mathias dufresne
2016-Aug-01 13:35 UTC
[Samba] Bind on non-DC host (formerly: bind 9.11.b2 with samba 4.4.5)
oki doki. Thank you for the precision. That kind of limitation should be added to the wiki, as I would already have tried to move Bind to a non-DC host if I had been able to find how to do that. And if I thought about that, some have thought about that before me.

With easy virtualisation as we have now, with the idea of separating tasks onto different systems to lower the risk endured by each system, it seems to me that splitting AD services across systems (VM or physical) could be seen as the next step...

Giving Samba users advice regarding what can be done, what can be tested and especially what must not be done would be a time-saver for those who want to test...

My 2 cents...

M.

2016-08-01 12:24 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Mon, 2016-08-01 at 10:49 +0200, mathias dufresne wrote:
> > Hi Andrew,
> >
> > Sorry about that but I have to ask: why would that not be an option?
>
> Just because the data is in LDAP doesn't mean it is anything like any
> other LDAP-using DNS data store. The schema is quite specific, and the
> behaviours required are encoded in the Samba shared libraries used by
> the DLZ module and the internal DNS server.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
Rowland penny
2016-Aug-01 15:03 UTC
[Samba] Bind on non-DC host (formerly: bind 9.11.b2 with samba 4.4.5)
On 01/08/16 14:35, mathias dufresne wrote:
> oki doki. Thank you for the precision.
> That kind of limitation should be added to the wiki, as I would already
> have tried to move Bind to a non-DC host if I had been able to find how to do that.
> And if I thought about that, some have thought about that before me.

If you look here:

https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD

Under the heading 'Introduction', is this line:

Since the BIND DLZ module accesses the AD database directly, BIND for AD zones must be on the same machine.

I thought this was pretty specific, but I will change it slightly to:

Since the BIND DLZ module accesses the AD database directly, Bind9 must be run on the same machine as the Samba 4 AD DC.

Rowland
mathias dufresne
2016-Aug-02 09:41 UTC
[Samba] Bind on non-DC host (formerly: bind 9.11.b2 with samba 4.4.5)
In both cases there is no reason why these services must be on the same machine. What was interesting with Andrew's comment was the explanation. The wiki says they must be on the same machine, the list was asked several times and always the answer was they must be on the same host. Until yesterday there was no explanation of the why, which is in my own opinion something important. More why, fewer dumb questions.

2016-08-01 17:03 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 01/08/16 14:35, mathias dufresne wrote:
>
>> oki doki. Thank you for the precision.
>> That kind of limitation should be added to the wiki, as I would
>> already
>> have tried to move Bind to a non-DC host if I had been able to find how to do that.
>> And if I thought about that, some have thought about that before me.
>>
>>
> If you look here:
>
> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>
> Under the heading 'Introduction', is this line:
>
> Since the BIND DLZ module accesses the AD database directly, BIND for AD
> zones must be on the same machine.
>
> I thought this was pretty specific, but I will change it slightly to:
>
> Since the BIND DLZ module accesses the AD database directly, Bind9 must be
> run on the same machine as the Samba 4 AD DC.
>
> Rowland