Harry Busch (bh@hs-furtwangen.de)
2015-Mar-20 13:20 UTC
[Samba] Samba AD with external DNS server
Hello,

We have Samba4 (Sernet, Version 4.1) on a Debian Wheezy server. There we try to use our Infoblox (it is our primary and secondary DNS server) as an external DNS server for the active directory on the samba4 server. It doesn't matter which setup option (Samba_internal, bind_dlz, none) we use, it doesn't work.

Harry
On 20/03/15 13:20, Harry Busch (bh at hs-furtwangen.de) wrote:
> Hello,
>
> We have Samba4 (Sernet, Version 4.1) on a Debian Wheezy server. There we try to
> use our Infoblox (it is our primary and secondary DNS server) as an external DNS
> server for the active directory on the samba4 server. It doesn't matter which
> setup option (Samba_internal, bind_dlz, none) we use, it doesn't work.
>
> Harry

Yes, you are quite correct, it will not work. You need to set the Samba 4 AD DC as the DNS server for the AD domain and then forward anything outside the AD domain to the Infoblox device.

Rowland
On 2015-03-20 14:20, Harry Busch (bh at hs-furtwangen.de) wrote:
> Hello,
>
> We have Samba4 (Sernet, Version 4.1) on a Debian Wheezy server. There we try to
> use our Infoblox (it is our primary and secondary DNS server) as an external DNS
> server for the active directory on the samba4 server. It doesn't matter which
> setup option (Samba_internal, bind_dlz, none) we use, it doesn't work.

"Doesn't work" is not a problem description, it's shorthand for "please ridicule me".

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
Add this to your named.conf.options on the MASTER (DC). Before the options, add (and change the ranges to your ranges or IPs):

    acl all-networks { 192.168.0.0/24; 10.249.0.0/16; };

In the options:

    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { "all-networks"; 127.0.0.1/32; };
    // Add any subnets or hosts you want to allow to use recursive queries
    allow-recursion { "all-networks"; 127.0.0.1/32; };

And in the "slave DNS server" add in named.conf.local:

    ///// ZONE SLAVE
    zone "your.domain.tld" IN {
        type slave;
        masters { HERE_IP_OF_DC; };
        file "/var/cache/bind/db.your.domain.tld.hosts";
        notify no;
        allow-transfer { HERE_IP_OF_DC; 127.0.0.1; ::1; };
    };

    zone "0.168.192.in-addr.arpa" {
        type slave;
        masters { HERE_IP_OF_DC; };
        file "/var/cache/bind/db.your.domain.tld.rev";
        notify no;
        allow-transfer { HERE_IP_OF_DC; 127.0.0.1; ::1; };
    };

And try again. This works fine for me.

Greetz,

Louis

>-----Original message-----
>From: Harry.Busch at hs-furtwangen.de
>[mailto:samba-bounces at lists.samba.org] On behalf of Harry Busch
>(bh at hs-furtwangen.de)
>Sent: Friday 20 March 2015 14:20
>To: samba at lists.samba.org
>Subject: [Samba] Samba AD with external DNS server
>
>Hello,
>
>We have Samba4 (Sernet, Version 4.1) on a Debian Wheezy server.
>There we try to
>use our Infoblox (it is our primary and secondary DNS server)
>as an external DNS
>server for the active directory on the samba4 server. It
>doesn't matter which
>setup option (Samba_internal, bind_dlz, none) we use, it doesn't work.
>
>Harry
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
Oh sorry, I didn't read it correctly. Forget my previous mail, Rowland is right.

Louis

>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 20 March 2015 14:34
>To: samba at lists.samba.org
>Subject: Re: [Samba] Samba AD with external DNS server
>
>On 20/03/15 13:20, Harry Busch (bh at hs-furtwangen.de) wrote:
>> Hello,
>>
>> We have Samba4 (Sernet, Version 4.1) on a Debian Wheezy server. There we try to
>> use our Infoblox (it is our primary and secondary DNS server) as an external DNS
>> server for the active directory on the samba4 server. It doesn't matter which
>> setup option (Samba_internal, bind_dlz, none) we use, it doesn't work.
>>
>> Harry
>
>Yes, you are quite correct, it will not work. You need to set the Samba
>4 AD DC as the DNS server for the AD domain and then forward anything
>outside the AD domain to the infoblox device.
>
>Rowland
Sven, I'll explain a bit.

If you use Samba4 AD DC, then these are always your master DNS servers. This is because Samba handles the DNS, but you can forward it, like what I "wrongly" suggested in my previous e-mail.

Now what you can do is the following:

    SAMBADC1 => Slave DNS1
    SAMBADC2 => Slave DNS2

In my case I have multiple other zones as master in "Slave DNS1". Here I have an automatically created zone, and this zone is also a slave in Slave DNS2. Why not by my Samba: only 1 server has access to a remote network, and based on pings I recreate these zones. Don't ask why, but this other network does not allow stub zones. :-(

So for Harry (based on bind9_DLZ), a suggestion is: put your Samba servers in another zone than the one your Infoblox is handling. Set these as slave in your Infoblox and add alias records in the Infoblox zone for the needed records, and/or make sure your "search" in /etc/resolv.conf also has the Samba zone. Should work IMO.

Greetz,

Louis

>-----Original message-----
>From: sven.schwedas at tao.at
>[mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas
>Sent: Friday 20 March 2015 14:38
>To: samba at lists.samba.org
>Subject: Re: [Samba] Samba AD with external DNS server
>
>On 2015-03-20 14:20, Harry Busch (bh at hs-furtwangen.de) wrote:
>> Hello,
>>
>> We have Samba4 (Sernet, Version 4.1) on a Debian Wheezy server. There we try to
>> use our Infoblox (it is our primary and secondary DNS server) as an external DNS
>> server for the active directory on the samba4 server. It doesn't matter which
>> setup option (Samba_internal, bind_dlz, none) we use, it doesn't work.
>
>"Doesn't work" is not a problem description, it's shorthand for "please
>ridicule me".
>
>--
>Mit freundlichen Grüßen, / Best Regards,
>Sven Schwedas
>Systemadministrator
>TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
>Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
>http://software.tao.at
Hello,

>> We have Samba4 (Sernet, Version 4.1) on a Debian Wheezy
>> server. There we try to use our Infoblox (it is our
>> primary and secondary DNS server) as an external DNS
>> server for the active directory on the samba4 server. It
>> doesn't matter which setup option (Samba_internal,
>> bind_dlz, none) we use, it doesn't work.
>
>Yes, you are quite correct, it will not work. You need to set the Samba
>4 AD DC as the DNS server for the AD domain and then forward anything
>outside the AD domain to the infoblox device.

You can use an external DNS server for AD, but it is strongly not recommended.

If you want to use an external DNS server:

0) Confirm Infoblox's DNS server is AD compatible. See https://technet.microsoft.com/en-us/library/cc755717%28v=ws.10%29.aspx
1) Choose the setup option BIND9_FLATFILE.
2) Pick up the generated zone file (in /usr/local/samba/private/dns, if you install Samba from source).
3) Add the resource records defined in the zone file to Infoblox's zone.

But it is highly not recommended, because unless you enable the Dynamic DNS feature, if you change some AD settings, for example adding new DCs, configuring AD Site settings, ..., you have to manually update the DNS records corresponding to these.

---
TAKAHASHI Motonobu <monyo at monyo.com> / @damemonyo
facebook.com/takahashi.motonobu
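One check worth running before loading the exported flat zone into Infoblox (step 3 above): parse the zone file and confirm the well-known AD locator SRV records are all present, since a client that cannot resolve them cannot find a DC. This is an added example, not Samba's or Infoblox's own code; the zone text is a constructed placeholder (names and addresses are made up), and `_gc._tcp` is deliberately left out of it so the check has something to report.

```python
# Constructed sample of what a BIND9_FLATFILE provision exports (placeholder
# names and addresses, not a real Samba file).
SAMPLE_ZONE = """\
$ORIGIN samdom.example.com.
$TTL 900
@                       IN SOA  dc1 hostmaster ( 1 900 600 86400 3600 )
@                       IN NS   dc1
dc1                     IN A    10.99.0.1
_ldap._tcp              IN SRV  0 100 389 dc1
_kerberos._tcp          IN SRV  0 100 88  dc1
_kerberos._udp          IN SRV  0 100 88  dc1
_kpasswd._tcp           IN SRV  0 100 464 dc1
_ldap._tcp.dc._msdcs    IN SRV  0 100 389 dc1
"""

# Well-known AD locator SRV names a client needs to find a DC; _gc._tcp is
# intentionally missing from the sample above so the check reports it.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_kpasswd._tcp", "_ldap._tcp.dc._msdcs", "_gc._tcp")


def parse_zone(text):
    """Parse a simple BIND zone file into (origin, records).

    Handles $ORIGIN, '@', relative owner names, an optional TTL/class,
    ';' comments and continuation lines that reuse the previous owner."""
    origin, owner, records = "", "", []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                 # $TTL etc. define no record
            continue
        fields = line.split()
        if not raw[0].isspace():                 # line names a new owner
            name = fields.pop(0)
            owner = origin if name == "@" else (
                name if name.endswith(".") else f"{name}.{origin}")
        while fields and (fields[0] == "IN" or fields[0].isdigit()):
            fields.pop(0)                        # skip class and TTL tokens
        rtype, rdata = fields[0], fields[1:]
        if rtype == "SRV" and not rdata[3].endswith("."):
            rdata[3] = f"{rdata[3]}.{origin}"    # qualify the SRV target
        records.append({"owner": owner, "type": rtype, "rdata": rdata})
    return origin, records


def missing_locator_records(text):
    """Names from REQUIRED_SRV that have no SRV record in the zone."""
    origin, records = parse_zone(text)
    present = {r["owner"] for r in records if r["type"] == "SRV"}
    return [n for n in REQUIRED_SRV if f"{n}.{origin}" not in present]
```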
On 20.03.2015 at 14:34, Rowland Penny wrote:
> Yes, you are quite correct, it will not work. You need to set the Samba
> 4 AD DC as the DNS server for the AD domain and then forward anything
> outside the AD domain to the infoblox device.

Or he can put a forward zone on his two DNS servers. If your two DNS servers are running BIND, add the following to your named.conf:

    zone "samdom.example.com" {
        type forward;
        forwarders { 10.99.0.1; 10.99.0.2; };
    };

The only important thing is that the clients use a DNS server that is able to resolve the AD DNS zone(s). Whether they resolve the zone directly via the AD DNS or by asking a different host doesn't matter, as long as this one forwards.

Regards,

Marc