Samba Internal DNS Back End: Difference between revisions

From SambaWiki
m (→‎Configuration: removed non existent smb.conf setting and replaced with (hopefully) a better explanation.)
Line 12: Line 12:
allow dns updates = False | nonsecure | signed
allow dns updates = False | nonsecure | signed
# If recursive queries = yes is set, the following is also needed
# If you require recursive queries i.e. queries outside the AD domain, the following is also needed
dns forwarder = <ip addr of external dns server>
dns forwarder = <ip addr of external dns server>






= Limitations / Known issues =
= Limitations / Known issues =
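Review bot: In the reworded comment above `dns forwarder`, "the following is also needed" has nothing left for "also" to refer to now that the `recursive queries = yes` precondition has been dropped. Suggest "the following is needed". The "i.e. queries outside the AD domain" aside should be set off with commas so that the sentence parses on first read.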

Revision as of 08:12, 19 August 2015

Introduction

The internal DNS server is built into Samba and uses AD as its backend. It is also the default DNS solution when provisioning a new Samba AD DC or upgrading from a Samba NT4 domain to Samba AD.

An alternative backend is BIND_DLZ.

Configuration

If you have chosen the internal DNS as the backend for your environment, only two options can currently be added to your smb.conf to control the behaviour of DNS:

# Don't allow any updates | allow unsigned updates | only allow signed updates
allow dns updates = False | nonsecure | signed

# If you require recursive queries, i.e. queries outside the AD domain, the following is also needed
dns forwarder = <ip addr of external dns server>
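A small audit of these two options, as an added example that is not part of the wiki page or of Samba itself: it parses the [global] section of an smb.conf, reports when unsigned updates are accepted, and reports when no forwarder is set. The sample file, the function names and the choice to treat only the three values shown above as known are assumptions of this example.

```python
import re

# Constructed sample smb.conf (not from a real deployment).
SAMPLE_SMB_CONF = """\
[global]
    realm = SAMDOM.EXAMPLE.COM
    Allow DNS  Updates = nonsecure
    ; dns forwarder = 192.0.2.53

[netlogon]
    path = /srv/netlogon
"""

def global_params(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue                      # blank line or comment
        line, pending = pending + stripped, ""
        if line.endswith("\\"):           # trailing backslash continues the line
            pending = line[:-1]
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit_dns(text):
    """Return (option, finding) pairs for the two internal-DNS options."""
    params, findings = global_params(text), []
    updates = params.get("allowdnsupdates", "").lower()
    if updates == "nonsecure":
        findings.append(("allow dns updates", "unsigned updates are accepted"))
    elif updates not in ("false", "signed"):
        # Assumption: only the three values shown on this page count as known.
        findings.append(("allow dns updates", "unset or unlisted value %r" % updates))
    if not params.get("dnsforwarder"):
        findings.append(("dns forwarder", "not set; recursive queries are not possible"))
    return findings

if __name__ == "__main__":
    for option, finding in audit_dns(SAMPLE_SMB_CONF):
        print(f"{option}: {finding}")
```

An empty result means updates are either disabled or signed-only and a forwarder is configured.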

Limitations / Known issues

  • The internal server is not a caching resolver.
  • The internal server by default only comes with a working forward zone; if you need a reverse zone, see instructions here.
  • The samba_dnsupdate command produces warnings when used with signed updates. We're currently investigating a fix for the warnings, but the updates actually succeed. Client systems like samba3 or Win7 work fine.
  • Currently, recursive queries are not possible without using a forwarder.
  • Negative replies do not come with an authority record (not required by RFC, but Windows seems to like that).
  • Shared-key TSIG is not implemented.
  • Stub zones are not implemented.
  • Zone transfers (AXFR) are not allowed from the internal Samba DNS server.

Tests

Run during make test

TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns

Run against external servers (Windows or BIND)

SERVER_IP=<dns server ip> SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns