The Samba AD DNS Back Ends: Difference between revisions
(→Status: Add link to todo list) |
(→Internal DNS: Update description) |
||
Line 5: | Line 5: | ||
==Status== |
==Status== |
||
As of early September 2012, the internal DNS server is fully functional, for both GSS-TSIG-signed and unsigned updates. |
|||
Also see the [[DNS/ToDo|Internal DNS ToDo list]]. |
|||
== Configuration == |
== Configuration == |
||
Line 13: | Line 12: | ||
# Allow unsigned updates | don't allow any updates | only allow signed updates |
# Allow unsigned updates | don't allow any updates | only allow signed updates |
||
allow dns updates = True | False | |
allow dns updates = True | False | signed |
||
# Query remote name servers on behalf of the clients |
# Query remote name servers on behalf of the clients |
||
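Review bot: the `allow dns updates` line now offers `signed`, but neither the comment above it nor the surrounding text says which of the three values is the default, and `True` is the one that accepts unsigned updates. State the default next to the option, and consider spelling the mapping out per value (`True` = unsigned updates allowed, `False` = no updates, `signed` = signed updates only) so it does not depend on matching two pipe-separated lists by position.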
Line 20: | Line 19: | ||
# If recursive queries = yes is set, the following is also needed |
# If recursive queries = yes is set, the following is also needed |
||
dns forwarder = <ip addr of external dns server> |
dns forwarder = <ip addr of external dns server> |
||
== Known Issues == |
|||
You will have to remove the fake dns user that provision creates so the BIND plugin will work. We'll fix this eventually, but at the moment you need to remove the dns-(machinename) account manually after provision. Assuming your machine is called "bob", the command would be (as root) |
|||
samba-tool user delete dns-bob |
|||
Also, the samba_dnsupdate command doesn't work yet for signed updates. We're currenly investigating. Client systems like samba3 or Win7 work fine. |
|||
==Tests== |
==Tests== |
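Review bot: the added Known Issues text says samba_dnsupdate does not yet work for signed updates, while the Status section still reads "fully functional, for both GSS-TSIG-signed and unsigned updates"; qualify the Status sentence or point it at this section. In the same hunk, "currenly" should be "currently", the `== Known Issues ==` heading is spaced differently from `==Status==` and `==Tests==`, and the dns-(machinename) removal is needed for the BIND plugin yet sits under Internal DNS, so say which back end it applies to.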
Revision as of 22:04, 5 September 2012
Internal DNS
Developing and using the DNS server built into Samba. AD backend.
Status
As of early September 2012, the internal DNS server is fully functional, for both GSS-TSIG-signed and unsigned updates.
Configuration
There are three options that can be added to smb.conf to control the behavior of DNS at this point:
# Allow unsigned updates | don't allow any updates | only allow signed updates
allow dns updates = True | False | signed

# Query remote name servers on behalf of the clients
dns recursive queries = yes | no

# If recursive queries = yes is set, the following is also needed
dns forwarder = <ip addr of external dns server>
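One way to check an existing smb.conf against these three options, as an added example that is not part of the original page or Samba's own code. It assumes the options sit in [global] and that yes/true/1 are equivalent spellings; the function names and both sample configurations are constructed for illustration.

```python
# Added example (not Samba code): audit the [global] section of an smb.conf
# for the three internal-DNS options described on this page.
TRUE_WORDS = {"true", "yes", "1"}    # assumption: usual Samba boolean spellings
FALSE_WORDS = {"false", "no", "0"}

def parse_global(text):
    """Return {option: value} for [global]. Option names are lower-cased with
    all whitespace removed, since smb.conf ignores case and spacing in names."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts["".join(key.lower().split())] = value.strip()
    return opts

def audit_dns(text):
    """Return a list of findings for the DNS update and recursion options."""
    opts = parse_global(text)
    findings = []
    updates = opts.get("allowdnsupdates")
    if updates is None:
        findings.append("allow dns updates: not set, built-in default applies")
    elif updates.lower() in TRUE_WORDS:
        findings.append("allow dns updates: unsigned updates accepted")
    elif updates.lower() not in FALSE_WORDS | {"signed"}:
        findings.append("allow dns updates: unrecognised value %r" % updates)
    recursive = opts.get("dnsrecursivequeries", "").lower() in TRUE_WORDS
    if recursive and not opts.get("dnsforwarder"):
        findings.append("dns recursive queries = yes but no dns forwarder set")
    return findings

# Constructed sample configurations, not taken from a real server.
WEAK = """[global]
    allow dns updates = True
    dns recursive queries = yes
"""
HARDENED = """[global]
    Allow DNS Updates = signed
    dns recursive queries = yes
    dns forwarder = 192.0.2.53
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_dns(conf) or "no findings")
```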
Known Issues
You will have to remove the fake DNS user that provision creates so that the BIND plugin will work. We'll fix this eventually, but at the moment you need to remove the dns-(machinename) account manually after provision. Assuming your machine is called "bob", the command would be (as root):
samba-tool user delete dns-bob
Also, the samba_dnsupdate command doesn't work yet for signed updates. We're currently investigating. Client systems like samba3 or Win7 work fine.
Tests
Run during make test
TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns
Run against external servers (Windows or BIND)
DC_SERVER_IP=<dns server ip> DC_SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns
BIND 9.8.0 DLZ plug-in
Dynamically loaded zones plug-in for BIND 9.8.0. AD backend.
Status
Module is built with Samba, handles RFC 1035 and RFC 2136
BIND & samba_dnsupdate
Non-AD backend, but works with older BINDs.
Status
samba_dnsupdate script shipped with Samba, lets BIND handle DNS and just dynamically modifies AD-related information.