it'd be awesome to find out now ...

Thanks,

On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 26/02/15 22:58, Ben Cohen wrote:
>> My goal is for the samba dns server to be authoritative for
>> 'ad.mydomain.com' but not for mydomain.com. The dns server that the
>> clients in my domain use is statically configured to resolve all
>> requests for ad.mydomain.com via the samba internal dns -- I believe
>> this is exactly what is required for samba to function ... Is this
>> incorrect somehow?
>
> You should point your domain members to the DC. If the record the client
> requires is inside the AD domain, the DC will return the answer; if it
> doesn't know, it will forward the request to whatever you have set as the
> forwarder.
>
>> A whole bunch of other samba services can listen on other than the
>> default service port through configuration options ... Why should the dns
>> service uniquely deserve an all-caps *NO* with regard to this
>> configurability?
>
> You could always try and alter the ldap port that samba4 listens on -- oh
> sorry, you cannot change that either, can you.
>
> Please stop trying to bend AD to your way of working.
>
> Rowland
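The two-server design argued over in this thread (dnsmasq in front of the clients, forwarding the AD zone to the Samba internal DNS, which in turn forwards everything else out) stands or falls on one thing Rowland keeps coming back to: domain members must still be able to find the DC and KDC through whatever resolver they are given. The script below is an added example written for this archive page; it is not code from the thread or from the Samba project. It sends a raw DNS/UDP SRV query for the records a member looks up during domain discovery and decodes the reply with a minimal wire-format parser, so the same check can be run once against the intermediary and once against the DC and the two answer sets compared. Everything specific is an assumption: the zone `ad.mydomain.com` is the placeholder used in the thread, the resolver address `192.0.2.53` and the DC name `dc1.ad.mydomain.com` are made up, and `SAMPLE_REPLY` is a constructed packet so the parser can be exercised offline.

```python
"""Check that an AD zone's SRV records resolve through a given resolver.

Added example for the samba-list thread above, not project code.
Zone, resolver address and DC name are assumptions, not from the page.
"""
import secrets
import socket
import struct

AD_ZONE = "ad.mydomain.com"   # placeholder zone name from the thread
SRV_TYPE = 33                 # RR type SRV (RFC 2782)


def ad_srv_names(zone):
    """SRV names a domain member resolves to locate its LDAP server and KDC."""
    return [f"_ldap._tcp.{zone}", f"_kerberos._tcp.{zone}", f"_kerberos._udp.{zone}"]


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid):
    """Standard query header (RD=1), one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2                      # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_srv_response(msg):
    """Return txid, rcode, the AA flag and every SRV record in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4                                   # qtype + qclass
    srv = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            srv.append((prio, weight, port, target))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "srv": srv}


def query_srv(resolver, name, port=53, timeout=3.0):
    """Send one SRV query over UDP and return the parsed reply (network call)."""
    txid = secrets.randbelow(65536)                # unpredictable transaction id
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, SRV_TYPE, txid), (resolver, port))
        reply, _ = s.recvfrom(4096)
    parsed = parse_srv_response(reply)
    if parsed["txid"] != txid:
        raise ValueError("reply transaction id does not match the query")
    return parsed


def check_ad_zone(resolver, zone=AD_ZONE):
    """Map each required SRV name to the (port, target) pairs the resolver returned."""
    return {n: [(p, t) for _, _, p, t in query_srv(resolver, n)["srv"]]
            for n in ad_srv_names(zone)}


def encode_srv_response(txid, qname, records, aa=True):
    """Constructed reply, shaped like a DC's answer, for offline testing of the parser."""
    flags = 0x8180 | (0x0400 if aa else 0)         # QR, RD, RA (+AA)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", SRV_TYPE, 1)
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, 1, 900, len(rdata)) + rdata
    return msg


# Constructed sample: an authoritative answer naming an assumed DC, dc1.ad.mydomain.com.
SAMPLE_REPLY = encode_srv_response(0x2A2A, f"_ldap._tcp.{AD_ZONE}",
                                   [(0, 100, 389, f"dc1.{AD_ZONE}")])

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"   # assumed address
    for name, answers in check_ad_zone(resolver).items():
        print(name, "->", answers or "NO ANSWER (DC/KDC discovery would fail)")
```

Run it once with the intermediary's address and once with the DC's address and diff the output; if the two-server layout is correct (for dnsmasq that means a `server=/ad.mydomain.com/<dc-ip>` line pointing the zone at the Samba DC, and the Samba `dns forwarder` pointing back out for everything else) the record sets are identical and the `aa` flag in `parse_srv_response` tells you whether the answer came through as authoritative. An empty or different answer set via the intermediary is exactly the failure Rowland warns about, since Kerberos and LDAP discovery depend on those SRV records.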