BTW, I commented out the first two lines in dns_update_list, then removed the "spare" entries from DNS. Now they don't refresh the bad entries. Problem solved. (Really, I'm only interested in Samba keeping the MS-specific DNS entries up to date.)
*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408 | Seattle, WA 98104
phone: 1.800.918.1670 | direct: 206.456.9180
fax: 206.623.3491 | cell: 206.355.7767

On Fri, Oct 11, 2013 at 12:43 PM, Gregory Sloop <gr...@sloop.net> wrote:
>
> AB> On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:
> >> I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
> >>
> >> My domain is example.com
> >> My Samba4 server is myserver.example.com
> >> myserver has two nics: 10.10.10.5 and 192.168.10.2
> >> My externally hosted web site is www.example.com, and is hosted at
> >> 123.123.123.123
> >> I have an A and CNAME in DNS like so:
> >>
> >> @ A 123.123.123.123
> >> www CNAME example.com.
> >>
> >> The above allows internal web browsers to access the external site via
> >> www.example.com or example.com. This works great.
> >>
> >> The problem is that every ten minutes when Samba's DNS update happens, it
> >> keeps putting the following two entries in, which point internal hosts to
> >> the DNS server instead of the externally hosted web site:
> >> @ A 10.10.10.5
> >> @ A 192.168.10.2
> >>
> >> Why do these keep showing up? I'm sure there is a place that the info is
> >> coming from, but I don't know where, and I desperately need to prevent this
> >> from happening. I mean, don't get me wrong, I realize what the records
> >> mean, but what I'm trying to do is prevent them from repopulating and
> >> preventing my internal hosts from browsing the web site. I didn't have
> >> this problem when I could edit the bind files directly, but now that I'm
> >> using bind_dlz for samba, I'm a little lost.
>
> AB> The issue is that Samba controls that name, and tries to set it to match
> AB> the network interfaces of the DC, because AD clients may (few actually
> AB> do, in this specific case) use this name to find a DC. See
> AB> dns_update_list.
>
> AB> I suggest breaking the CNAME and not using example.com to find your
> AB> website internally.
>
> Wouldn't it make a lot of sense, provided one had the infrastructure
> [extra servers/hardware] to handle DNS like this:
>
> (And at a smaller site, you could do this in a VM like virtualbox on
> the same hardware as the S4/AD server - memory is cheap, and at a
> small site, I/O load is going to be trivial.)
> ---
>
> Set up a DNS+DHCP server, external to/outside of the AD. Say,
> mydomain.local
>
> DHCP and DDNS would apply against mydomain.local
>
> Put the S4/Windows AD in a 3rd level domain - say samba.mydomain.local.
>
> Point all queries for the 3rd level DNS [samba.mydomain.local] to the AD/
> DNS controller. [i.e. a forward zone for samba.mydomain.local -> S4AD
> server]
>
> This resolves issues with DHCP/DDNS - since you're not trying to make
> the AD controller handle it.
>
> Next, by using something like .local as your 1st level domain, you don't
> have conflicts with real-world external domains. [And even if you did
> use something like .com - you could tweak the DNS server to handle it
> without messing with the AD domain - provided you didn't use anything
> in that 3rd level domain (samba.mydomain.local) out in the open/public
> internet.]
>
> I know it's extra work, but it just seems to make things a lot cleaner
> and keeps DNS from becoming such a tangle in AD, IMO.
>
> Thoughts?
>
> -Greg
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
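The mechanism Andrew points at (Samba re-asserting the zone apex from dns_update_list every refresh) and the fix Scott applied (commenting out the first two lines) can be illustrated with a small model of the template expansion. This is an added example written for this page, not samba_dnsupdate's own code and not code any poster supplied; the template text is a constructed excerpt in the shape of the shipped dns_update_list, and the variable names ${DNSDOMAIN} and ${HOSTNAME}, the assumption that ${HOSTNAME} expands to the DC's FQDN, and the one-A-record-per-interface behaviour are the editor's assumptions, not verified against a particular Samba release. The point it shows is that the apex A records come from a template line, not from anything stored in the zone, so deleting them from DNS alone cannot stick.

```python
"""Model of how a dns_update_list template turns into DNS records.

Added illustration (not Samba's code). The template below is a
constructed excerpt; the real file ships many more SRV/CNAME lines.
"""

from dataclasses import dataclass
from string import Template  # expands ${VAR} placeholders

# Constructed excerpt modelled on the shape of the shipped file.
# The first two entries are the ones discussed in the thread.
DNS_UPDATE_LIST = """\
# this is a list of DNS entries which will be put into DNS
# using dynamic DNS update. It is processed by the
# samba_dnsupdate script
A                      ${DNSDOMAIN}
AAAA                   ${DNSDOMAIN}
A                      ${HOSTNAME}
AAAA                   ${HOSTNAME}
SRV                    _ldap._tcp.${DNSDOMAIN}      ${HOSTNAME} 389
SRV                    _kerberos._tcp.${DNSDOMAIN}  ${HOSTNAME} 88
"""


@dataclass(frozen=True)
class Record:
    rtype: str
    name: str
    rdata: str


def expand(template, domain, hostname, ipv4, ipv6=()):
    """Return the records the DC would assert for this template.

    Assumed behaviour: every A line yields one record per IPv4 interface
    address, every AAAA line one per IPv6 address (none here, so AAAA
    lines expand to nothing); SRV lines carry target and port.
    '#' comment lines and blank lines are skipped, which is why
    commenting a line out stops its records from being refreshed.
    """
    subst = {"DNSDOMAIN": domain, "HOSTNAME": hostname}
    records = []
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = Template(line).substitute(subst).split()
        rtype, name, rest = fields[0], fields[1], fields[2:]
        if rtype == "A":
            records.extend(Record("A", name, ip) for ip in ipv4)
        elif rtype == "AAAA":
            records.extend(Record("AAAA", name, ip) for ip in ipv6)
        elif rtype == "SRV":
            target, port = rest
            # priority 0, weight 100 are illustrative defaults
            records.append(Record("SRV", name, f"0 100 {port} {target}"))
        else:
            raise ValueError(f"unhandled record type in template: {rtype}")
    return records


def disable_apex_address_records(template):
    """Comment out A/AAAA lines whose owner is the bare ${DNSDOMAIN}.

    This is the edit described in the thread: the DC stops re-asserting
    its interface addresses at the zone apex, while host and SRV entries
    keep being refreshed. Caveat from the thread: clients that look up
    the bare domain name to find a DC will no longer get one.
    """
    out = []
    for raw in template.splitlines():
        fields = raw.split()
        if (len(fields) >= 2 and fields[0] in ("A", "AAAA")
                and fields[1] == "${DNSDOMAIN}"):
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def apex_addresses(records, domain):
    """Addresses that would be published for the zone apex itself."""
    return sorted(r.rdata for r in records
                  if r.name == domain and r.rtype in ("A", "AAAA"))


if __name__ == "__main__":
    ifaces = ["10.10.10.5", "192.168.10.2"]
    before = expand(DNS_UPDATE_LIST, "example.com", "myserver.example.com", ifaces)
    print("apex before:", apex_addresses(before, "example.com"))
    trimmed = disable_apex_address_records(DNS_UPDATE_LIST)
    after = expand(trimmed, "example.com", "myserver.example.com", ifaces)
    print("apex after: ", apex_addresses(after, "example.com"))
    print("still refreshed:", [r for r in after if r.rtype == "SRV"])
```

On a real DC the equivalent check is to run samba_dnsupdate with --verbose after editing the file and confirm that no A record for the bare domain appears in the list it tries to assert; Scott's report above says the two apex lines were the only ones he needed to disable.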