I'm setting up a bind server as well as a samba domain on a machine (timcserv03). I initially set the local domain up in bind as thisismycompany.local (already owning the name thisismycompany.com), however I started to see that there could be issues with using .local, so wanted to go in a safer direction. It seems the best logical internal domain name would be local.thisismycompany.com.

Note that I'm using the example of "thisismycompany" because, like the real domain, it too has a whopping 15 characters in the name. I can't change the name - stuck with it. But I'd like to save users from having to type more than necessary while keeping it sensical. It appears that it might not be a good idea to have the internal DNS domain be thisismycompany.com, but correct me if I'm wrong there.

So after setting up the dns domain to be local.thisismycompany.com and looking at the input needed for the samba-tool (samba-tool domain provision), I had some concerns. I don't mind redoing things a few times, but I don't want to get too far down the road before I realize my errors.

1) I would like my users to log in to workstations with flast@thisismycompany.com and/or timc\flast. Given the above domain name, does that restrict me to logins being flast@local.thisismycompany.com? That's a lot of typing and not very intuitive. Is there a way to achieve the simpler flast@thisismycompany.com with a DNS domain of local.thisismycompany.com? Can I simply have a realm of "thisismycompany.com" and a short domain name of "timc" on an internal domain of "local.thisismycompany.com"? (e.g. - just put "thisismycompany.com" for "Realm" and "timc" for "domain" in "samba-tool domain provision")

2) I'm not yet trusting my configuration skills in Bind, so I'd like to use samba_internal as the DNS backend for now. Is there any problem with doing that for now, even though I have this same server set up as a bind DNS? I still would answer the DNS question with the machine's own IP address (point to itself).

Thanks,
-Jeff

Jeff Henze wrote on 22.01.2015 02:02:

> 1) I would like my users to log in to workstations with
> flast@thisismycompany.com and/or timc\flast.

If the domain is set up as

[global]
    workgroup = LOCAL
    realm = local.thisismycompany.com

then the domain users would log in as local\flast.
I am not sure whether LOCAL makes up a good domain name...

> 2) I'm not yet trusting my configuration skills in Bind, so I'd like to use
> samba_internal as the DNS backend for now.

Bind is very cool for isolating the internal DNS from the rest of the world. No need to worry for Bind running on the DC. If you got a slave DNS, you have to disable forwarders for your internal zone, i.e.:

zone "local.thisismycompany.com" {
    type slave;
    masters { *your DCs go here* };
    file "/etc/bind/namedb/bak.local.thisismycompany.com";
    forwarders{};
};

I always liked Bind... :-)

HTH & Best regards

If this is in smb.conf

> [global]
>     workgroup = LOCAL
>     realm = local.thisismycompany.com

then you have a problem.

realm needs to be in CAPS

Louis

> -----Original message-----
> From: peter at serbe.ch [mailto:samba-bounces at lists.samba.org] On behalf of Peter Serbe
> Sent: Thursday, 22 January 2015 10:29
> To: samba at lists.samba.org; jeff at henze.us
> Subject: Re: [Samba] dns/ad domain provisioning and naming
>
> Jeff Henze wrote on 22.01.2015 02:02:
>
>> 1) I would like my users to log in to workstations with
>> flast@thisismycompany.com and/or timc\flast.
>
> If the domain is set up as
>
> [global]
>     workgroup = LOCAL
>     realm = local.thisismycompany.com
>
> then the domain users would log in as local\flast.
> I am not sure whether LOCAL makes up a good domain name...
>
>> 2) I'm not yet trusting my configuration skills in Bind, so I'd like to use
>> samba_internal as the DNS backend for now.
>
> Bind is very cool for isolating the internal DNS from the
> rest of the world. No need to worry for Bind running on the
> DC. If you got a slave DNS, you have to disable forwarders
> for your internal zone, i.e.:
>
> zone "local.thisismycompany.com" {
>     type slave;
>     masters { *your DCs go here* };
>     file "/etc/bind/namedb/bak.local.thisismycompany.com";
>     forwarders{};
> };
>
> I always liked Bind... :-)
> HTH & Best regards

zone "local.thisismycompany.com" {
    type slave;
    masters { *your DCs go here* };
    file "/etc/bind/namedb/bak.local.thisismycompany.com";
    forwarders{};
};

If you are setting up bind on the DC like that, you have a problem, you are not using DLZ.

Rowland

Can work if you use provisioning with BIND9_FLATFILE; anyway, I tested that a long time ago... but then you will be missing the "Multimaster" DNS ability.

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Thursday, 22 January 2015 11:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] dns/ad domain provisioning and naming
>
> zone "local.thisismycompany.com" {
>     type slave;
>     masters { *your DCs go here* };
>     file "/etc/bind/namedb/bak.local.thisismycompany.com";
>     forwarders{};
> };
>
> If you are setting up bind on the DC like that, you have a
> problem, you are not using DLZ.
>
> Rowland

On Thu, Jan 22, 2015 at 4:29 AM, Peter Serbe <peter at serbe.ch> wrote:

> If the domain is set up as
> [global]
>     workgroup = LOCAL
>     realm = local.thisismycompany.com
> then the domain users would log in as local\flast.
> I am not sure whether LOCAL makes up a good domain name...

Thanks for adding clarity Peter. I'm having trouble framing my questions so maybe I might be able to better explain precisely what I'm looking for here:

1) Assuming a legitimately registered ICANN domain name of "thisismycompany.com", would there be a conflict having the internal domain's FQDN being structured as "*.thisismycompany.com" with a workgroup of "myco" and a realm of "thisismycompany.com"?

2) Assuming that first question is "yes", would end users then sign in as username@thisismycompany.com -and/or- myco\username ?

> zone "local.thisismycompany.com" {
>     type slave;
>     masters { *your DCs go here* };
>     file "/etc/bind/namedb/bak.local.thisismycompany.com";
>     forwarders{};

Excellent - thanks for the bind tip.

-Jeff

L.P.H. van Belle wrote on 22.01.2015 10:58:

> if this is in smb.conf
>
>> [global]
>>     workgroup = LOCAL
>>     realm = local.thisismycompany.com
>
> then you have a problem.
>
> realm needs to be in CAPS

Hi Louis,

are you sure? I would agree that it must be capitalized in the krb5.conf. But in smb.conf??
My configuration seems to work just like it is...

Best regards
Peter

Hi,

The Kerberos realm name is case sensitive. You are not required to have an uppercase Kerberos realm, but I would strongly advise it. Lots of other applications do require it. It also keeps everything more clear to read, and better/easier to troubleshoot.

Greetz,
Louis

> -----Original message-----
> From: Peter Serbe [mailto:peter at serbe.ch]
> Sent: Thursday, 22 January 2015 15:30
> To: samba at lists.samba.org; L.P.H. van Belle
> Subject: Re: [Samba] dns/ad domain provisioning and naming
>
> L.P.H. van Belle wrote on 22.01.2015 10:58:
>
>> if this is in smb.conf
>>
>>> [global]
>>>     workgroup = LOCAL
>>>     realm = local.thisismycompany.com
>>
>> then you have a problem.
>>
>> realm needs to be in CAPS
>
> Hi Louis,
>
> are you sure? I would agree that it must be capitalized
> in the krb5.conf. But in smb.conf??
> My configuration seems to work just like it is...
>
> Best regards
> Peter
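
Added example (not part of the thread and not Samba project code): a small Python lint for the realm spelling discussed above. It flags a realm in smb.conf that is not upper case and a realm that does not match krb5.conf default_realm byte for byte. The file contents and the names parse_ini and check_realm are constructed for illustration.

```python
# Constructed sample files; they mirror the settings quoted in the thread.
SMB_CONF = """\
[global]
    workgroup = LOCAL
    realm = local.thisismycompany.com
"""

KRB5_CONF = """\
[libdefaults]
    default_realm = LOCAL.THISISMYCOMPANY.COM
[domain_realm]
    .local.thisismycompany.com = LOCAL.THISISMYCOMPANY.COM
"""

def parse_ini(text):
    """Parse 'key = value' lines into {section: {key: value}}, keys lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def check_realm(smb_text, krb5_text):
    """Return findings about realm case and smb.conf/krb5.conf consistency."""
    findings = []
    smb = parse_ini(smb_text).get("global", {})
    krb = parse_ini(krb5_text)
    realm = smb.get("realm", "")
    default_realm = krb.get("libdefaults", {}).get("default_realm", "")
    if realm != realm.upper():
        findings.append(f"smb.conf realm '{realm}' is not upper case")
    # Kerberos realm names are case sensitive, so compare without folding case.
    if realm != default_realm:
        same = realm.upper() == default_realm.upper()
        kind = "case only" if same else "different realm"
        findings.append(f"smb.conf realm and krb5.conf default_realm differ ({kind})")
    # Every DNS-suffix mapping should point at the same realm spelling.
    for dns_name, mapped in krb.get("domain_realm", {}).items():
        if mapped != default_realm:
            findings.append(f"domain_realm '{dns_name}' maps to '{mapped}'")
    return findings

if __name__ == "__main__":
    for finding in check_realm(SMB_CONF, KRB5_CONF):
        print("WARN:", finding)
```

A finding here is a lint warning in the spirit of the advice above, not proof that Samba itself will fail with that setting.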