On 26/07/16 09:31, mathias dufresne wrote:
> Hi Elias,
>
> Separating DNS and AD services:
> It should be possible to have the AD DNS server hosted on a non-DC server.
> The Samba Wiki explains we just have to include
> "/var/lib/samba/private/named.conf" in the Bind configuration. This library can
> be replaced by one of those shipped with Bind; this library will need
> configuration so it can deal with remote DC(s).
> Please note I never tried that, 'cause I'm a lazy guy, but that should be
> possible: Bind+DLZ seems to me to be meant for that kind of job.
>
> One (or more) non-DC DNS server dealing with AD DNS servers:
> That is more simple to achieve:
> - just configure the AD DNS service as you want (please note that a few weeks ago
>   Samba's internal DNS server was still not able to work as multi-master,
>   which is needed to avoid a SPOF in AD, so IMHO the only valid DNS backend is
>   bind+DLZ if you want high availability)
> - add a new zone to your existing DNS server (the one which is not an AD DC)
>   like this one:
>
> ----------------------------------------------------------------------------------------------
> zone "ad.domain.tld" IN {
>     type forward;
>     forward only;
>     forwarders {
>         <ip of 1st DC>;
>         <ip of 2nd DC>;
>         ....
>         <ip of Nth DC>;
>     };
> };
> ----------------------------------------------------------------------------------------------
>
> Restart your external non-DC Bind service and it should be able to resolve
> one more zone: the one from your AD.
> What is nice in that is you don't need to take into account the _msdcs zone: as it
> is a sub zone of "ad.domain.tld", your external Bind will also forward
> requests regarding _msdcs to the AD servers.
>
> I did not play with that for a relatively long time and I'm just coming
> back from vacations, so I'm not sure if you would need to allow forwarding
> and recursion on that non-DC DNS server. It could be necessary... Anyway, as
> this DNS should be meant to resolve Internet addresses in addition to your
> local domain(s), recursion and forwarding should be accepted already...
>
> Hoping this clarifies DNS management a little bit and that it helps you,
>
> Mathias

The Samba wiki page:
https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD

Has these lines:

* Since the BIND DLZ module accesses the AD database directly, BIND for AD zones must be on the same machine.
* Because the BIND DLZ module uses the information already stored in AD, you do not need to create any extra databases.

Or to put it another way, if you want to use bind_dlz, you must run Bind9 on the DC and you do not need to create any zones (except the reverse zone, and you have to do this anyway).

Rowland
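The forward zone Mathias describes above only does its job if the external, non-DC BIND really hands back the AD service-locator records, including the ones under _msdcs. The script below is an added example, not code from this thread, from Samba or from the BIND project; it assumes the AD zone is ad.domain.tld with DCs named dc1 and dc2 (hypothetical), speaks raw DNS over UDP so it needs nothing beyond the Python standard library, and embeds a constructed SRV reply (not captured traffic) so the parser can be exercised offline.

```python
import random
import socket
import struct

QTYPE_SRV, QCLASS_IN = 33, 1

# Service-locator names an AD client looks up; all sit under the AD zone, so one
# forward zone for the domain on the external BIND also covers the _msdcs names.
AD_SRV_NAMES = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.{domain}",
    "_kerberos._udp.{domain}",
    "_gc._tcp.{domain}",
)


def encode_name(name):
    """Dotted name -> uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, txid, qtype=QTYPE_SRV):
    """One-question query with RD set: the external BIND has to recurse/forward for us."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) \
        + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                                # malformed/looping pointer chain
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_srv_answers(msg, expect_txid=None):
    """Return [(owner, priority, weight, port, target)] for SRV RRs in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")      # stale or spoofed reply
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    rrs = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV and rclass == QCLASS_IN:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            rrs.append((owner, prio, weight, port, decode_name(msg, off + 6)[0]))
        off += rdlen
    return rrs


def check_resolver(resolver_ip, domain, timeout=2.0):
    """Ask the resolver for every AD SRV name; {qname: [targets]}, empty list = not answered."""
    found, sock = {}, socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for tmpl in AD_SRV_NAMES:
            qname, txid = tmpl.format(domain=domain), random.randrange(1, 0xFFFF)
            sock.sendto(build_query(qname, txid), (resolver_ip, 53))
            try:
                reply, _ = sock.recvfrom(4096)
                found[qname] = [rr[4] for rr in parse_srv_answers(reply, txid)]
            except (socket.timeout, ValueError):
                found[qname] = []
    finally:
        sock.close()
    return found


def build_sample_response(txid=0x1234, domain="ad.domain.tld"):
    """Constructed reply: two hypothetical DCs for _ldap._tcp.dc._msdcs.<domain>, with the
    targets compressed through a pointer into the question name, as real servers do."""
    qname = "_ldap._tcp.dc._msdcs." + domain
    question = encode_name(qname) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    domain_off = 12 + len(encode_name(qname)) - len(encode_name(domain))

    def srv_rr(host, port=389):
        rdata = struct.pack("!HHH", 0, 100, port) + encode_name(host)[:-1] \
            + struct.pack("!H", 0xC000 | domain_off)
        return struct.pack("!H", 0xC00C) + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, len(rdata)) + rdata

    return struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0) + question + srv_rr("dc1") + srv_rr("dc2")
```

Run check_resolver("<ip of the non-DC BIND>", "ad.domain.tld") from a client subnet; every name should come back with at least one DC target, and an empty list for any of them means the forward zone, or recursion/allow-query on that server, is not set up right. The transaction-id check only filters stale or spoofed replies; it does not authenticate the data, which is why the forwarders list on the external BIND should name only the DCs.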
Thanks Mathias and Rowland for the answers.

Rowland,

You said: "Use the sub domain for your AD domain and forward anything outside the sub domain to your main DNS servers."

Do I do this forward in the settings of the bind in Samba4?

Something like:

acl goodclients {
    192.168.1.0/24;
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query { goodclients; };

    forwarders {
        192.168.1.15; # EXTERNAL DNS SERVER
    };
    forward only;

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};

On Tue, Jul 26, 2016 at 8:16 AM, Rowland penny <rpenny at samba.org> wrote:
> On 26/07/16 09:31, mathias dufresne wrote:
>> [...]
>
> The Samba wiki page:
> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>
> Has these lines:
>
> * Since the BIND DLZ module accesses the AD database directly, BIND
>   for AD zones must be on the same machine.
> * Because the BIND DLZ module uses the information already stored in
>   AD, you do not need to create any extra databases.
>
> Or to put it another way, if you want to use bind_dlz, you must run Bind9
> on the DC and you do not need to create any zones (except the reverse zone
> and you have to do this anyway)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Elias Pereira
On 26/07/16 19:42, Elias Pereira wrote:
> Thanks Mathias and Rowland for the answers.
>
> Rowland,
>
> You said: "Use the sub domain for your AD domain and forward anything
> outside the sub domain to your main DNS servers."
>
> Do I do this forward in the settings of the bind in Samba4?
>
> Something like:
>
> acl goodclients {
>     192.168.1.0/24;
>     localhost;
>     localnets;
> };
>
> options {
>     directory "/var/cache/bind";
>
>     recursion yes;
>     allow-query { goodclients; };
>
>     forwarders {
>         192.168.1.15; # EXTERNAL DNS SERVER
>     };
>     forward only;
>
>     dnssec-validation auto;
>
>     auth-nxdomain no; # conform to RFC1035
>     listen-on-v6 { any; };
> };

You have a line missing inside your 'options' block, it should have a line like this:

tkey-gssapi-keytab "/path/to/dns.keytab";

But, apart from that it looks very similar to mine.

Rowland
mathias dufresne
2016-Jul-27 12:34 UTC
[Samba] Samba4 with external bind - best practices?
2016-07-26 13:16 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 26/07/16 09:31, mathias dufresne wrote:
>> [...]
>
> The Samba wiki page:
> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>
> Has these lines:
>
> * Since the BIND DLZ module accesses the AD database directly, BIND
>   for AD zones must be on the same machine.

This, for me, means: as long as we use the BIND DLZ module provided by Samba, Bind must run on the same host as the Samba AD DC.
In other words, you should be able to move Bind to another host if, as I said yesterday, you accept to use the standard module (so not Samba's Bind module) and configure it correctly. Of course this is more complicated to achieve, especially compared to the forward zone I described also yesterday.

> * Because the BIND DLZ module uses the information already stored in
>   AD, you do not need to create any extra databases.
>
> Or to put it another way, if you want to use bind_dlz, you must run Bind9
> on the DC and you do not need to create any zones (except the reverse zone
> and you have to do this anyway)
>
> Rowland
I found this article about separating samba4 and bind.

https://quercerjanath.wordpress.com/samba-active-directory-with-bind9-on-separate-machines-ubuntu-14-04/

On 27/07/2016 9:39 AM, "mathias dufresne" <infractory at gmail.com> wrote:
> 2016-07-26 13:16 GMT+02:00 Rowland penny <rpenny at samba.org>:
> > On 26/07/16 09:31, mathias dufresne wrote:
> >> [...]
> >
> > The Samba wiki page:
> > https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
> >
> > Has these lines:
> >
> > * Since the BIND DLZ module accesses the AD database directly, BIND
> >   for AD zones must be on the same machine.
>
> This, for me, means: as long as we use the BIND DLZ module provided by
> Samba, Bind must run on the same host as the Samba AD DC.
> In other words, you should be able to move Bind to another host if, as I
> said yesterday, you accept to use the standard module (so not Samba's Bind
> module) and configure it correctly. Of course this is more complicated to
> achieve, especially compared to the forward zone I described also
> yesterday.
>
> > * Because the BIND DLZ module uses the information already stored in
> >   AD, you do not need to create any extra databases.
> >
> > Or to put it another way, if you want to use bind_dlz, you must run Bind9
> > on the DC and you do not need to create any zones (except the reverse
> >   zone and you have to do this anyway)
> >
> > Rowland