I have 2 DCs at a customer that also run ISC Kea DHCP servers. To be able to provide DHCP leases I added virtual interfaces to the servers with IPs in each VLAN. In turn there also exist routes to the VLANs:

# ip r
default via 10.0.0.254 dev enp0s31f6 onlink
10.0.0.0/24 dev enp0s31f6 proto kernel scope link src 10.0.0.230
10.100.40.0/24 dev enp0s31f6.200 proto kernel scope link src 10.100.40.230
192.168.101.0/24 dev enp0s31f6.101 proto kernel scope link src 192.168.101.230
192.168.102.0/24 dev enp0s31f6.102 proto kernel scope link src 192.168.102.230
192.168.103.0/24 dev enp0s31f6.103 proto kernel scope link src 192.168.103.230

In smb.conf I did this:

bind interfaces only = yes
interfaces = lo enp0s31f6

to only run the DC in the LAN network.

Otherwise there were 4 or 5 DNS entries created for the hostname of the DC, which seemed problematic to me. Maybe it is not?

What if a client in the LAN gets a DNS reply with an IP in the VLANs? Timeouts?

To reply to DHCP clients in the VLANs I need the specific interfaces + routes.

But if a client in a VLAN tries to "gpupdate", things fail: asymmetric routing, the replies don't get to the client.

I am not sure how to solve this. Allow the DC to run on all interfaces?

And no, we don't have additional hardware to move the DHCP services to.
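As an added example (not part of either message in this thread), a small Python check over the routing table and the smb.conf "interfaces =" line posted above: for a given client address it reports which interface the DC's kernel would use for the reply and whether Samba is bound to that interface, which is the mismatch behind the asymmetric path described. The client addresses in the test are constructed.

```python
import ipaddress

# Routing table and smb.conf 'interfaces' line as posted in the thread
# (constructed copy of the message's own values).
IP_ROUTE_OUTPUT = """\
default via 10.0.0.254 dev enp0s31f6 onlink
10.0.0.0/24 dev enp0s31f6 proto kernel scope link src 10.0.0.230
10.100.40.0/24 dev enp0s31f6.200 proto kernel scope link src 10.100.40.230
192.168.101.0/24 dev enp0s31f6.101 proto kernel scope link src 192.168.101.230
192.168.102.0/24 dev enp0s31f6.102 proto kernel scope link src 192.168.102.230
192.168.103.0/24 dev enp0s31f6.103 proto kernel scope link src 192.168.103.230
"""
SMB_INTERFACES = "lo enp0s31f6"


def parse_routes(text):
    """Parse 'ip r' lines into (network, device, src) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1]
        src = fields[fields.index("src") + 1] if "src" in fields else None
        routes.append((net, dev, src))
    return routes


def reply_interface(client_ip, routes):
    """Longest-prefix match: the interface the kernel picks for a reply."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net, dev) for net, dev, _ in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def check_client(client_ip, route_text=IP_ROUTE_OUTPUT, smb_interfaces=SMB_INTERFACES):
    """Return (reply_dev, bound). bound is False when the reply leaves on an
    interface Samba is not bound to: the request came in via the LAN router,
    but the answer bypasses it on the directly connected VLAN interface."""
    dev = reply_interface(client_ip, parse_routes(route_text))
    return dev, dev in smb_interfaces.split()


def unbound_subnets(route_text=IP_ROUTE_OUTPUT, smb_interfaces=SMB_INTERFACES):
    """Connected subnets whose clients would hit the asymmetric path."""
    bound = set(smb_interfaces.split())
    return [str(net) for net, dev, src in parse_routes(route_text)
            if src and dev not in bound]
```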
18.01.2023 18:45, Stefan G. Weichinger via samba wrote:
..
> to only run the DC in the LAN network.
>
> Otherwise there were 4 or 5 DNS entries created for the hostname of the DC, which seemed problematic to me. Maybe it is not?
>
> What if a client in the LAN gets a DNS reply with an IP in the VLANs? Timeouts?

Is it impossible for the client to reach this IP on the VLAN? Quite often in this configuration it is possible, depending on routing and filtering in place.

FWIW, this is one of the reasons I prefer to manage DNS elsewhere, without tying it to samba/DC; this way I can control which records are being used. DNS is mostly static, it changes only when you reconfigure the network, when you can update DNS explicitly too, so dynamic DNS isn't really necessary.

> To reply to DHCP clients in the VLANs I need the specific interfaces + routes.
>
> But if a client in a VLAN tries to "gpupdate", things fail: asymmetric routing, the replies don't get to the client.
>
> I am not sure how to solve this.
>
> Allow the DC to run on all interfaces?
>
> And no, we don't have additional hardware to move the DHCP services to.

You don't need additional hardware. It is trivial these days to run a virtual machine, with either samba or dhcpd or whatever else is needed.

But so far, it's difficult to say which problem you're trying to solve.

/mjt