mathias dufresne
2016-Aug-01 08:49 UTC
[Samba] Bind on non-DC host (formerly: bind 9.11.b2 with samba 4.4.5)
Hi Andrew,

Sorry about that but I have to ask: why would that not be an option?

2016-08-01 8:48 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:

> On Tue, 2016-07-26 at 10:34 +0200, mathias dufresne wrote:
> > Hi,
> >
> > Did you try to use the bind9_10 library? Did it work?
>
> If not, the changes to the dlz_minimal.h and the code to match the .h
> from BIND are normally trivial
>
> > If it does not work you should be able to replace this library (which
> > does not need configuration) by one shipped with your Bind package.
> > This one will need configuration to know how to reach and deal with
> > AD LDAP tree and authentication, but that should be possible...
>
> I'm sorry, this isn't an option.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
Andrew Bartlett
2016-Aug-01 10:24 UTC
[Samba] Bind on non-DC host (formerly: bind 9.11.b2 with samba 4.4.5)
On Mon, 2016-08-01 at 10:49 +0200, mathias dufresne wrote:
> Hi Andrew,
>
> Sorry about that but I have to ask: why would that not be an option?

Just because the data is in LDAP doesn't mean it is anything like any other LDAP-using DNS data store. The schema is quite specific, and the behaviours required are encoded in the Samba shared libraries used by the DLZ module and the internal DNS server.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT
http://catalyst.net.nz/services/samba
mathias dufresne
2016-Aug-01 13:35 UTC
[Samba] Bind on non-DC host (formerly: bind 9.11.b2 with samba 4.4.5)
oki doki. Thank you for the precision.

That kind of limitation should be added to the wiki, as I would have already tried to move Bind to a non-DC host if I had been able to find how to do that. And if I thought about that, some have thought about that before me.

With easy virtualisation as we have now, with the idea to separate tasks on different systems to lower the risk endured by each system, it seems to me that splitting AD services across systems (VM or physical) could be seen as the next step...

Giving Samba users advice regarding what can be done, what can be tested and especially what must not be done would be a time-saver for those who test...

My 2 cents...

M.

2016-08-01 12:24 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:

> On Mon, 2016-08-01 at 10:49 +0200, mathias dufresne wrote:
> > Hi Andrew,
> >
> > Sorry about that but I have to ask: why would that not be an option?
>
> Just because the data is in LDAP doesn't mean it is anything like any
> other LDAP-using DNS data store. The schema is quite specific, and the
> behaviours required are encoded in the Samba shared libraries used by
> the DLZ module and the internal DNS server.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba