On 5/1/24 08:34, Rowland Penny via samba wrote:
> On Wed, 1 May 2024 08:21:25 -0700
> Peter Carlson via samba <samba at lists.samba.org> wrote:
>
>>> I think your problems could be all down to the way that your dns is
>>> set up, I do not think the Samba bind_dlz module knows anything
>>> about 'views'.
>> ugg...ok
> I didn't think you would like that fact :-(
>
>>> In an ideal world, the Samba dns server (be it the internal or
>>> Bind9) should just be responsible for the AD domain and forward
>>> anything unknown to another dns server (which is how dns servers
>>> generally work).
>>>
>>> One of the reasons that people try to use a setup like yours, is
>>> that they have a registered dns domain (let's say 'example.com') and
>>> then use that domain for AD instead of something like
>>> 'ad.example.com'. This is definitely not a good idea and isn't best
>>> practice.
>>>
>>> If your AD is using something like 'ad.example.com' and your
>>> registered dns domain is 'example.com', then I suggest you set up a
>>> dns server on a non domain machine to work with your 'view' and
>>> forward everything for 'ad.example.com' to a DC.
>>>
>>> If your external and AD dns domains are both the same, then you
>>> either put up with the problems you are having or you rebuild your
>>> AD using a supported dns domain.
>>>
>>> As I said, it works for myself using the Debian Bookworm Bind9
>>> package and Samba 4.19.5 from BookWorm-backports (which from my
>>> understanding is built exactly like the 4.20.0 mjt package),
>>> however, I do not use a 'view'
>>>
>>> Rowland
>>>
>> This is an inherited scenario and some changes would be hard to do at
>> the moment. Good news is that the public domain and internal domain
>> are different. Bad news is that it was set up as <company>.com and
>> <company>.local...sigh...but that can't be changed at the moment.
> Well at least they are different, just turn off Avahi everywhere and
> ban MAC machines from your AD domain.
>
>> The current configuration, and imo is something strong to be
>> considered, is a unified network controller...network boss, small
>> business server, whatever you want to call it that is responsible for
>> dhcp, dns and AD. A small business sometimes needs some of the
>> capabilities of a larger network but can't afford multiple servers.
>> No one should have to put up with crashing or hanging services.
> That idea is a bit old now, using VMs is what would be used now.
I will see if I can convince them to let me re-architect the design and
split it into multiple pieces. VMs are a bit advanced for most small
businesses but I guess even Synology all in one NAS supports VMs. (don't
worry, this isn't running on a synology).
>
>> Good news is that I can easily spin up another server (thanks to
>> running everything on proxmox) to split out AD from the rest of the
>> network controller. If I have no other choice I will do that.
> See my comment above.
>
>> However another point of reference is that I can launch both named
>> and smbd without it immediately crashing using versions:
>>
>> administrator at nc1:~$ smbd --version
>> Version 4.20.0-Ubuntu
>> administrator at nc1:~$ named -version
>> BIND 9.18.18-0ubuntu0.22.04.2-Ubuntu (Extended Support Version)
>> <id:>
>>
>> However that combination creates an occasional 100% utilization hung
>> named process
> I thought we were discussing using Bind9 with a Samba AD DC, if so, you
> shouldn't be starting the 'smbd' daemon manually, the 'samba' daemon
> should be doing it for you.
>
> Rowland
I am, I only ran the command to show the versions, sorry for any
confusion there.
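The split Rowland describes (a Bind9 on a non-domain machine owning the 'view' and the public zone, forwarding only the AD zone to a DC) as an added named.conf sketch; this is not from either poster or from the Samba project, and every address, zone name and file path in it is a placeholder.

```conf
// Added illustration of the layout suggested in the thread: a Bind9
// resolver on a NON-domain machine owns the 'views' and the public zone,
// and forwards the AD zone to a Samba DC. The DC's own DNS (internal or
// bind_dlz) carries only the AD zone and has no views.
// All names, addresses and file paths here are placeholders.

options {
    directory "/var/cache/bind";
    // anything this server is not authoritative for goes upstream
    forwarders { 203.0.113.53; };   // placeholder upstream resolver
};

// LAN clients: recursion allowed, the AD zone handed to the DC
view "internal" {
    match-clients { 192.0.2.0/24; localhost; };   // placeholder LAN
    recursion yes;

    // The AD zone lives on the DC; it is never served from a view here.
    zone "ad.example.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.10; };    // placeholder DC address
    };

    // Internal version of the registered public domain
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

// Everyone else: authoritative only for the public zone, no recursion
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};
```

LAN clients and DHCP point at this resolver rather than at the DC, and `named-checkconf` on the file catches syntax errors before a reload.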