On 08/27/2015 04:52 PM, Rowland Penny wrote:
> On 27/08/15 21:42, Robert Moskowitz wrote:
>> On 08/27/2015 04:37 PM, Rowland Penny wrote:
>>> On 27/08/15 21:23, Robert Moskowitz wrote:
>>>> On 08/27/2015 04:18 PM, Marc Muehlfeld wrote:
>>>>> Hello Jim,
>>>>>
>>>>> On 27.08.2015 at 21:49, Jim Seymour wrote:
>>>>>> BIND would be the auth nameserver for example.com and delegate
>>>>>> the samdom.example.com zone to the Samba DNS running on the
>>>>>> second (virtual) interface
>>>>>>
>>>>>> Samba is the auth nameserver for samdom.example.com
>>>>> If you already have BIND running, you're just one step away from
>>>>> including the AD DNS domain as an additional domain via DLZ.
>>>>> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD#BIND_9.8_.2F_9.9
>>>>>
>>>>> What's wrong with that?
>>>>
>>>> It says:
>>>>
>>>> include "/usr/local/samba/private/named.conf";
>>>>
>>>> This file does not exist on my sernet 4.2 installation.
>>>>
>>>> In fact, I do not have a /usr/local/samba directory.
>>>
>>> It now also says (at the top):
>>>
>>> As this HowTo is based around a compiled install, the PATHs refer to
>>> '/usr/local/samba' as a base. If you are using packages from your OS
>>> or Sernet, this PATH will most likely not exist, you will need to
>>> find the relevant files on your system, try starting with
>>> '/var/lib/samba'.
>>
>> Oh this is soooo much fun! Not..
>>
>>> I also use Sernet Samba 4.2.3 on one of my DCs and the required
>>> named.conf is in /var/lib/samba/private/
>>
>> Empty dir.
>
> OK, how did you provision samba4 as a DC ?
> I believe that /var/lib/samba/private is empty until the domain is
> provisioned, at which point it should look like this:
>
> dns               ldapi                   randseed.tdb        share.ldb
> dns.keytab        ldap_priv               sam.ldb             smbd.tmp
> dns_update_cache  named.conf              sam.ldb.d           spn_update_list
> dns_update_list   named.conf.update       schannel_store.tdb  tls
> hklm.ldb          named.txt               secrets.keytab
> idmap.ldb         netlogon_creds_cli.tdb  secrets.ldb
> krb5.conf         privilege.ldb           secrets.tdb

I am still reading all the wiki info, making notes and looking for stuff. No provisioning yet. I suppose since this build is a throw away one, I should do that.

I still have to figure out what ldap rpms to install, along with dhcp!

Quite a bit to go. Perhaps I am getting too bogged down in DNS, as I THINK I should know that part up until dlz.

>
> Rowland
>
>>> , it is also in /usr/share/samba/setup/ but called named.conf.dlz
>>
>> Ah there it (and others) are!
>>
>> thanks
Ah, LDAP is included within Samba, I find. Don't install the provided one...

I suppose I will have to find what schemas, particularly if the bind dlz schema is included?

On 08/27/2015 04:56 PM, Robert Moskowitz wrote:
> On 08/27/2015 04:52 PM, Rowland Penny wrote:
>> [...]
>> OK, how did you provision samba4 as a DC ?
>> I believe that /var/lib/samba/private is empty until the domain is
>> provisioned, at which point it should look like this:
>> [...]
>
> I am still reading all the wiki info, making notes and looking for
> stuff. No provisioning yet. I suppose since this build is a throw
> away one, I should do that.
>
> I still have to figure out what ldap rpms to install, along with dhcp!
>
> Quite a bit to go. Perhaps I am getting too bogged down in DNS, as I
> THINK I should know that part up until dlz.
>
>> Rowland
>>
>> [...]
On 27/08/15 22:00, Robert Moskowitz wrote:
> Ah, LDAP is included within Samba, I find. Don't install the provided one...
>
> I suppose I will have to find what schemas, particularly if the bind
> dlz schema is included?

ER, you don't actually need to add any extra schemas, it is all built into samba4 when run as an AD DC. If you are struggling to understand this, just think a windows AD DC but running on Linux.

The next thing to understand is, if you want an AD DC and want to use an rpm based OS (centos, clearos etc), then you cannot use the distro packages; at the moment, there aren't any. What you can use are the packages supplied by Sernet: http://www.samba.plus/home/

This is not a bad thing really, as you get more up-to-date versions, 4.2.3 at the moment.

Rowland

> On 08/27/2015 04:56 PM, Robert Moskowitz wrote:
>> [...]
On Thu, 27 Aug 2015 17:00:28 -0400 Robert Moskowitz <rgm at htt-consult.com> wrote:
> Ah, LDAP is included within Samba, I find. Don't install provided
> one...
[remainder snipped]

Yikes!

I thought it awfully suspicious that Samba required so few additional packages and so little "glue work" to get an AD PDC going. Now I know why.

We *require*, not desire, but *require* OpenLDAP. OpenLDAP is used for, amongst other things, a Corporate email address book and by the RADIUS server. Eventually the entire set of network directory data that currently resides in and is served by NIS+ will be in LDAP.

I'm beginning to suspect this is going to be Not Much Fun :(

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
> We *require*, not desire, but *require* OpenLDAP. OpenLDAP is used
> for, amongst other things, a Corporate email address book and by the
> RADIUS server.

Well.. same here, but you can use the LDAP of Samba,.. I don't see your problem..

Corporate e-mail addresses in LDAP, well.. I use the Zarafa mail server, which is integrated in LDAP also. I extended the schema of Samba for that. I now have multiple address books and other "trick" accounts and/or users/groups for other things.

As an example, one of my postfix configs:

server_host = ldap://dc1.internal.domain.tld:389 ldap://dc2.internal.domain.tld:389
search_base = OU=General-Aliasses,OU=Company,DC=internal,DC=domain,DC=tld
version = 3
bind = yes
bind_dn = CN=ldap-bind,OU=Service-Accounts,OU=Company,DC=internal,DC=domain,DC=tld
bind_pw = MyVerySecretPassword
scope = sub
query_filter = (&(objectClass=contact)(displayName=%s))
result_attribute = description

Here in this case for example, I create a contact, and use the displayName and results in description.

And for my users another filter like..

query_filter = (&(objectClass=person)(zarafaAccount=1)(|(mail=%s)(otherMailbox=%s)))
result_attribute = mail

So, again, if needed extend your schema and enjoy your Samba AD..

Go here: https://wiki.samba.org/index.php/User_Documentation
Scroll to the bottom, there are also other examples.

Then https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
and.. https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD#Install_.26_Configure_a_Radius_Server
Here is your radius setup example.

Greetz,
Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jim Seymour
> Sent: Friday, 28 August 2015 02:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba Internal DNS vs. BIND_DLZ
>
> On Thu, 27 Aug 2015 17:00:28 -0400
> Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>> Ah, LDAP is included within Samba, I find. Don't install provided
>> one...
> [remainder snipped]
>
> Yikes!
>
> [...]
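As an added example (not part of Louis's mail, nor Samba or Postfix code), the two query_filter templates above expanded the way a safe %s substitution has to work: the lookup key is escaped per RFC 4515 before it is spliced into the filter, so a display name containing parentheses or a star stays a literal assertion value and cannot add or remove filter components. Postfix does this quoting itself when it expands %s (see ldap_table(5)); the helper names and the sample keys here are my own.

```python
# Added example: RFC 4515 escaping for Postfix-style LDAP query_filter
# templates, using the two filters from the thread.
# RFC 4515 section 3: these characters must be written inside an
# assertion value as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The two filters Louis posted (verbatim).
ALIAS_FILTER = "(&(objectClass=contact)(displayName=%s))"
USER_FILTER = "(&(objectClass=person)(zarafaAccount=1)(|(mail=%s)(otherMailbox=%s)))"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_query_filter(template: str, key: str) -> str:
    """Expand a query_filter: every %s becomes the escaped lookup key."""
    return template.replace("%s", escape_filter_value(key))


def count_assertions(ldap_filter: str) -> int:
    """Count (attribute=value) assertions, honouring backslash escapes.

    A correctly escaped key never changes this number, whatever it contains,
    which is the property that keeps the lookup bound to the intended entry.
    """
    count, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch == "(" and i + 1 < len(ldap_filter) and ldap_filter[i + 1] not in "&|!":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample keys: a display name with metacharacters, and a mailbox.
    for template, key in ((ALIAS_FILTER, "Smith (Sales) *"), (USER_FILTER, "jim@example.com")):
        expanded = expand_query_filter(template, key)
        print(expanded, "->", count_assertions(expanded), "assertions")
```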