On Wed, 1 May 2024 08:21:25 -0700
Peter Carlson via samba <samba at lists.samba.org> wrote:
> > I think your problems could be all down to the way that your dns is
> > set up, I do not think the Samba bind_dlz module knows anything
> > about 'views'.
> ugg...ok
I didn't think you would like that fact :-(
> >
> > In an ideal world, the Samba dns server (be it the internal or
> > Bind9) should just be responsible for the AD domain and forward
> > anything unknown to another dns server (which is how dns servers
> > generally work).
> >
> > One of the reasons that people try to use a setup like yours, is
> > that they have a registered dns domain (let's say 'example.com') and
> > then use that domain for AD instead of something like
> > 'ad.example.com'. This is definitely not a good idea and isn't best
> > practice.
> >
> > If your AD is using something like 'ad.example.com' and your
> > registered dns domain is 'example.com', then I suggest you setup a
> > dns server on a non domain machine to work with your 'view' and
> > forward everything for 'ad.example.com' to a DC.
> >
> > If your external and AD dns domains are both the same, then you
> > either put up with the problems you are having or you rebuild your
> > AD using a supported dns domain.
> >
> > As I said, it works for myself using the Debian Bookworm Bind9
> > package and Samba 4.19.5 from BookWorm-backports (which from my
> > understanding is built exactly like the 4.20.0 mjt package),
> > however, I do not use a 'view'.
> >
> > Rowland
> >
> This is an inherited scenario and some changes would be hard to do at
> the moment. Good news is that the public domain and internal domain
> are different. Bad news is that it was set up as <company>.com and
> <company>.local...sigh...but that can't be changed at the moment.
Well at least they are different, just turn off Avahi everywhere and
ban Mac machines from your AD domain.
>
> The current configuration, and IMO is something strong to be
> considered, is a unified network controller...network boss, small
> business server, whatever you want to call it that is responsible for
> dhcp, dns and AD. A small business sometimes needs some of the
> capabilities of a larger network but can't afford multiple servers.
> No one should have to put up with crashing or hanging services.
That idea is a bit old now, using VMs is what would be used now.
>
> Good news is that I can easily spin up another server (thanks to
> running everything on proxmox) to split out AD from the rest of the
> network controller. If I have no other choice I will do that.
See my comment above.
>
> However another point of reference is that I can launch both named
> and smbd without it immediately crashing using versions:
>
> administrator at nc1:~$ smbd --version
> Version 4.20.0-Ubuntu
> administrator at nc1:~$ named -version
> BIND 9.18.18-0ubuntu0.22.04.2-Ubuntu (Extended Support Version)
> <id:>
>
> However that combination creates an occasional 100% utilization hung
> named process
I thought we were discussing using Bind9 with a Samba AD DC, if so, you
shouldn't be starting the 'smbd' daemon manually, the 'samba' daemon
should be doing it for you.
Rowland
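The split that Rowland recommends above (a resolver on a non-domain machine that carries the 'view', and hands the whole AD zone to a DC) can be expressed as a BIND9 named.conf like the one below. This is an added illustration, not configuration from the thread or from the Samba project; the addresses 192.0.2.10 (the Samba DC), 192.0.2.53 (an upstream resolver), the zone names, and the Debian-style file paths are placeholders. The resolver is not a domain member and never loads the bind_dlz module, so the question of whether bind_dlz understands views does not arise on it.

```conf
// Added example: named.conf for a standalone internal/external resolver.
// Assumptions (placeholders): 192.0.2.10 = Samba AD DC, 192.0.2.53 = upstream
// resolver, 192.0.2.0/24 = internal LAN, ad.example.com = AD domain,
// example.com = registered public domain. Paths follow Debian's bind9 layout.
options {
    directory "/var/cache/bind";
    listen-on { any; };
    listen-on-v6 { any; };
    allow-query { any; };
    dnssec-validation auto;
    // The AD zone is unsigned. If the public example.com is DNSSEC-signed,
    // a validator would otherwise reject the unsigned child; exempt it.
    validate-except { "ad.example.com"; };
};

acl internal { 192.0.2.0/24; localhost; };

// Internal clients: recursive service, AD names answered only by the DC.
view "internal" {
    match-clients { internal; };
    recursion yes;

    // Default path for everything not matched by a zone below.
    forward only;
    forwarders { 192.0.2.53; };

    // The AD domain, including _msdcs/_sites/_tcp/_udp SRV records,
    // is owned by the DC: forward it unconditionally, never resolve it here.
    zone "ad.example.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.10; };
    };

    // Reverse zone for the AD subnet, if it was created on the DC.
    zone "2.0.192.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 192.0.2.10; };
    };

    // Internal copy of the public domain (split-horizon data lives here,
    // not in AD).
    zone "example.com" {
        type primary;
        file "/etc/bind/db.example.com.internal";
    };
};

// Everyone else: authoritative answers for the public zone only, no recursion,
// and no knowledge of ad.example.com at all.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };

    zone "example.com" {
        type primary;
        file "/etc/bind/db.example.com.public";
    };
};
```

With this layout the DC keeps its own DNS (internal or bind_dlz, without views) pointed at itself, LAN clients and the DC's forwarder point at this resolver, and the external view never exposes AD records. `named-checkconf` on the file and `dig @192.0.2.10 _ldap._tcp.ad.example.com SRV` versus the same query against the resolver are the two checks that confirm the forwarding path before clients are switched over.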