Jim Seymour
2015-Sep-03 15:46 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
On Thu, 3 Sep 2015 16:18:21 +0100 Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 03/09/15 15:57, Jim Seymour wrote:
> > On Thu, 3 Sep 2015 15:07:37 +0100
> > Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> >
> > [snip]
> >> The kerberos default_realm must be the samba AD DC domain name and
> >> usually
> > So if I put the Samba AD DC in, say, "addc.example.com,"
> > "addc.example.com" must be the Kerberos default_realm?
>
> Yes

Very well. But I expect this may well soon become a non-issue, because...

> [snip]
> > Yes, but I need example.com's zone to be a "normal" (i.e.: static)
> > zone. It is now, and will remain, *the* zone for the corporate LAN
> > at this location.
>
> Then use another machine for the main zone.

Not. Going. To. Happen.

> [snip]
>
> If you are using this in a corporate environment, you probably
> shouldn't be running the main DNS server on the Samba4 machine. Just
> because you can do something is not a good reason to do it! What will
> happen if the Samba4 machines crashes (don't say it wont, it may)

If Samba4 can, and particularly if it's likely to, crash this machine: then Samba4 will not be used, and that's the end of that. If we wanted to run machines that can't walk and chew gum at the same time, we'd run MS-Win servers and be done with it.

I've had what is a, by now, archaic Sun Sparc Solaris box, running for about a decade, serving as:

. File server (NFS and SMB/CIFS) (about 1TB of file storage)
. Mail server (mostly been moved to an outside server, now)
. Web (intranet) server, with some active content
. NIS+ and LDAP directory services server
. RADIUS server
. DNS server
. DHCP server
. RDBMS server (two different RDBMS', low-volume, very lightly-loaded)
. Applications license server
. CVS (source code versioning system) server
. NTP server
. Print server
. SSH server

and probably some things I'm forgetting, atm.

For the entire operation, inside-and-out, I have only four servers (two inside and two out), plus a firewall box. And the only reason there are that many is because the manufacturing system had to run on RHEL, which we don't use anywhere else.

None of them ever crash. None of them ever have services just fall over and die for no good reason. I don't run crashy, undependable servers or provide crashy, undependable services. If I wanted to run crashy, undependable stuff, I'd be running MS-Win servers.

If the new server can't replace the old one, on its own, running Samba4 as an AD DC, then I'll fall back to running it as a plain old workgroup server and, if the company ever want AD, they can buy a MS-Win server.

[snip]
> Now, if you put the main DNS
> server on another machine and the samba4 machine goes down, DNS
> should still work.

Do you know how long it'd take before my "phone would melt" if the AD server went down?

What I'm taking away, from your comments, is more-or-less reinforcing my earlier concerns: that this Samba/BIND_DLZ/Kerberos/etc. lash-up is not exceedingly stable--only now you're suggesting that it can *crash my server*?!?!

Yeah.... no.

I'm thinking perhaps it's time to rethink this entire plan.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
John Yocum
2015-Sep-03 16:00 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
> [snip]
>> Now, if you put the main DNS
>> server on another machine and the samba4 machine goes down, DNS
>> should still work.
>
> Do you know how long it'd take before my "phone would melt" if the AD
> server went down?
>
> What I'm taking away, from your comments, is more-or-less reinforcing
> my earlier concerns: That this Samba/BIND_DLZ/Kerberos/etc. lash-up is
> not exceedingly stable--only now you're suggesting that it can *crash my
> server*?!?!
>
> Yeah.... no.
>
> I'm thinking perhaps it's time to rethink this entire plan.
>
> Regards,
> Jim

FWIW, I've found Samba4 to be very reliable. We're going into 10 months of using it. And, in that time, it's never crashed. And, our DCs provide auth for 200ish workstations (Windows, OS X, and Linux), numerous servers (Windows, Linux, illumos), and a multitude of applications.

--
John Yocum, Systems Administrator, DEOHS
Rowland Penny
2015-Sep-03 16:12 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
On 03/09/15 16:46, Jim Seymour wrote:
> On Thu, 3 Sep 2015 16:18:21 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
>> On 03/09/15 15:57, Jim Seymour wrote:
>>> On Thu, 3 Sep 2015 15:07:37 +0100
>>> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>>
>>> [snip]
>>>> The kerberos default_realm must be the samba AD DC domain name and
>>>> usually
>>> So if I put the Samba AD DC in, say, "addc.example.com,"
>>> "addc.example.com" must be the Kerberos default_realm?
>> Yes
> Very well. But I expect this may well soon become a non-issue,
> because...
>
> [snip]
>>> Yes, but I need example.com's zone to be a "normal" (i.e.: static)
>>> zone. It is now, and will remain, *the* zone for the corporate LAN
>>> at this location.
>> Then use another machine for the main zone.
> Not. Going. To. Happen.
>
> [snip]
>> If you are using this in a corporate environment, you probably
>> shouldn't be running the main DNS server on the Samba4 machine. Just
>> because you can do something is not a good reason to do it! What will
>> happen if the Samba4 machines crashes (don't say it wont, it may)
> If Samba4 can, and particularly if it's likely to, crash this machine:
> Then Samba4 will not be used, and that's the end of that. If we wanted
> to run machines that can't walk and chew gum at the same time, we'd run
> MS-Win servers and be done with it.
>
> I've had what is a, by now, archaic Sun Sparc Solaris box, running for
> about a decade, serving as:
>
> . File server (NFS and SMB/CIFS) (about 1TB of file storage)
> . Mail server (mostly been moved to an outside server, now)
> . Web (intranet) server, with some active content
> . NIS+ and LDAP directory services server
> . RADIUS server
> . DNS server
> . DHCP server
> . RDBMS server (two different RDBMS', low-volume, very
> lightly-loaded)
> . Applications license server
> . CVS (source code versioning system) server
> . NTP server
> . Print server
> . SSH server
>
> and probably some things I'm forgetting, atm.
>
> For the entire operation, inside-and-out, I have only four servers (two
> inside and two out), plus a firewall box. And the only reason there
> are that many is because the manufacturing system had to run on RHEL,
> which we don't use anywhere else.
>
> None of them ever crash. None of them ever have services just fall
> over and die for no good reason. I don't run crashy, undependable
> servers or provide crashy, undependable services. If I wanted to run
> crashy, undependable stuff, I'd be running MS-Win servers.
>
> If the new server can't replace the old one, on its own, running Samba4
> as an AD DC, then I'll fall back to running it as a plain old workgroup
> server and, if the company ever want AD, they can buy a MS-Win server.
>
> [snip]
>> Now, if you put the main DNS
>> server on another machine and the samba4 machine goes down, DNS
>> should still work.
> Do you know how long it'd take before my "phone would melt" if the AD
> server went down?
>
> What I'm taking away, from your comments, is more-or-less reinforcing
> my earlier concerns: That this Samba/BIND_DLZ/Kerberos/etc. lash-up is
> not exceedingly stable--only now you're suggesting that it can *crash my
> server*?!?!
>
> Yeah.... no.
>
> I'm thinking perhaps it's time to rethink this entire plan.
>
> Regards,
> Jim

This 'thing', as you call it, is stable and you can run everything on one box if you like, but what if something does go wrong? I am not saying it will, but what if? You remind me of a lot of H&S experts I have run across: they come up with risk assessments but *never* ask 'but what if this happens' :-)

You can run samba4 with a domain name of 'example.com', but, if you have machines that will not be in the AD domain, you will have to come up with a way to add them to the AD records. This is not particularly hard; DHCP can do this for you. If you have static IP machines, you will have to add them with samba-tool or other means.

You just have to remember that the samba4 AD mode is based heavily on Microsoft AD and has to work the same way. You can bend the way it works, but if you bend it so much that it breaks, you get to pick up the pieces :-D

Rowland
Lee Brown
2015-Sep-03 16:43 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
Jim,

It wasn't an implication that Samba4 would crash your server, rather it was a question of what happens *if* that box fails (power supply, memory, cpu, disk controller, etc. I've seen 'em all)?

Consider this. I had one site with a Microsoft DC providing DHCP to its clients and shared folders. When that DC failed due to disk controller, it stopped issuing DHCP leases. Users didn't care the share went down, but they did care that internet connectivity was lost. Well, MS recommends against this practice anyway; I moved DHCP to the router and told the admin responsible to fix that server.

AD is a little different. You should separate your root DC from your file server (I run them in separate jails on the same box) so you can upgrade the DC separately from the file server (just regurgitating what I've read, not done this in practice).

The biggest issue I see is hardware maintenance with your setup. If the PSU needs to be replaced, I take it the entire corp goes down for the duration? Routing is separate, but without DNS pretty useless for regular users. At the least I'd consider a 2nd box and make some of that stuff redundant (DHCP, DNS especially; never hurts to have multiple more NTP's). I too like to stack up as much as I can on these modern boxes, but I ensure there's some redundancy to cope with the unexpected.

I hope the perspective helps
--
lee

On Thu, Sep 3, 2015 at 8:46 AM, Jim Seymour <jseymour at linxnet.com> wrote:
> On Thu, 3 Sep 2015 16:18:21 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
> > On 03/09/15 15:57, Jim Seymour wrote:
> > > On Thu, 3 Sep 2015 15:07:37 +0100
> > > Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> > >
> > > [snip]
> > >> The kerberos default_realm must be the samba AD DC domain name and
> > >> usually
> > > So if I put the Samba AD DC in, say, "addc.example.com,"
> > > "addc.example.com" must be the Kerberos default_realm?
> >
> > Yes
> Very well. But I expect this may well soon become a non-issue,
> because...
>
> > [snip]
> > > Yes, but I need example.com's zone to be a "normal" (i.e.: static)
> > > zone. It is now, and will remain, *the* zone for the corporate LAN
> > > at this location.
> >
> > Then use another machine for the main zone.
> Not. Going. To. Happen.
>
> > [snip]
> >
> > If you are using this in a corporate environment, you probably
> > shouldn't be running the main DNS server on the Samba4 machine. Just
> > because you can do something is not a good reason to do it! What will
> > happen if the Samba4 machines crashes (don't say it wont, it may)
>
> If Samba4 can, and particularly if it's likely to, crash this machine:
> Then Samba4 will not be used, and that's the end of that. If we wanted
> to run machines that can't walk and chew gum at the same time, we'd run
> MS-Win servers and be done with it.
>
> I've had what is a, by now, archaic Sun Sparc Solaris box, running for
> about a decade, serving as:
>
> . File server (NFS and SMB/CIFS) (about 1TB of file storage)
> . Mail server (mostly been moved to an outside server, now)
> . Web (intranet) server, with some active content
> . NIS+ and LDAP directory services server
> . RADIUS server
> . DNS server
> . DHCP server
> . RDBMS server (two different RDBMS', low-volume, very
> lightly-loaded)
> . Applications license server
> . CVS (source code versioning system) server
> . NTP server
> . Print server
> . SSH server
>
> and probably some things I'm forgetting, atm.
>
> For the entire operation, inside-and-out, I have only four servers (two
> inside and two out), plus a firewall box. And the only reason there
> are that many is because the manufacturing system had to run on RHEL,
> which we don't use anywhere else.
>
> None of them ever crash. None of them ever have services just fall
> over and die for no good reason. I don't run crashy, undependable
> servers or provide crashy, undependable services. If I wanted to run
> crashy, undependable stuff, I'd be running MS-Win servers.
>
> If the new server can't replace the old one, on its own, running Samba4
> as an AD DC, then I'll fall back to running it as a plain old workgroup
> server and, if the company ever want AD, they can buy a MS-Win server.
>
> [snip]
> > Now, if you put the main DNS
> > server on another machine and the samba4 machine goes down, DNS
> > should still work.
>
> Do you know how long it'd take before my "phone would melt" if the AD
> server went down?
>
> What I'm taking away, from your comments, is more-or-less reinforcing
> my earlier concerns: That this Samba/BIND_DLZ/Kerberos/etc. lash-up is
> not exceedingly stable--only now you're suggesting that it can *crash my
> server*?!?!
>
> Yeah.... no.
>
> I'm thinking perhaps it's time to rethink this entire plan.
>
> Regards,
> Jim
> --
> Note: My mail server employs *very* aggressive anti-spam
> filtering. If you reply to this email and your email is
> rejected, please accept my apologies and let me know via my
> web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Jim Seymour
2015-Sep-04 21:18 UTC
[Samba] samba_dlz: Failed to configure zone... already exists
On Thu, 3 Sep 2015 09:00:18 -0700 John Yocum <jtyocum at uw.edu> wrote:

[snip]
> FWIW, I've found Samba4 to be very reliable.
[snip]

Samba ("Classic", I guess) has been very reliable for us, as well, going on nigh... 20 years? More? Switched to it when Sun's PC-NFS turned out to be an utter cluster frack. It's the integration between Samba, BIND and <whatever else> that concerns me, but if it's been stable for you, well...

On Thu, 3 Sep 2015 17:12:36 +0100 Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> This 'thing' as you call it, is stable and you can run everything
> on one box if you like,

I like :)

> but what if something does go wrong? I am
> not saying it will, but what if ?

Since the Enterprise is 99-44/100% MS-Win on the desktops, there'd really be little difference between losing the AD DC, the DHCP server, the nameserver, or the entire kit and caboodle. Not from a customer POV.

As for the network core: routing is all static, as are IP address assignments to all mission-critical servers and network bits (switches, routers).

> You remind me of a lot of H&S experts I have run across, they come
> up with risk assessments but *never* ask 'but what if this
> happens' :-)

I've been doing Server & Network Admin. for better than 20 years. The last time we tried distributing the things upon which the Enterprise depended across multiple systems we quickly figured out that all that did was increase the number of points-of-failure that could cause a partial or complete denial of services to customers. Since then I've adopted a strategy of "All the eggs in one basket and make certain it's a damn good basket."

> You can run samba4 with a domain name of 'example.com' , ...
[snip]

Won't be necessary. See below.

On Thu, 3 Sep 2015 09:43:22 -0700 Lee Brown <leeb at ratnaling.org> wrote:

> Jim,
>
> It wasn't an implication that Samba4 would crash your server,
> rather it was a question of what happens *if* that box fails (power
> supply, memory, cpu, disk controller, etc. I've seen 'em all)?

See above. W/o any of the mission-critical services everything falls over, to a greater or lesser degree, anyway, so it doesn't really matter. (Btw: Maintaining two identical pieces of the same hardware, in case of a hardware malf. Storage is RAID5 with a hot spare, fully backed-up monthly and a differential backup nightly. Everything on a UPS.)

[snip]
> The biggest issue I see is hardware maintenance with your setup.
> If the PSU needs to be replaced,
[snip]

Dual redundant hot-swap PSUs. (One on the UPS, one on the mains.) The drives are hot-swap, too. Like I said: I make sure it's a damn good basket ;)

[snip]
> I hope the perspective helps
> --
> lee

I do, but please understand: Been there. Done that. Got the t-shirt. I won't claim to know it *all*, but, after lo these many years, I think I have a pretty good handle on how network architecture works.

I'd like to thank each of you for your comments--particularly following my last, rather... *cough* "testy" post to the list. It was just frustration. Please accept my apologies.

In an email directly to me, Louis offered additional pointers and input. And offered additional help. Thanks, Louis! And thanks for the script, too.

So, the good news: I took Louis' script, split it in two, hacked it a bit, and I *think* I now have an operational AD DC! \o/ The "root" zone is "example.com" and the AD DC in "addc.example.com". Tuesday I hope to be let alone long enough by my end-users to try to get my laptop onto the AD.

Later I will post details on what I had to do to make all this work, but it's the Labour Day weekend, here in the U.S., I just got back from an excellent cardio workout, I'm currently enjoying a *very* good (and well-earned, if I do say so, myself) IPA, and I don't feel like trying to make sense any more :D

Thanks again, all of you, for your help!

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.