samba - Nov 2014 - Fwd: Samba4 as AD server

So I set up two of my three Linode servers in the Texas datacenter as
Samba4 domain controllers. (One to provision the domain, and one joining
it.) These have IPTables in place that allow my home IP address to access
any protocol/port, and 53 is allowed from everywhere for both tcp and udp.
The domain that I configured is AD.WINDSOFSTORM.NET, and I have delegated
NS records for that subdomain to the two servers that are running Samba
(using the Samba internal DNS server). My understanding, although this was
not covered explicitly in any of the docs that I found, was that this would
be sufficient for DNS purposes so that I would not have to repoint my
workstation to use those servers directly for DNS resolution; the requests
for anything under that subdomain will get properly routed there instead by
the normal internet DNS architecture.

However, I am unable to join the domain. Looking at the logs, I don't see
anything going on. I tried just manually connecting to \\
sage.windsofstorm.net, the PDC, and I got "Windows cannot access this
share". But I can use netcat to reach the server over UDP 139/TCP 389/etc.
Is there something that I need to specify given that the server is on a
different network than my home network? (I can't set up a VPN to their
internal network at this point in time as I already have a VPN in place for
work. Maybe down the line.)

I'm a little confused as to what I should be checking at this point. All
the guides I've found seem to indicate that it should "just work"
at this
point.

--
~*~ StormeRider ~*~

"Every world needs its heroes [...] They inspire us to be better than we
are. And they protect from the darkness that's just around the corner."

(from Smallville Season 6x1: "Zod")

On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS

On 20/11/14 10:41, Morgan Blackthorne wrote:
> So I set up two of my three Linode servers in the Texas datacenter as
> Samba4 domain controllers. (One to provision the domain, and one joining
> it.) These have IPTables in place that allow my home IP address to access
> any protocol/port, and 53 is allowed from everywhere for both tcp and udp.
> The domain that I configured is AD.WINDSOFSTORM.NET, and I have delegated
> NS records for that subdomain to the two servers that are running Samba
> (using the Samba internal DNS server). My understanding, although this was
> not covered explicitly in any of the docs that I found, was that this would
> be sufficient for DNS purposes so that I would not have to repoint my
> workstation to use those servers directly for DNS resolution; the requests
> for anything under that subdomain will get properly routed there instead by
> the normal internet DNS architecture.
>
> However, I am unable to join the domain. Looking at the logs, I don't
see
> anything going on. I tried just manually connecting to \\
> sage.windsofstorm.net, the PDC, and I got "Windows cannot access this
> share". But I can use netcat to reach the server over UDP 139/TCP
389/etc.
> Is there something that I need to specify given that the server is on a
> different network than my home network? (I can't set up a VPN to their
> internal network at this point in time as I already have a VPN in place for
> work. Maybe down the line.)
>
> I'm a little confused as to what I should be checking at this point.
All
> the guides I've found seem to indicate that it should "just
work" at this
> point.
>
> --
> ~*~ StormeRider ~*~
>
> "Every world needs its heroes [...] They inspire us to be better than
we
> are. And they protect from the darkness that's just around the
corner."
>
> (from Smallville Season 6x1: "Zod")
>
> On why I hate the phrase "that's so lame"...
http://bit.ly/Ps3uSS
Hi, if you go here: https://wiki.samba.org/index.php/Samba_Readme_First

Look under the heading 'Requirements', you will find this:

DNS config: The network configuration of all clients must be set up to 
send all DNS queries only to the AD-server(s). Even the AD-Server(s) 
themselves must be set up to send DNS queries only to their own DNS 
servers. The DNS server that runs on the AD server(s) should forward 
queries for non-AD hosts to a different DNS server that can answer those 
queries.

What this means is, your domain clients MUST use the samba4 DNS server 
and anything that this server doesn't know about, it will ask its 
forwarder. Your samba4 DNS server shouldn't really be resolvable from 
the internet.

Rowland