On 20/10/2020 22:09, Stefano Vargiu via samba wrote:
> I didn't know the concept of site in AD: thank you for pointing that out to me, I'll read about it.
> I'm also going to avoid the same subnets on the two sites, but honestly I'll try to keep the multi-homed configuration because I always used it (at least in single master configurations), always worked and I never had problems with it: I think it's enough that all the IPs of the domain controller are reachable (through appropriate routing) from any subnets served by it.
>
> Thank you
> Stefano

You can do as you wish, but I will say it again, just in case you missed it, Active Directory Domain Controllers do not like being multi-homed, they can only have one hostname, so which IP address do you link to that? What you could do is use one IP and then use a CNAME for the other IP.

Rowland
> they can only have one hostname, so which IP address do you link to that?

Both IPs? The requirement of a DC having only one hostname doesn't rule out the option to let it be resolved to multiple IPs (which on the other hand samba does automatically when binding it to multiple interfaces).

> What you could do is use one IP and then use a CNAME for the other IP

Sorry, again I don't get it. Why a CNAME?
How can I associate the second IP to a CNAME record?

With the configuration you are suggesting, are you implying that I should only bind samba to one interface, or I can keep two interfaces in the "interfaces" parameter?
On 21/10/2020 10:58, Stefano Vargiu via samba wrote:
>> they can only have one hostname, so which IP address do you link to that?
> Both IPs? The requirement of a DC having only one hostname doesn't rule out the option to let it be resolved to multiple IPs (which on the other hand samba does automatically when binding it to multiple interfaces).
>
>> What you could do is use one IP and then use a CNAME for the other IP
> Sorry, again I don't get it. Why a CNAME?
> How can I associate the second IP to a CNAME record?

You don't 'associate' the second IP, you use the 'CNAME' instead of the second IP. AD lives on DNS, so what you are proposing is likely to kill your AD.

> With the configuration you are suggesting, are you implying that I should only bind samba to one interface, or I can keep two interfaces in the "interfaces" parameter?

Yes, one DC, one hostname, one interface.

Rowland
L.P.H. van Belle
2020-Oct-21 10:24 UTC
[Samba] Samba AD with multiple DC and multiple NICs
I suggest, research systemd-networkd
Mainly. Section [Networking] optional Route
https://www.freedesktop.org/software/systemd/man/systemd.network.html

Setup the resolving per interface and your problem is solved.
But, do note, an AD-DC only has 1 real hostname.
So setting this up can be done but before you install samba you must be sure all resolving and works as expected.

Only configure 1 hostname in /etc/hosts
Any other one should come out the DNS.

I have more info on this also with the vpn part but I don't have the time to write it out atm. (sorry)

Greetz,

Louis
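The rule stated in the replies above (one hostname on one address, and only one entry for it in /etc/hosts) can be checked mechanically. The following is an added example, not code from the thread or from the Samba project; the host name `dc1`, the function names and the sample data are assumptions, and the A records are passed in as a list so the check runs offline.

```python
import ipaddress

def names_by_ip(hosts_text):
    """Parse /etc/hosts text into {ip: set of lower-cased names}."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        table.setdefault(ip, set()).update(n.lower() for n in fields[1:])
    return table

def check_dc_naming(hosts_text, fqdn, a_records, bound_ip):
    """Return findings; an empty list means one hostname on one address."""
    fqdn = fqdn.lower()
    wanted = {fqdn, fqdn.split(".", 1)[0]}
    bound = ipaddress.ip_address(bound_ip)
    findings = []
    # Every address in the hosts file that carries the DC's short or full name.
    in_hosts = sorted((ip for ip, names in names_by_ip(hosts_text).items()
                       if names & wanted), key=str)
    if in_hosts != [bound]:
        findings.append("hosts: DC name is on %s, expected only %s"
                        % ([str(ip) for ip in in_hosts], bound))
    # a_records: the addresses DNS returns for the DC's FQDN.
    answers = {ipaddress.ip_address(a) for a in a_records}
    if bound not in answers:
        findings.append("dns: no A record for %s" % bound)
    for extra in sorted(answers - {bound}, key=str):
        findings.append("dns: extra A record %s" % extra)
    return findings

# Constructed sample data (dc1 is a hypothetical host name).
FQDN = "dc1.internal.domain.tld"
MULTI_HOMED_HOSTS = """\
127.0.0.1   localhost
192.168.2.1 dc1.internal.domain.tld dc1
1.2.3.4     dc1.internal.domain.tld dc1
"""
SINGLE_HOSTS = """\
127.0.0.1   localhost
192.168.2.1 dc1.internal.domain.tld dc1
"""

if __name__ == "__main__":
    for finding in check_dc_naming(MULTI_HOMED_HOSTS, FQDN,
                                   ["192.168.2.1", "1.2.3.4"], "192.168.2.1"):
        print(finding)
```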
> I suggest, research systemd-networkd

Thank you, that is interesting information: I never used it.

> Mainly. Section [Networking] optional Route

Do you mean [Network] section? And Route is a section, right? (I see also a Route parameter and that's about IPv6)

> Setup the resolving per interface and your problem is solved.

Do you mean DNS resolving customized per interface? I wonder if that's comparable to what I was trying to do with the DNS proxy in front of samba's DNS.

> I have more info on this also with the vpn part but I don't have the time to write it out atm. (sorry)

Don't worry, you already gave me a good starting point.
L.P.H. van Belle
2020-Oct-21 11:59 UTC
[Samba] Samba AD with multiple DC and multiple NICs
To give an idea.

    # /etc/systemd/network/30-eth0.network
    # Assuming LAN (samba interface)
    [Match]
    Name=eth0

    [Network]
    DHCP=no
    DNSSEC=allow-downgrade
    IPv6PrivacyExtensions=no
    IPv6AcceptRouterAdvertisements=no
    LinkLocalAddressing=no

    # Samba AD-DC DNS.
    DNS=192.168.2.1
    DNS=192.168.2.2
    # Primary dnsDomain, the AD-DC should be in this DnsDomain
    Domains=internal.domain.tld
    # Time
    NTP=192.168.2.1
    NTP=192.168.2.2

    [Address]
    Address=192.168.2.1/24

    [Route]
    Destination=0.0.0.0/0
    Gateway=192.168.2.1

    # /etc/systemd/network/30-eth1.network
    # Assuming WAN (VPN interface)
    [Match]
    Name=eth1

    [Network]
    DHCP=no
    DNSSEC=allow-downgrade
    IPv6PrivacyExtensions=no
    IPv6AcceptRouterAdvertisements=no
    LinkLocalAddressing=no

    # ! If you want to use lets-encrypt or so, use external DNS
    DNS=8.8.8.8
    DNS=1.1.1.1
    # And the external search domain.
    Domains=domain.tld

    [Address]
    Address=1.2.3.4/24

    # Gateway= is a [Route] key, not an [Address] key
    [Route]
    Gateway=1.2.3.1

Above eliminate the need to configure routing tables, for example.

Greetz,

Louis