AB> On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:
>> I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
>>
>> My domain is example.com
>> My Samba4 server is myserver.example.com
>> myserver has two nics: 10.10.10.5 and 192.168.10.2
>> My externally hosted web site is www.example.com, and is hosted at
>> 123.123.123.123
>> I have an A and CNAME in DNS like so:
>>
>> @ A 123.123.123.123
>> www CNAME example.com.
>>
>> The above allows internal web browsers to access the external site via
>> www.example.com or example.com. This works great.
>>
>> The problem is that every ten minutes when samba's dns update happens, it
>> keeps putting the following two entries in, which points internal hosts to
>> the dns server, instead of the externally hosted web site:
>> @ A 10.10.10.5
>> @ A 192.168.10.2
>>
>> Why do these keep showing up? I'm sure there is a place that the info is
>> coming from, but I don't know where, and I desperately need to prevent this
>> from happening. I mean, don't get me wrong, I realize what the records
>> mean, but what I'm trying to do is prevent them from repopulating and
>> preventing my internal hosts from browsing the web site. I didn't have
>> this problem when I could edit the bind files directly, but now that I'm
>> using bind_dlz for samba, I'm a little lost.
AB> The issue is that Samba controls that name, and tries to set it to match
AB> the network interfaces of the DC, because AD clients may (few actually
AB> do, in this specific case) use this name to find a DC. See
AB> dns_update_list.
AB> I suggest breaking the CNAME and not using example.com to find your
AB> website internally.

Wouldn't it make a lot of sense, provided one had the infrastructure [extra servers/hardware], to handle DNS like this:

(And at a smaller site, you could do this in a VM like virtualbox on the same hardware as the S4/AD server - memory is cheap, and at a small site, I/O load is going to be trivial.)

---

Set up a DNS+DHCP server, external to/outside of the AD. Say, mydomain.local

DHCP and DDNS would apply against mydomain.local

Put the S4/Windows AD in a 3rd level domain - say samba.mydomain.local.

Point all queries for the 3rd level DNS [samba.mydomain.local] to the AD/DNS controller. [i.e. A forward zone for samba.mydomain.local -> S4AD server]

This resolves issues with DHCP/DDNS - since you're not trying to make the AD controller handle it.

Next, by using something like .local as your 1st level domain, you don't have conflicts with real-world external domains. [And even if you did use something like .com - you could tweak the DNS server to handle it without messing with the AD domain - provided you didn't use anything in that 3rd level domain (samba.mydomain.local) out in the open/public internet.]

I know it's extra work, but it just seems to make things a lot cleaner and keeps DNS from becoming such a tangle in AD, IMO

Thoughts?

-Greg
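The split Greg describes, as an added example that is not part of the thread: a BIND named.conf fragment for the external DNS+DHCP server. The parent zone keeps the web site's apex records and accepts dynamic updates only from DHCP; everything under the AD subdomain is forwarded to the Samba DC. The DC address (10.10.10.5) and web host address (123.123.123.123) are reused from the thread, the TSIG key name and secret are placeholders.

```conf
// Added example (not from the thread): external DNS server, not an AD member.
// Addresses are the thread's placeholders; key name and secret are assumed.

// TSIG key shared with the DHCP server so only DHCP can push DDNS updates
// into the parent zone (clients and the DC do not hold this key).
key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "<PLACEHOLDER-BASE64-SECRET>";
};

// Parent zone: the apex A record for the external web site lives here.
// Samba never touches this zone, so its DC interface addresses cannot
// overwrite the apex every ten minutes.
zone "mydomain.local" IN {
    type master;
    file "/var/named/mydomain.local.zone";
    allow-update { key "dhcp-ddns"; };
};

// AD subdomain: hand every query below samba.mydomain.local to the
// Samba DC (BIND9_DLZ), which remains free to manage its own records
// via dns_update_list. "forward only" prevents this server from
// falling back to its own resolution if the DC is unreachable.
zone "samba.mydomain.local" IN {
    type forward;
    forward only;
    forwarders { 10.10.10.5; };
};

// Contents of /var/named/mydomain.local.zone (placeholder values):
//   $TTL 3600
//   @     IN SOA ns1.mydomain.local. hostmaster.mydomain.local. (
//             2013100801 3600 900 604800 3600 )
//   @     IN NS  ns1.mydomain.local.
//   ns1   IN A   192.168.10.10
//   @     IN A   123.123.123.123
//   www   IN CNAME mydomain.local.
```

With this layout the DC's dns_update_list only rewrites records inside samba.mydomain.local, and internal clients resolving the parent apex get the web host, not the DC interfaces.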