Jim Seymour
2015-Sep-03 14:57 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
On Thu, 3 Sep 2015 15:07:37 +0100 Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

[snip]

> The kerberos default_realm must be the samba AD DC domain name and
> usually

So if I put the Samba AD DC in, say, "addc.example.com," "addc.example.com" must be the Kerberos default_realm?

> the samba DNS server (internal or bind) is just the dns
> server for the samba4 AD DC.

Yes, but I need example.com's zone to be a "normal" (i.e.: static) zone. It is now, and will remain, *the* zone for the corporate LAN at this location.

So, since a Samba AD DC must have dynamic zones, I guess that means Samba must "run in" a sub-zone.

This is the problem to which I referred a couple days ago.

I find it odd that this seems to be such an unusual configuration. Has the *nix world become contaminated with typical MS-Win server thinking: that a server can do only one thing at a time? It's an AD DC, so it can't do anything else?

> This does not mean that you cannot add
> other zones to AD, this is easily done with samba-tool, in fact as
> standard, you have to create the reverse zone if you require it.

Don't see how that solves the problem.

> I wouldn't use 'pdc.example.com' as you do not have a pdc and should
> get out of the habit of referring to it as the PDC, a PDC is a very
> different thing from an AD DC, all DCs are equal apart from the FSMO
> roles. How about 'ad.example.com' or 'samba.example.com'

Very well. I defaulted to that because I keep seeing references to it. I'll call it "addc.example.com".

Thanks,
Jim

--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Rowland Penny
2015-Sep-03 15:18 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
On 03/09/15 15:57, Jim Seymour wrote:
> On Thu, 3 Sep 2015 15:07:37 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
> [snip]
>> The kerberos default_realm must be the samba AD DC domain name and
>> usually
> So if I put the Samba AD DC in, say, "addc.example.com,"
> "addc.example.com" must be the Kerberos default_realm?

Yes

>> the samba DNS server (internal or bind) is just the dns
>> server for the samba4 AD DC.
> Yes, but I need example.com's zone to be a "normal" (i.e.: static)
> zone. It is now, and will remain, *the* zone for the corporate LAN at
> this location.

Then use another machine for the main zone.

> So, since a Samba AD DC must have dynamic zones, I guess that means
> Samba must "run in" a sub-zone.
>
> This is the problem to which I referred a couple days ago.
>
> I find it odd that this seems to be such an unusual configuration. Has
> the *nix world become contaminated with typical MS-Win server thinking:
> That a server can do only one thing at a time? It's an AD DC, so it
> can't do anything else?
>
>> This does not mean that you cannot add
>> other zones to AD, this is easily done with samba-tool, in fact as
>> standard, you have to create the reverse zone if you require it.
> Don't see how that solves the problem.

If you are using this in a corporate environment, you probably shouldn't be running the main DNS server on the Samba4 machine. Just because you can do something is not a good reason to do it! What will happen if the Samba4 machine crashes (don't say it won't, it may) and all DNS resolving is done by the samba4 machine? I will tell you what will happen: your phone will melt! Now, if you put the main DNS server on another machine and the samba4 machine goes down, DNS should still work.

>> I wouldn't use 'pdc.example.com' as you do not have a pdc and should
>> get out of the habit of referring to it as the PDC, a PDC is a very
>> different thing from an AD DC, all DCs are equal apart from the FSMO
>> roles. How about 'ad.example.com' or 'samba.example.com'
> Very well. I defaulted to that because I keep seeing references to
> it. I'll call it "addc.example.com".
>
> Thanks,
> Jim
Jim Seymour
2015-Sep-03 15:46 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
On Thu, 3 Sep 2015 16:18:21 +0100 Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 03/09/15 15:57, Jim Seymour wrote:
>> On Thu, 3 Sep 2015 15:07:37 +0100
>> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>
>> [snip]
>>> The kerberos default_realm must be the samba AD DC domain name and
>>> usually
>> So if I put the Samba AD DC in, say, "addc.example.com,"
>> "addc.example.com" must be the Kerberos default_realm?
>
> Yes

Very well. But I expect this may well soon become a non-issue, because...

> [snip]
>> Yes, but I need example.com's zone to be a "normal" (i.e.: static)
>> zone. It is now, and will remain, *the* zone for the corporate LAN
>> at this location.
>
> Then use another machine for the main zone.

Not. Going. To. Happen.

> [snip]
>
> If you are using this in a corporate environment, you probably
> shouldn't be running the main DNS server on the Samba4 machine. Just
> because you can do something is not a good reason to do it! What will
> happen if the Samba4 machine crashes (don't say it won't, it may)

If Samba4 can, and particularly if it's likely to, crash this machine, then Samba4 will not be used, and that's the end of that. If we wanted to run machines that can't walk and chew gum at the same time, we'd run MS-Win servers and be done with it.

I've had what is, by now, an archaic Sun Sparc Solaris box running for about a decade, serving as:

. File server (NFS and SMB/CIFS) (about 1TB of file storage)
. Mail server (mostly been moved to an outside server, now)
. Web (intranet) server, with some active content
. NIS+ and LDAP directory services server
. RADIUS server
. DNS server
. DHCP server
. RDBMS server (two different RDBMS', low-volume, very lightly-loaded)
. Applications license server
. CVS (source code versioning system) server
. NTP server
. Print server
. SSH server

and probably some things I'm forgetting, atm.

For the entire operation, inside-and-out, I have only four servers (two inside and two out), plus a firewall box. And the only reason there are that many is because the manufacturing system had to run on RHEL, which we don't use anywhere else.

None of them ever crash. None of them ever have services just fall over and die for no good reason. I don't run crashy, undependable servers or provide crashy, undependable services. If I wanted to run crashy, undependable stuff, I'd be running MS-Win servers.

If the new server can't replace the old one, on its own, running Samba4 as an AD DC, then I'll fall back to running it as a plain old workgroup server and, if the company ever wants AD, they can buy a MS-Win server.

[snip]
> Now, if you put the main DNS
> server on another machine and the samba4 machine goes down, DNS
> should still work.

Do you know how long it'd take before my "phone would melt" if the AD server went down?

What I'm taking away, from your comments, is more-or-less reinforcing my earlier concerns: that this Samba/BIND_DLZ/Kerberos/etc. lash-up is not exceedingly stable--only now you're suggesting that it can *crash my server*?!?!

Yeah.... no. I'm thinking perhaps it's time to rethink this entire plan.

Regards,
Jim
Lars Hanke
2015-Sep-03 16:00 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
Jim,

I ran into the same problems a year ago. What I did is the following.

The DC serves ad.example.com on a bind DLZ as authority. I have a standard Bind as main DNS. It forwards everything external and serves std.example.com as authority, but ad.example.com as slave to the DC.

An additional issue which came up was that machine.std.example.com and machine.ad.example.com by design map to the same IP. This makes it hard for reverse lookups, and AD will break if the reverse lookup does not yield ad.example.com for any machine on the domain. For that reason I wrote a small python script, which creates the reverse zone files from the forward lookups.

So adding a new machine boils down to:

1) add machine to zone file
2) restart bind
3) run python script
4) restart bind

If later on that machine shall join the domain:

1) add DNS entry to DC e.g. by join or samba-tool
2) wait for bind cache to expire on primary DNS (sadly bind_dlz does not notify any changes :( )
3) run python script
4) restart bind

For a large deployment this should somehow be automated. ;)

Regards,
- lars.
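The reverse-zone generation Lars describes, written out as an added example; this is not his script and not part of Samba or BIND. It assumes the forward zones are available as plain BIND-style zone text with one A record per line (the constructed sample data below stands in for real std.example.com and ad.example.com zones), that reverse zones are cut at /24 boundaries, and that the SOA/NS owner of the generated zones is a hypothetical ns1.std.example.com. Its one non-obvious decision is the case Lars flags: when the same IP carries both machine.std.example.com and machine.ad.example.com, the PTR record is pointed at the ad.example.com name, since that is what the AD side needs from reverse lookups.

```python
"""Generate in-addr.arpa zone files from forward-zone A records.

Added example for the thread's approach (not Lars's script, not Samba/BIND
code). Constructed assumptions: simple one-line A records (no $ORIGIN,
$INCLUDE or multi-line records), /24 reverse zones, and a hypothetical
ns1.std.example.com as SOA/NS owner of the generated zones.
"""
import re
from collections import defaultdict

# Constructed sample zone data, not taken from the thread.
FORWARD_ZONES = {
    "std.example.com": """
$TTL 3600
@          IN SOA ns1.std.example.com. hostmaster.std.example.com. (1 3600 900 604800 300)
@          IN NS  ns1.std.example.com.
ns1        IN A   192.168.10.2
fileserver IN A   192.168.10.5
printer    IN A   192.168.10.20   ; not joined to the AD domain
""",
    "ad.example.com": """
$TTL 3600
@          IN SOA addc.ad.example.com. hostmaster.ad.example.com. (1 3600 900 604800 300)
@          IN NS  addc.ad.example.com.
addc       IN A   192.168.10.2
fileserver 300 IN A 192.168.10.5
""",
}

# When one IP carries several names, the earlier domain here wins the PTR.
PREFERRED_DOMAINS = ("ad.example.com", "std.example.com")

# Hypothetical SOA/NS owner for the generated reverse zones (assumption).
REVERSE_ZONE_NS = "ns1.std.example.com."

# owner [ttl] [IN] A ipv4   (comments are stripped before matching)
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.IGNORECASE,
)


def parse_a_records(zone_name, zone_text):
    """Return [(fqdn, ip), ...] for the A records in one zone's text."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop trailing comments
        m = A_RECORD.match(line)
        if not m:
            continue  # SOA, NS, $TTL and blank lines are ignored
        name = m.group("name")
        if name == "@":
            fqdn = zone_name
        elif name.endswith("."):
            fqdn = name[:-1]  # already absolute
        else:
            fqdn = f"{name}.{zone_name}"
        records.append((fqdn.lower(), m.group("ip")))
    return records


def choose_ptr_names(records, preferred=PREFERRED_DOMAINS):
    """Map each IP to exactly one PTR target, preferring the AD-domain name."""
    by_ip = defaultdict(list)
    for fqdn, ip in records:
        by_ip[ip].append(fqdn)

    def rank(fqdn):
        for i, domain in enumerate(preferred):
            if fqdn == domain or fqdn.endswith("." + domain):
                return i
        return len(preferred)  # names outside every preferred domain sort last

    return {ip: min(names, key=lambda n: (rank(n), n)) for ip, names in by_ip.items()}


def build_reverse_zones(ptr_map, serial=1, ns=REVERSE_ZONE_NS):
    """Render one /24 in-addr.arpa zone file per subnet found in ptr_map."""
    per_zone = defaultdict(list)
    for ip, fqdn in ptr_map.items():
        o = ip.split(".")
        per_zone[f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"].append((int(o[3]), fqdn))

    hostmaster = "hostmaster." + ns.split(".", 1)[1]  # mailbox in the NS's domain
    rendered = {}
    for zone, entries in per_zone.items():
        lines = [
            "$TTL 3600",
            f"@ IN SOA {ns} {hostmaster} ({serial} 3600 900 604800 300)",
            f"@ IN NS {ns}",
        ]
        lines += [f"{last} IN PTR {fqdn}." for last, fqdn in sorted(entries)]
        rendered[zone] = "\n".join(lines) + "\n"
    return rendered


def generate(forward_zones=FORWARD_ZONES, preferred=PREFERRED_DOMAINS):
    """Parse all forward zones; return (ptr_map, {reverse_zone_name: zone_text})."""
    records = []
    for zone_name, text in forward_zones.items():
        records += parse_a_records(zone_name, text)
    ptr_map = choose_ptr_names(records, preferred)
    return ptr_map, build_reverse_zones(ptr_map)


if __name__ == "__main__":
    _, zones = generate()
    for name, text in zones.items():
        print(f"; --- {name} ---")
        print(text)
```

Each rendered zone would be written to its file and BIND reloaded (Lars restarts bind; `rndc reload` also works). The example deliberately reads zone text rather than querying DNS, so it is not affected by the cache-expiry problem Lars mentions for bind_dlz, but that also means the ad.example.com data has to be obtained from the DC first (e.g. via a zone transfer or samba-tool dns output), which is outside what this example covers.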