Replace dnsmasq with BIND9

In this sense there’s a wiki page that describes how to add the NethServer DC to an existing Active Directory domain.

https://wiki.nethserver.org/doku.php?id=howto:add_ns7_samba_domain_controller_to_existing_active_directory&s[]=dc

It’s quite old. As a starting point it could be tested and refreshed.

1 Like

BIND is not the solution to all problems

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Recommended_Architecture

The Samba-BIND integration has some limitations and is far from being perfect.

In the end it seems Samba DC does not offer an ultimate authoritative DNS server solution. I cannot evaluate the MS alternative in this sense.

Maybe not using AD at all is the correct way :smiling_imp:

2 Likes

@davidep

Hi Davidep

I have the greatest respect for your contributions and wisdom here, but:

As you know, NethServer can’t handle authenticated Shares with LDAP (actually, why not?), it needs a AD implementation in the background.

If LDAP authenticated Shares become possible, I’d say give users both options.

-> Users DO have both options now, AD or LDAP, but it’s like a Democratic Vote in North Korea:
You either vote “right”, or you vote “wrong”…
Having all Shares as “Public” is just NOT usable!

However, doing a “split-brain” DNS, as suggested on the Samba side, might be a very good idea - and shouldn’t be too difficult to implement on NethServer. The basics are there, justs needs some fine tuning. Maybe samba-bind in AD and BIND directly in NethServer…

My 2 cents
Andy

1 Like

Ok, I’ll bite… :wink:
@davidep, you may live in a linux world, but the majority of the rest of the world (unfortunately) lives in a Windows world. At least a Windows client world. And since the sane way of authentication in a Windows world is AD, you can not state to ditch AD…

What does BIND have to do with Let’s Encrypt certificates? I’ve already documented two ways of getting wildcard certs that don’t require BIND.

@robb
@davidep

Hi Robb

As you know, I’m NOT primarily a Windows user. Personally I use Mac and Linux, but I do have Clients using Windows, so I have a virtual windows around.

Even if using just Linux, Users have problems if only public shares are allowed.

Sure, the CLI affiliate ones can almost always connect, but these don’t need my help.

My 2 cents
Andy

@danb
If you have to add/update/remove TLSA resource records for certificate/host/port/protocol combinations a hidden primary nameserver is the simpliest solution.

We’re did you document ways of getting Let’s Encrypt wildcard certificates without BIND automatically?

https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers

The second one is aimed at the use case of an internal server that can’t be reached by the Internet, but it would work just as well to get a wildcard cert–the process would be identical.

2 Likes

Does acme-dns support wildcard-SAN-certificates?

e.g.

  mydomain1.tld
*.mydomain1.tld
  mydomain2.tld
*.mydomain2.tld
  mydomain3.tld
*.mydomain3.tld

Of course, up to 100 SANs on a cert. You’d just need to set the appropriate CNAME records for any domain you wanted on the cert.

1 Like

Is the --dhcp-script hook of DNSMasq available in nethserver?