mathias dufresne
2016-Jul-28 08:57 UTC
[Samba] Samba4 with external bind - best practices?
Here we (the DNS team of our company, not me ;) chose the zone type forward as it is the way DNS works (one resolver on the client system, and this resolver will forward requests to other DNS servers to get the answer) and also because that seemed to them the strongest against failure: there is no data stored on the client resolver, so there can't be corrupted data on this DNS server, whereas with masters / slaves, slaves have to wait for synchronization, they host data, and these data can be corrupted... in addition to the very same problems on any masters...
And we can declare as many zones with type forward as we want, so it works also with multiple domains, AD or not.

2016-07-27 21:02 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:

> Looking over this thread it got me thinking of multiple domains and then thinking maybe it would be better to set up the external DNS as a slave to the AD domain?
>
> Then you could have it resolve from the external DNS for multiple AD domains.
>
> On Wed, Jul 27, 2016 at 9:32 AM, Elias Pereira <empbilly at gmail.com> wrote:
>
>> I found this article about separate samba4 and bind.
>>
>> https://quercerjanath.wordpress.com/samba-active-directory-with-bind9-on-separate-machines-ubuntu-14-04/
>>
>> On 27/07/2016 9:39 AM, "mathias dufresne" <infractory at gmail.com> wrote:
>>
>>> 2016-07-26 13:16 GMT+02:00 Rowland penny <rpenny at samba.org>:
>>>
>>>> On 26/07/16 09:31, mathias dufresne wrote:
>>>>
>>>>> Hi Elias,
>>>>>
>>>>> Separating DNS and AD services:
>>>>> It should be possible to have the AD DNS server hosted on a non-DC server. The Samba Wiki explains we just have to include "/var/lib/samba/private/named.conf" in the Bind configuration. This library can be replaced by one of those shipped with Bind; this library will need configuration so it can deal with remote DC(s).
>>>>> Please note I never tried that, 'cause I'm a lazy guy, but that should be possible: Bind+DLZ seems to me to be meant for that kind of job.
>>>>>
>>>>> One (or more) non-DC DNS server dealing with AD DNS servers:
>>>>> That is more simple to achieve:
>>>>> - just configure the AD DNS service as you want (please note that a few weeks ago Samba's internal DNS server was still not able to work as multi-masters, which is needed to avoid a SPOF in AD, so IMHO the only valid DNS backend is bind+DLZ if you want high availability)
>>>>> - add a new zone to your existing DNS server (the one which is not an AD DC) like that one:
>>>>>
>>>>> ----------------------------------------------------------------------------------------------
>>>>> zone "ad.domain.tld" IN {
>>>>>     type forward;
>>>>>     forward only;
>>>>>     forwarders {
>>>>>         <ip of 1st DC>;
>>>>>         <ip of 2nd DC>;
>>>>>         ....
>>>>>         <ip of Nth DC>;
>>>>>     };
>>>>> };
>>>>> ----------------------------------------------------------------------------------------------
>>>>> Restart your external non-DC Bind service and it should be able to resolve one more zone: the one from your AD.
>>>>> What is nice in that is you don't need to take into account the _msdcs zone: as it is a sub zone of "ad.domain.tld", your external Bind will also forward requests regarding _msdcs to the AD servers.
>>>>>
>>>>> I have not played with that for a relatively long time and I'm just coming back from vacations, so I'm not sure if you would need to allow forwarding and recursion on that non-DC DNS server. It could be necessary... Anyway, as this DNS should be meant to resolve Internet addresses in addition to your local domain(s), recursion and forwarding should be accepted already...
>>>>>
>>>>> Hoping this clarifies DNS management a little bit and that it helps you,
>>>>>
>>>>> Mathias
>>>>
>>>> The Samba wiki page:
>>>> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>>>>
>>>> Has these lines:
>>>>
>>>> * Since the BIND DLZ module accesses the AD database directly, BIND for AD zones must be on the same machine.
>>>
>>> This, for me, means: as long as we use the BIND DLZ module provided by Samba, Bind must run on the same host as the Samba AD DC.
>>> In other words, you should be able to move Bind to another host if, as I said yesterday, you accept to use a standard module (so not Samba's Bind module) and configure it correctly. Of course this is more complicated to achieve, especially compared to the forward zone I described also yesterday.
>>>
>>>> * Because the BIND DLZ module uses the information already stored in AD, you do not need to create any extra databases.
>>>>
>>>> Or to put it another way, if you want to use bind_dlz, you must run Bind9 on the DC and you do not need to create any zones (except the reverse zone, and you have to do this anyway)
>>>>
>>>> Rowland
Guys,

In the clients' DNS settings, do I configure the Samba4 or the external DNS IP?

On Thu, Jul 28, 2016 at 5:57 AM, mathias dufresne <infractory at gmail.com> wrote:

> [quoted message of 2016-Jul-28 08:57 UTC, above]

--
Elias Pereira
mathias dufresne
2016-Aug-05 10:02 UTC
[Samba] Samba4 with external bind - best practices?
You do what you want! The point is the clients must resolve everything.

You have two options:

A - the client resolver is the non-DC DNS server: here the non-DC DNS server must be configured to forward DNS requests about AD to the AD DNS servers (to the DCs)

B - the client resolver is the AD DNS server: here the AD DNS server(s) used as resolver(s) must be configured to forward any non-AD DNS request to the non-DC DNS server.

Hoping this is clear enough...

Cheers,
mathias

2016-08-04 21:34 GMT+02:00 Elias Pereira <empbilly at gmail.com>:

> [quoted message of 2016-Aug-04, above]
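As an added example (not code from the thread or from the Samba project), the following POSIX shell script ties together the two points above: it generates the `type forward; forward only;` stanza for the external non-DC BIND (option A), emits the corresponding forwarder setting for the DC side (option B), and provides a `dig`-based check of the SRV records a domain member needs, including the `_msdcs` sub-zone that the forward stanza covers implicitly. The zone name `ad.example.tld`, the addresses `192.0.2.10` and `192.0.2.11`, and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the two resolver layouts
# discussed (A: non-DC BIND forwards the AD zone to the DCs; B: the DC
# forwards everything non-AD to the non-DC resolver).
# Zone name and IP addresses used in comments/tests are constructed placeholders.

# Option A: emit a forward-only stanza for the AD zone. "forward only" means the
# non-DC BIND never caches a zone copy or recurses on its own for this zone, so
# if every DC is unreachable the zone simply fails instead of serving stale data.
# Usage: forward_zone_stanza ZONE DC_IP [DC_IP...]
forward_zone_stanza() {
    zone="$1"; shift
    printf 'zone "%s" IN {\n    type forward;\n    forward only;\n    forwarders {\n' "$zone"
    for dc in "$@"; do
        printf '        %s;\n' "$dc"
    done
    printf '    };\n};\n'
}

# Option B: the DC must forward non-AD queries to the non-DC resolver.
# With Samba's internal DNS this is the smb.conf "dns forwarder" parameter;
# with BIND_DLZ on the DC it is a global "forwarders" clause in named.conf.
# Usage: dc_forwarder_setting internal|bind RESOLVER_IP
dc_forwarder_setting() {
    backend="$1"; resolver="$2"
    case "$backend" in
        internal) printf '[global]\n    dns forwarder = %s\n' "$resolver" ;;
        bind)     printf 'options {\n    forwarders { %s; };\n};\n' "$resolver" ;;
        *)        echo "unknown backend: $backend" >&2; return 1 ;;
    esac
}

# SRV names a domain member looks up to find DCs. _msdcs.ZONE is a sub-zone of
# ZONE, so the single forward stanza above already covers these names.
ad_critical_records() {
    zone="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.${zone}" \
        "_kerberos._tcp.dc._msdcs.${zone}" \
        "_ldap._tcp.${zone}" \
        "_kerberos._tcp.${zone}" \
        "_kpasswd._tcp.${zone}"
}

# Query each critical SRV record through RESOLVER (the address clients use) and
# fail if any comes back empty. Run by hand after reloading BIND, e.g.:
#   check_ad_resolution 192.0.2.53 ad.example.tld
# Requires dig and network access; it is not invoked automatically here.
check_ad_resolution() {
    resolver="$1"; zone="$2"; rc=0
    for name in $(ad_critical_records "$zone"); do
        if dig +short +time=2 +tries=1 "@$resolver" "$name" SRV | grep -q .; then
            echo "OK   $name"
        else
            echo "FAIL $name (no SRV answer from $resolver)"; rc=1
        fi
    done
    return $rc
}
```

For a layout A deployment, append the output of `forward_zone_stanza` to the non-DC `named.conf`, reload BIND, then run `check_ad_resolution` against the non-DC resolver from a client subnet: every line must read `OK`, the `_msdcs` ones included, before clients are pointed at it. For layout B, apply `dc_forwarder_setting` on each DC and run the same check against a DC address, adding an Internet name to confirm the non-AD path works too.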