Samba AD /dns /dhcp


Samba AD /dns /dhcp

Samba - General mailing list
Hello there.  I hope I'm in the right place for some Samba AD advice.

I recently added two extra ADs to a setup I inherited.
Originally there was a single Samba AD with BIND9_DLZ config.  DHCP was
separate.
Subsequently I installed Samba on two Raspberry Pis to act as backup
servers.

Basically, I followed this set of instructions:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
I have run into several problems.

   1. The new DCs were not automatically added to the master zone A record,
   i.e. "host -t A samdom.example.com localhost" would only return the
   original host.  All of the other records (including GUIDs) were inserted
   fine.  I ended up adding these manually.
   2. The SOA record for my dns zones seems to have migrated to point to the
   last DC that I set up.  New zones get the original one (the one with the
   master token).  I am unsure what this means, but from what I can tell,
   dnsupdate contacts the host in the SOA record to make updates.  What is the
   recommended practice here?  Does it matter which of my now three redundant
   DNS hosts is the SOA?  How can I change it?
   3. I was unable to get the dynamic DNS updates from DHCPD to work without
   adding an "allow-update {any;};" clause (or similar) to named.conf.  This
   was not documented anywhere and caused me a lot of headaches, particularly
   since this setting was in the original DC and so dynamic updates would work
   or not, based on the SOA record for the zones.  What is the recommended
   practice here?


I was unable to find on the samba wiki an overview over a recommended setup
of the combination of SambaAD/BIND/DHCP which is sort of a minimum to
maintain a site.  Particularly how they interact.
From what I can tell, Samba AD and BIND always go hand in hand, but there
are at most two DHCPD servers on the net, running on two of the DCs.  Is
this correct?

Finally, dynamic DNS updates from the DHCP server seem to take some 8 or
nine seconds, during which time a client does not get a DHCPD ack.
Sometimes the client gives up waiting.
I'm currently looking into this, but here is a log:

Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: Commit: IP: 192.168.53.20 DHCID: 1:0:20:85:ed:5:d0 Name: ups208
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[1] = add
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[2] = 192.168.53.20
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[3] = 1:0:20:85:ed:5:d0
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[4] = ups208
a)
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: starting transaction on zone rvx.is
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: allowing update of signer=dhcpduser\@RVX.IS name=ups208.rvx.is tcpaddr=127.0.0.1 type=A key=1178036325.sig-dc03.rv
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: allowing update of signer=dhcpduser\@RVX.IS name=ups208.rvx.is tcpaddr=127.0.0.1 type=A key=1178036325.sig-dc03.rv
Nov 30 14:48:38 dc03.rvx.is named[19015]: client 127.0.0.1#56549/key dhcpduser\@RVX.IS: updating zone 'rvx.is/NONE': deleting rrset at 'ups208.rvx.is' A
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: subtracted rdataset ups208.rvx.is 'ups208.rvx.is.        3600        IN        A 192.168.53.20'
Nov 30 14:48:38 dc03.rvx.is named[19015]: client 127.0.0.1#56549/key dhcpduser\@RVX.IS: updating zone 'rvx.is/NONE': adding an RR at 'ups208.rvx.is' A
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: added rdataset ups208.rvx.is 'ups208.rvx.is.        3600        IN        A 192.168.53.20'
b)
Nov 30 14:48:40 dc03.rvx.is named[19015]: samba_dlz: committed transaction on zone rvx.is
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: starting transaction on zone 53.168.192.in-addr.arpa
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: allowing update of signer=dhcpduser\@RVX.IS name=20.53.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=4098431
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: allowing update of signer=dhcpduser\@RVX.IS name=20.53.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=4098431
Nov 30 14:48:44 dc03.rvx.is named[19015]: client 127.0.0.1#59019/key dhcpduser\@RVX.IS: updating zone '53.168.192.in-addr.arpa/NONE': deleting rrset at '20.53.168.192.
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: subtracted rdataset 20.53.168.192.in-addr.arpa '20.53.168.192.in-addr.arpa.        3600 IN        PTR
Nov 30 14:48:44 dc03.rvx.is named[19015]: client 127.0.0.1#59019/key dhcpduser\@RVX.IS: updating zone '53.168.192.in-addr.arpa/NONE': adding an RR at '20.53.168.192.in
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: added rdataset 20.53.168.192.in-addr.arpa '20.53.168.192.in-addr.arpa.        3600 IN        PTR        ups
c)
Nov 30 14:48:46 dc03.rvx.is named[19015]: samba_dlz: committed transaction on zone 53.168.192.in-addr.arpa
d)
Nov 30 14:48:47 dc03.rvx.is logger[20952]: DHCP-DNS Update succeeded

Note the initial 6 seconds at a) that it takes dhcp-dyndns.sh to get to the
point where it calls nsupdate...  Any thoughts?




--
Kv,
Kristján Valur Jónsson, RVX
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
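The timing question at the end of this post can be answered straight from the log. The parser below is an added example, not code from the thread or from Samba: it takes the log lines above (re-joined onto single lines and reduced to the phase markers, embedded as a constructed sample) and reports how many seconds each stage of the dhcpd -> dhcp-dyndns.sh -> nsupdate -> BIND DLZ path took, which shows the 6 seconds at a) sitting inside the hook script before BIND sees any update.

```python
import re
from datetime import datetime

# Constructed sample: the lines from the log above, re-joined onto single
# lines and cut down to the ones that mark a phase boundary.
SAMPLE_LOG = r"""
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: Commit: IP: 192.168.53.20 DHCID: 1:0:20:85:ed:5:d0 Name: ups208
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: starting transaction on zone rvx.is
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: allowing update of signer=dhcpduser\@RVX.IS name=ups208.rvx.is tcpaddr=127.0.0.1 type=A key=1178036325.sig-dc03.rv
Nov 30 14:48:40 dc03.rvx.is named[19015]: samba_dlz: committed transaction on zone rvx.is
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: starting transaction on zone 53.168.192.in-addr.arpa
Nov 30 14:48:46 dc03.rvx.is named[19015]: samba_dlz: committed transaction on zone 53.168.192.in-addr.arpa
Nov 30 14:48:47 dc03.rvx.is logger[20952]: DHCP-DNS Update succeeded
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DLZ_RE = re.compile(r"samba_dlz: (starting|committed) transaction on zone (\S+)")


def parse_ts(ts):
    """Classic syslog stamps carry no year; only differences are used here."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def extract_events(log_text):
    """Return (timestamp, event, zone) tuples for the phase markers, in log order."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m["ts"]), m["prog"], m["msg"]
        if prog == "dhcpd" and msg.startswith("Commit:"):
            events.append((ts, "commit", None))          # dhcpd fires the on-commit hook
        elif prog == "named" and (z := DLZ_RE.match(msg)):
            events.append((ts, z.group(1), z.group(2)))  # nsupdate reached BIND/DLZ
        elif prog == "logger" and "DHCP-DNS Update succeeded" in msg:
            events.append((ts, "done", None))            # last line of dhcp-dyndns.sh
    return events


def phase_timings(log_text):
    """Seconds per phase of one DHCP-driven DNS update.

    script_startup:      commit hook firing until the first DLZ transaction opens,
                         i.e. time spent inside dhcp-dyndns.sh before nsupdate runs.
    zone <name>:         how long the DLZ transaction for that zone stayed open.
    idle before <name>:  gap between one zone's commit and the next zone's start
                         (the script back in control between the two nsupdate runs).
    tail:                last commit until the script's own 'succeeded' message.
    total:               the whole window the DHCP client waits for its ACK.
    """
    events = extract_events(log_text)
    commit = next(ts for ts, ev, _ in events if ev == "commit")
    done = next(ts for ts, ev, _ in events if ev == "done")
    zones = []                                   # [zone, start, end] in log order
    for ts, ev, zone in events:
        if ev == "starting":
            zones.append([zone, ts, None])
        elif ev == "committed":
            open_tx = next(z for z in zones if z[0] == zone and z[2] is None)
            open_tx[2] = ts

    def secs(delta):
        return delta.total_seconds()

    timings = {"script_startup": secs(zones[0][1] - commit)}
    for i, (zone, start, end) in enumerate(zones):
        timings["zone " + zone] = secs(end - start)
        if i + 1 < len(zones):
            timings["idle before " + zones[i + 1][0]] = secs(zones[i + 1][1] - end)
    timings["tail"] = secs(done - zones[-1][2])
    timings["total"] = secs(done - commit)
    return timings


if __name__ == "__main__":
    for phase, seconds in phase_timings(SAMPLE_LOG).items():
        print(f"{phase:40s} {seconds:5.1f}s")
```

Run against a full day's syslog the same parser will report one set of timings per lease commit once the events are grouped by the dhcpd Commit line that starts each cycle.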

Re: Samba AD /dns /dhcp

Samba - General mailing list

See inline comments:


On Thu, 30 Nov 2017 14:55:43 +0000
Kristján Valur Jónsson via samba <[hidden email]> wrote:

> Hello there.  I hope I'm in the right place for some Samba AD advice.
>
> I recently added two extra ADs to a setup I inherited.
> Originally there was a single Samba AD  with BIND9_DLS config.  DHCP
> was separate.
> Subsequently I installed Samba on two Raspberry Pis to act as backup
> servers.
>
> Basically, I followed this set of instructions:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> I have run into several problems.
>
>    1. The new DCs were not automatically added to the master zone A
> record, i.e. "host -t A samdom.example.com localhost" would only
> return the original host.  All of the other records (including GUIDs)
> were inserted fine.  I ended up adding these manually.

It is probably down to the version of Samba running on the rpi's, later
versions should do this.

>    2. The SOA record for my dns zones seems to have migrated to point
> to the last DC that I set up.  New zones get the original one (the one
> with the master token).  I am unsure what this means, but from what I
> can tell, dnsupdate contacts the host in the SOA record to make
> updates.  What is the recommended practice here?  Does it matter
> which of my now three redundant DNS hosts is the SOA?  How can I
> change it?

Again, later versions of Samba will make all Samba DCs authoritative.

>    3. I was unable to get the dynamic DNS updates from DHCPD to
> work without adding an "allow-update {any;};" clause (or similar) to
> named.conf.  This was not documented anywhere and caused me a lot of
> headaches, particularly since this setting was in the original DC and
> so dynamic updates would work or not, based on the SOA record for the
> zones.  What is the recommended practice here?

You shouldn't need that line, at least, I never have.
It might help if you post your bind conf files.

>
>
> I was unable to find on the samba wiki an overview over a recommended
> setup of the combination of SambaAD/BIND/DHCP which is sort of a
> minimum to maintain a site.  Particularly how they interact.
> From what I can tell, Samba AD and BIND always go hand in hand, but
> there are at most two DHCPD servers on the net, running on two of the
> DCs.  Is this correct?

Can I suggest you read again the Samba wikipage that you couldn't
find:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

it changed yesterday because of a bug.

>
> Finally, dynamic DNS updates from the DHCP server seem to take some 8
> or nine seconds, during which time a client does not get a DHCPD ack.
> Sometimes the client gives up waiting.
> I'm currently looking into this, but here is a log:

I feel this must be down to the rpi's, less than a second on my DCs

Rowland


Re: Samba AD /dns /dhcp

Samba - General mailing list
Hi there, thanks for your reply.  Probably I should add that:
a) I'm running Centos7 on the RPi3.
b) Compiled and installed samba 4.7.2 from source (packaged AD samba not
available for CentOS)
c) I haven't managed an AD before this thing landed in my lap, much less a
Samba AD :)


On 30 November 2017 at 15:45, Rowland Penny via samba <[hidden email]> wrote:

>
> > Basically, I followed this set of instructions:
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > I have run into several problems.
> >
> >    1. The new DCs were not automatically added to the master zone A
> > record, i.e. "host -t A samdom.example.com localhost" would only
> > return the original host.  All of the other records (including GUIDs)
> > were inserted fine.  I ended up adding these manually.
>
> It is probably down to the version of Samba running on the rpi's, later
> versions should do this.
>
Original DC samba version is 4.5.0, also compiled from source.
Possibly the issue was that the original DC01 had its record manually
inserted in the dns, at least, the dns viewer flagged it as 'static'.


>
> >    2. The SOA record for my dns zones seems to have migrated to point
> > to the last DC that I set up.  New zones get the original one (the one
> > with the master token).  I am unsure what this means, but from what I
> > can tell, dnsupdate contacts the host in the SOA record to make
> > updates.  What is the recommended practice here?  Does it matter
> > which of my now three redundant DNS hosts is the SOA?  How can I
> > change it?
>
> Again, later versions of Samba will make all Samba DCs authoritative.
>
Running 4.7.2.
What does that mean, can a zone have more than one SOA record?  Using the
DNS Manager tool on windows, the "properties" of a zone has only one
"Primary server" in the SOA.
The pre-existing zones seem to have all migrated to DC03 (the last one
where I installed the AD).   Is it ok to have different DCs as primary
server for a zone?  How does this affect redundancy if one DC goes offline?

>
> >    3. I was unable to get the dynamic DNS updates from DHCPD to
> > work without adding an "allow-update {any;};" clause (or similar) to
> > named.conf.  This was not documented anywhere and caused me a lot of
> > headaches, particularly since this setting was in the original DC and
> > so dynamic updates would work or not, based on the SOA record for the
> > zones.  What is the recommended practice here?
> You shouldn't need that line, at least, I never have.
> It might help if you post your bind conf files.
>

Sure, this is what I'm using.  It's the default one for Centos7 rpm bind,
modified for AD:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.0/16; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        # changes for BIND for AD
        #allow-query     { localhost; any; };
        allow-query { localhost; 192.168.0.0/16;};
        allow-recursion { localhost; 192.168.0.0/16;};
        auth-nxdomain yes;
        notify no;
        empty-zones-enable no;
        allow-transfer { none; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* option from /usr/local/samba/private/named.txt */
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        allow-update     { localhost; any; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/* the include file for samba support */
include "/usr/local/samba/private/named.conf";



>
> >
> >
> > I was unable to find on the samba wiki an overview over a recommended
> > setup of the combination of SambaAD/BIND/DHCP which is sort of a
> > minimum to maintain a site.  Particularly how they interact.
> > From what I can tell, Samba AD and BIND always go hand in hand, but
> > there are at most two DHCPD servers on the net, running on two of the
> > DCs.  Is this correct?
>
> Can I suggest you read again the Samba wikipage that you couldn't
> find:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> it changed yesterday because of a bug.
>
Thanks, that's exactly the page I followed when it came to this. I had
already fixed the problems with the read access to /etc/dhcp, (chgrp dhcpd
/etc/dhcp) and setting the right path in the script.



> >
> > Finally, dynamic DNS updates from the DHCP server seem to take some 8
> > or nine seconds, during which time a client does not get a DHCPD ack.
> > Sometimes the client gives up waiting.
> > I'm currently looking into this, but here is a log:
>
> I feel this must be down to the rpi's, less than a second on my DCs
>
I'm sure you are right.  I'm having problems with IO performance on this
particular machine.  I probably should replace the SD card.
However, a considerable time in the script (after analysis) is spent on
doing checking, particularly the wbinfo -u call, which can take anything
from 0.17 seconds to 5 seconds in my case.
"wbinfo -i dhcpduser" is consistently faster.
I will continue to investigate.  I'll remove the redundant wbinfo call in
my install, since it is only there for problem diagnostics.


Cheers!

- K
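The allow-update point in this exchange (Rowland's "you shouldn't need that line" against the allow-update { localhost; any; } in the named.conf posted above) can be checked mechanically. The checker below is an added example, not code from the thread, Samba or BIND: it parses the allow-* ACLs out of an options block (a constructed excerpt of the config above) and flags an allow-update containing any, because with BIND9_DLZ the AD zones authorise each update through GSS-TSIG inside samba_dlz (the tkey-gssapi-keytab line, and the "samba_dlz: allowing update of signer=dhcpduser@RVX.IS" lines in the first post), so the global clause gains nothing for them and only opens whatever other primary zones named.conf declares to unsigned updates from any address.

```python
import re

# Constructed excerpt of the options block posted above; only the statements
# the check looks at are kept, so this is not the complete file.
POSTED_OPTIONS = """
options {
        listen-on port 53 { 127.0.0.1; 192.168.0.0/16; };
        # changes for BIND for AD
        #allow-query     { localhost; any; };
        allow-query { localhost; 192.168.0.0/16;};
        allow-recursion { localhost; 192.168.0.0/16;};
        recursion yes;
        allow-transfer { none; };
        /* option from /usr/local/samba/private/named.txt */
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        allow-update     { localhost; any; };
};
"""

# The same block with the allow-update line removed, as the reply advises.
CORRECTED_OPTIONS = POSTED_OPTIONS.replace(
    "        allow-update     { localhost; any; };\n", "")

# allow-update-forwarding etc. do not match because '{' must follow directly.
ACL_RE = re.compile(r"\b(allow-(?:update|transfer|query|recursion))\s*\{([^}]*)\}")


def strip_comments(conf):
    """Drop /* */, // and # comments, all three of which named.conf accepts.

    Quoted strings are not protected, which is fine for this excerpt but would
    mangle a value containing '//' (a URL) in a real file.
    """
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*$", "", conf, flags=re.M)
    return conf


def acl_lists(conf):
    """Map each allow-* statement to its address-match elements, in order."""
    text = strip_comments(conf)
    return {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in ACL_RE.findall(text)}


def audit(conf):
    """Return a list of findings for the options block; empty means clean."""
    text = strip_comments(conf)
    acls = acl_lists(conf)
    findings = []
    if "any" in acls.get("allow-update", []):
        findings.append(
            "allow-update includes 'any': every primary zone declared in named.conf "
            "accepts unsigned updates from any address; with BIND9_DLZ the AD zones "
            "are authorised by samba_dlz via GSS-TSIG, so this clause is not needed")
    if "allow-transfer" not in acls or "any" in acls["allow-transfer"]:
        findings.append(
            "allow-transfer is absent or 'any': set { none; } on a DC unless "
            "secondaries really pull zones from it")
    if "tkey-gssapi-keytab" not in text:
        findings.append(
            "tkey-gssapi-keytab missing: BIND cannot verify the GSS-TSIG signatures "
            "that Samba and the dhcpduser account put on their updates")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_OPTIONS), ("corrected", CORRECTED_OPTIONS)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```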

Re: Samba AD /dns /dhcp

Samba - General mailing list

See inline comments:

On Thu, 30 Nov 2017 16:25:25 +0000
Kristján Valur Jónsson via samba <[hidden email]> wrote:

> Hi there, thanks for your reply.  Probably I should add that:
> a) I'm running Centos7 on the RPi3.

Where did you get that from?

> b) Compiled and installed samba 4.7.2 from source (packaged AD samba
> not available for CentOS)

Not yet, but it is coming to Fedora and then ultimately Centos, but
probably Centos 8 (this is just a guess)

> c) I haven't managed an AD before this thing landed in my lap, much
> less a Samba AD :)
>

It gets easier after the first year or two ;-)

>
> On 30 November 2017 at 15:45, Rowland Penny via samba <[hidden email]> wrote:
>
> >
> > > Basically, I followed this set of instructions:
> > > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > > I have run into several problems.
> > >
> > >    1. The new DCs were not automatically added to the master zone
> > > A record, i.e. "host -t A samdom.example.com localhost" would only
> > > return the original host.  All of the other records (including
> > > GUIDs) were inserted fine.  I ended up adding these manually.
> >
> > It is probably down to the version of Samba running on the rpi's,
> > later versions should do this.
> >
> Original DC samba version is 4.5.0, also compiled from source.
> Possibly the issue was that the original DC01 had its record manually
> inserted in the dns, at least, the dns viewer flagged it as 'static'.

I have the feeling that your rpi's are getting their IP's via DHCP, if
that is the case, give them a static IP, using DHCP on an AD DC is only
going to end in tears.

>
>
> >
> > >    2. The SOA record for my dns zones seems to have migrated to
> > > point to the last DC that I set up.  New zones get the original
> > > one (the one with the master token).  I am unsure what this
> > > means, but from what I can tell, dnsupdate contacts the host in
> > > the SOA record to make updates.  What is the recommended practice
> > > here?  Does it matter which of my now three redundant DNS hosts
> > > is the SOA?  How can I change it?
> >
> > Again, later versions of Samba will make all Samba DCs
> > authoritative.
> >
> Running 4.7.2.
> What does that mean, can a zone have more than one SOA record?  Using
> the DNS Manager tool on windows, the "properties" of a zone has only
> one "Primary server" in the SOA.
> The pre-existing zones seem to have all migrated to DC03 (the last one
> where I installed the AD).   Is it ok to have different DCs as primary
> server for a zone?  How does this affect redundancy if one DC goes
> offline?

All AD DCs that run a dns server are authoritative for the dns domain,
this means that if you ask a DC for its SOA, it will claim it is
itself. All DCs carry the AD records, this includes the dns records. A
program called 'samba_dnsupdate' is run at Samba startup and then at
frequent intervals, this uses a file 'dns_update_list' and checks and
updates the records found in that file.

>
> >
> > >    3. I was unable to get the dynamic DNS updates from DHCPD to
> > > work without adding an "allow-update {any;};" clause (or similar)
> > > to named.conf.  This was not documented anywhere and caused me a
> > > lot of headaches, particularly since this setting was in the
> > > original DC and so dynamic updates would work or not, based on
> > > the SOA record for the zones.  What is the recommended practice
> > > here?
> > You shouldn't need that line, at least, I never have.
> > It might help if you post your bind conf files.
> >
>
> Sure, this is what I'm using.  It's the default one for Centos7 rpm
> bind, modified for AD:

This is mine (actually the three debian ones in one file):

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.7; 127.0.0.1; };

        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

// adding the Samba dlopen ( Bind DLZ ) module
include "/usr/local/samba/private/named.conf";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

It has worked for me for the last 5 years ;-)

> > >
> > > I was unable to find on the samba wiki an overview over a
> > > recommended setup of the combination of SambaAD/BIND/DHCP which
> > > is sort of a minimum to maintain a site.  Particularly how they
> > > interact. From what I can tell, Samba AD and BIND always go hand
> > > in hand, but there are at most two DHCPD servers on the net,
> > > running on two of the DCs.  Is this correct?
> >
> > Can I suggest you read again the Samba wikipage that you couldn't
> > find:
> >
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >
> > it changed yesterday because of a bug.
> >
> Thanks, that's exactly the page I followed when it came to this. I had
> already fixed the problems with the read access to /etc/dhcp, (chgrp
> dhcpd /etc/dhcp) and setting the right path in the script.
>
>
>
> > >
> > > Finally, dynamic DNS updates from the DHCP server seem to take
> > > some 8 or nine seconds, during which time a client does not get a
> > > DHCPD ack. Sometimes the client gives up waiting.
> > > I'm currently looking into this, but here is a log:
> >
> > I feel this must be down to the rpi's, less than a second on my DCs
> >
> I'm sure you are right.  I'm having problems with IO performance on
> this particular machine.  I probably should replace the SD card.
> However, a considerable time in the script (after analysis) is spent
> on doing checking, particularly the wbinfo -u call, which can take
> anything from 0.17 seconds to 5 seconds in my case.
> "wbinfo -i dhcpduser" is consistently faster.

Good point, never thought of that (don't use wbinfo much), I will test
it and update the wiki page again, if it makes it faster.

Rowland



Re: Samba AD /dns /dhcp

Samba - General mailing list
On 30 November 2017 at 17:00, Rowland Penny via samba <[hidden email]> wrote:

>
> > Hi there, thanks for your reply.  Probably I should add that:
> > a) I'm running Centos7 on the RPi3.
>
> Where did you get that from ?
>
It's been around for a few months.
https://wiki.centos.org/SpecialInterestGroup/AltArch/Arm32/RaspberryPi3
It is completely stable, and it has the entire base rpm and selected stuff
from EPEL.
But there isn't an ARM epel repo yet and some packages are missing.
Since most of the linux infrastructure I manage is using CentOS it seemed
like a good idea.
I'm trying to set up a cheap and reliable infrastructure with redundancy.
The RPi3 should theoretically work well in this scenario.  Its main
bottleneck seems to be the SD card.
External discs could be used but again the RPi is USB2 only and shares the
usb bus with the network interface... I haven't run the experiment to
compare the two.
Anyway, there are ways to speed these up.

>
>
> I have the feeling that your rpi's are getting their IP's via DHCP, if
> that is the case, give them a static IP, using DHCP on an AD DC is only
> going to end in tears.
>
No, actually I did assign them static ips, and give them initial static
dns entries in the AD before starting the install.

> >
>
>
> All AD DCs that run a dns server are authoritative for the dns domain,
> this means that if you ask a DC for its SOA, it will claim it is
> itself. All DCs carry the AD records, this includes the dns records. A
> program called 'samba_dnsupdate' is run at Samba startup and then at
> frequent intervals, this uses a file 'dns_update_list' and checks and
> updates the records found in that file.
>
Thanks, this is useful info.  Like I said, the wiki is a bit hard to
navigate.  Would be cool to have an overview page with AD specific topics,
and something explaining the architecture and how these three things work
together.
Also, how to run dhcp on a machine separate from the DC...  Would it be set
up as an AD member?


> > Sure, this is what I'm using.  It's the default one for Centos7 rpm
> > bind, modified for AD:
>
> This is mine (actually the three debian ones in one file):
>
Thanks.  Will run some experiments and report back.

Kristján

Re: Samba AD /dns /dhcp

Samba - General mailing list
On Fri, 1 Dec 2017 14:57:36 +0000
Kristján Valur Jónsson via samba <[hidden email]> wrote:

> On 30 November 2017 at 17:00, Rowland Penny via samba <[hidden email]> wrote:
>
> >
> > > Hi there, thanks for your reply.  Probably I should add that:
> > > a) I'm running Centos7 on the RPi3.
> >
> > Where did you get that from ?
> >
> It's been around for a few months.
> https://wiki.centos.org/SpecialInterestGroup/AltArch/Arm32/RaspberryPi3
> It is completely stable, and it has the entire base rpm and selected
> stuff from EPEL.
> But there isn't an ARM epel repo yet and some packages are missing.
> Since most of the linux infrastructure I manage is using CentOS it
> seemed like a good idea.
> I'm trying to set up a cheap and reliable infrastructure with
> redundancy. The RPi3 should theoretically work well in this
> scenario.  Its main bottleneck seems to be the SD card.
> External discs could be used but again the RPi is USB2 only and
> shares the usb bus with the network interface... I haven't run the
> experiment to compare the two.
> Anyway, there are ways to speed these up.

Thanks for the link ;-)

> >
> Thanks, this is useful info.  Like I said, the wiki is a bit hard to
> navigate.  Would be cool to have an overview page with AD specific
> topics, and something explaining the architecture and how these three
> things work together.
> Also, how to run dhcp on a machine separate from the DC...  Would it
> be set up as an AD member?

The big problem is that Bind has to run on the same machine as the DC
to use dlz. You 'may' be able to run the DHCP server on another server,
but this would probably entail using ssh to run 'nsupdate' on the DC,
because Bind has to run on the DC, so it would actually be harder.

Rowland
