Discussion:
[Samba] Bind on non-DC host (formerly: bind 9.11.b2 with samba 4.4.5)
mathias dufresne
2016-08-01 08:49:13 UTC
Hi Andrew,

Sorry about that, but I have to ask: why would that not be an option?
Hi,
Did you try to use the bind9_10 library? Did it work?
If not, the changes to the dlz_minimal.h and the code to match the .h
from BIND are normally trivial.
If it does not work you should be able to replace this library (which
does not need configuration) with one shipped with your Bind package. This
one will need configuration to know how to reach and deal with the AD LDAP
tree and authentication, but that should be possible...
I'm sorry, this isn't an option.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT
http://catalyst.net.nz/services/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-08-01 13:35:42 UTC
Oki doki. Thank you for the precision.
That kind of limitation should be added to the wiki, as I would already have
tried to move Bind to a non-DC host if I had been able to find how to do that.
And if I thought about that, some have thought about it before me.

With the easy virtualisation we have now, and the idea of separating tasks onto
different systems to lower the risk endured by each system, it seems to me that
splitting AD services across systems (VM or physical) could be seen as the
next step... Giving Samba users advice regarding what can be done, what
can be tested and especially what must not be done would be a time-saver for
those who want to test...

My 2 cents...
M.
Post by mathias dufresne
Hi Andrew,
Sorry about that, but I have to ask: why would that not be an option?
Just because the data is in LDAP doesn't mean it is anything like any
other LDAP-using DNS data store. The schema is quite specific, and the
behaviours required are encoded in the Samba shared libraries used by
the DLZ module and the internal DNS server.
Andrew Bartlett
mathias dufresne
2016-08-02 09:41:32 UTC
In both cases there is no reason why these services must be on the same
machine.

What was interesting in Andrew's comment was the explanation. The wiki
says they must be on the same machine, the list was asked several times and
always the answer was that they must be on the same host. Until yesterday there was
no explanation about the why, which is in my own opinion something
important.

More why, less dumb questions.
Post by mathias dufresne
Oki doki. Thank you for the precision.
That kind of limitation should be added to the wiki, as I would already have
tried to move Bind to a non-DC host if I had been able to find how to do that.
And if I thought about that, some have thought about it before me.
https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
Since the BIND DLZ module accesses the AD database directly, BIND for AD
zones must be on the same machine.
Since the BIND DLZ module accesses the AD database directly, Bind9 must be
run on the same machine as the Samba 4 AD DC.
Rowland