samba - Jan 2023 - DCs in multiple VLANs

I have 2 DCs at a customer that also run ISC-Kea-DHCP servers.

To be able to provide DHCP-Leases I added virtual interfaces to the 
servers with IPs in each VLAN.

In turn there also exist routes to the VLANs:

# ip r
default via 10.0.0.254 dev enp0s31f6 onlink
10.0.0.0/24 dev enp0s31f6 proto kernel scope link src 10.0.0.230
10.100.40.0/24 dev enp0s31f6.200 proto kernel scope link src 10.100.40.230
192.168.101.0/24 dev enp0s31f6.101 proto kernel scope link src 
192.168.101.230
192.168.102.0/24 dev enp0s31f6.102 proto kernel scope link src 
192.168.102.230
192.168.103.0/24 dev enp0s31f6.103 proto kernel scope link src 
192.168.103.230

In smb.conf I did this:

bind interfaces only = yes
interfaces = lo enp0s31f6

to only run the DC in the LAN network.

Otherwise there were 4 or 5 DNS-entries created for the hostname of the 
DC, which seemed problematic to me. Maybe it is not?

What if a client in LAN gets a DNS reply with a IP in the VLANs? timeouts?

-

To reply to DHCP-clients in the VLANs I need the specific interfaces + 
routes.

But if a client in a VLAN tries to "gpupdate" things fail: asymmetric 
routing, the replies don't get to the client.

I am not sure how to solve this.

Allow the DC to run on all interfaces?

And no, we don't have additional hardware to move the DHCP-services to.

18.01.2023 18:45, Stefan G. Weichinger via samba wrote:
..
> to only run the DC in the LAN network.
> 
> Otherwise there were 4 or 5 DNS-entries created for the hostname of the DC,
which seemed problematic to me. Maybe it is not?
> 
> What if a client in LAN gets a DNS reply with a IP in the VLANs? timeouts?
Is it impossible for the client to reach this IP on the VLAN?
Quite often in this configuration it is possible, depending on
routing and filtering in place.

FWIW, this is one of the reasons I prefer to manage DNS elsewhere, without
tying it to samba/DC, - this way I can control which records are being used.
DNS is mostly static, it changes only when you reconfigure network, when you
can update DNS explicitly too, so dynamic DNS isn't really necessary.
> To reply to DHCP-clients in the VLANs I need the specific interfaces +
routes.
> 
> But if a client in a VLAN tries to "gpupdate" things fail:
asymmetric routing, the replies don't get to the client.
> 
> I am not sure how to solve this.
> 
> Allow the DC to run on all interfaces?
> 
> And no, we don't have additional hardware to move the DHCP-services to.
You don't need additional hardware. It is trivial these days to
run a virtual machine - with either samba or dhcpd or whatever
else is needed.

But so far, it's difficult to say which problem you're trying to solve.

/mjt