Old 08-02-2005, 08:16 PM   #1
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Rep: Reputation: 15
SAMBA - NetBIOS/TCP-IP w/out


I've been reading Terpstra's book on SAMBA, specifically "Network Browsing" and would like some clarification of DNS concepts. I am getting confused between the DNS servers past my router and any "internal" DNS servers.

I would like to discontinue the use of NetBIOS over TCP/IP on my network. I will be running FC4 w/SAMBA 3.x - all my clients are XP. SAMBA will be PDC.

According to the chapter I can just use "plain" TCP/IP, if I have a DDNS "server". "Have" being a mystifying term for me as my router's DHCP function gives out a DNS addy from my ISP, the same one I plug into all my clients (I use static IPs). Does this mean I "have" a DDNS server? Or do I need to configure a local (internal) one on my Linux box? If so, how does the client know to query the local, and then the external?

Can SAMBA query another process on the box? Does it have to be physically separate? (I just know this question is probably laughable, but I have to ask)

I have no MS "servers" on my network - hence no AD.

My best guess is that I must run a DNS process on the FC4 box. The Chapter mentions BIND, but I think that is in a mixed MS server environment to support AD.

So, have I got the gist, or am I off track?

T.I.A.
 
Old 08-02-2005, 08:44 PM   #2
rarsa
Member
 
Registered: Nov 2004
Location: Canada
Distribution: Puppy Linux/ Mint
Posts: 211

Rep: Reputation: 31
I'll start by saying that I'm not a Linux networking expert, so I will just speak about the concepts:

When you connect to the internet through your router, there are two networks: one is the internet and the other is your local network.

The 'internet' only sees one address in your network: the router's IP address assigned by your ISP.

The router has another IP address that 'faces' your network (192.168.1.1 for example). Its DHCP server assigns addresses to the computers in your internal network. These addresses are only unique within your network.

A DNS server will convert the textual address (mycomputer.com) to an actual IP address (192.168.1.10).

The DNS Server that your ISP provides translates Internet addresses. It knows nothing about the IP addresses in your internal network.

You don't need a DNS server for your internal network to use Samba, especially if you only have a few computers. Still, if you want one, you need to run it on one of your computers.

BIND is the most common DNS server; it has nothing to do with supporting Windows or not.

Last edited by rarsa; 08-02-2005 at 08:45 PM.
 
Old 08-02-2005, 11:42 PM   #3
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Raul,

According to this book, if I want to use plain vanilla TCP/IP I _do_ need a DNS server on my network. Otherwise Windows Browsing will not work.

However, it would seem that you agree that it would be an internal DNS server - not the ISP external.

So now, I need to figure out how XP knows to announce to the internal one, but use the external for http.

I'll post more after more reading!

Thanks!
 
Old 08-02-2005, 11:59 PM   #4
rarsa
Member
 
Registered: Nov 2004
Location: Canada
Distribution: Puppy Linux/ Mint
Posts: 211

Rep: Reputation: 31
Well, I don't know if you need DNS for windows browsing to work. But I'm sure that you don't need it to use samba, I use it all the time at home and I don't have a DNS.

I just open a Windows Explorer and in the address line I just type my samba server IP address \\192.168.1.99. It asks me for my credentials, and that's it.

I do the same the other way around for Windows shared folders. In konqueror I just type smb://192.168.1.100/transfer. Or mount the shared folders with the mount -t smbfs <parameters> command.
 
Old 08-03-2005, 12:19 AM   #5
d00msdaypr0phet
Member
 
Registered: Mar 2005
Location: Oregon
Distribution: Debian, Ubuntu, Whatever
Posts: 32

Rep: Reputation: 15
install winbindd
vim /etc/nsswitch.conf
at the host line add wins between hosts and dns

save the file and voilà... pinging by NetBIOS.

So now you don't need DNS servers for name resolution.
 
Old 08-03-2005, 12:47 AM   #6
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
hell0 d00msdaypr0phet,

I am aware that I don't _need_ DNS or winbindd (isn't that just when you have an AD network?) to get browsing. Just set SAMBA to WINS yes and run NetBIOS over TCP/IP (a checkbox in the net config for 98 - XP if I remember correctly).

But, like the Garbage song: I'm only happy when it rains!

So I know that NetBIOS is slated for phase-out. I know I need to learn more about networks and various configs. So, even though it may not be as simplistic, I'm trying to figure out how to run TCP/IP w/out NetBIOS on my SAMBA only network. Which I can do because my clients are all XP and they (as well as 2000) can register their names with a DNS server.

Along the way, I'm hoping that I will learn more about Browsing, name to IP resolution, and "everything is a file" Linux configuration.

I've just got a tiny network of 185 computers and under 90 users, with nothing mission critical - so it's a great opportunity to learn what all this baby can do!

Raul,

True. My current server is set to act as WINS and I have NetBIOS enabled over TCP/IP. Although my SAMBA is PDC and my logon script connects all my drives.

More delving for me!
 
Old 08-03-2005, 01:55 AM   #7
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Okay. I've determined that BIND is the Linux DNS server-of-choice. So I need to run BIND. I've also determined that what I want is an "Internal DNS Server".

However, in the process, I've seen hints that running such a thing is a large security risk. So now I need to evaluate how much of a risk and how hard is it to lock it down.

To run BIND internally, it would seem as easy as using the allow-query option and configuring it to allow only local IPs the privilege. But... I don't know yet.
 
Old 08-03-2005, 05:09 AM   #8
d00msdaypr0phet
Member
 
Registered: Mar 2005
Location: Oregon
Distribution: Debian, Ubuntu, Whatever
Posts: 32

Rep: Reputation: 15
From what I understand the security risk was more in BIND 8 than in 9. 9 has been out for a while so you should be cool. We run what's called a local caching DNS server. It's very simple to set up but mainly aimed at speeding up internet speed by reducing the number of calls to an offsite DNS server, though we do try to maintain a list of relevant servers in it too. It runs perfectly and has for years.
In your case I'd say the tough part is the dynamic update for clients. In a nutshell, so if you have a new workstation grade system installed you won't have to add the forward and reverse lookups in the DNS server. A real pain in the ass.
If you try that mini-how-to in my previous post you should be pleasantly surprised. Winbind is a wonderful tool. You can use it with ADS but ADS is more the culmination of LDAP+DNS+CIFS with a touch of Kerberos bastardized M$ style. We still use an NT based domain because we are a large organization, but try that winbind trick on your Linux workstation, then you can ping and browse by NetBIOS. It's the easiest way.
If you're completely insane, like me, IBM has some nice documentation on CIFS. There is also a book on CIFS. It's an immense subject that is quite undocumented.

I hope my drivel hasn't bored you too much.
 
Old 08-03-2005, 03:47 PM   #9
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Bored?!? Heck no! I sometimes feel that I exist in a vacuum. Commonly, when finished speaking, my co-workers take a deep breath and mutter platitudes like: "Great! Well it sounds like you've got it under control then." Sadly, no.

So please, drivel on!

Today I got my BIND book and picked up an LDAP book too just for good luck. If the Administration would not wait to fund or allocate time to these projects at the last minute, I could actually read the entire text. As it is, I have to surf the book and extract just that which gets us up and running. I feel like the script-kiddie of System Administration - implementing all and understanding none. Not my preferred method of operation. But, I get to play and pick up info on the way. Yippee.

I'd check out your link, but I don't think you included one. Let me have the link or point out that I'm blind...

Cheers

Last edited by calabash; 08-03-2005 at 03:52 PM.
 
Old 08-03-2005, 04:18 PM   #10
rarsa
Member
 
Registered: Nov 2004
Location: Canada
Distribution: Puppy Linux/ Mint
Posts: 211

Rep: Reputation: 31
By the way, the security issues with BIND have to do with Internet-facing DNS servers.

The internal DNS won't be visible to people outside your firewall, unless you explicitly open and forward the ports (I guess you are not planning to do that).
 
Old 08-03-2005, 04:49 PM   #11
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Firewalls are another thing. Currently our "firewall" is the Linksys router.

What worries me, as I begin to implement more services, is that a box that was as boring as a post, will become attractive.

I don't think I will be opening or forwarding ports. But I'll certainly mark that in the "not to be done till we know more" category.

Thank you!
 
Old 08-19-2005, 04:29 PM   #12
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Okay! I was sick with a bug for a tad, but am now back at it.

So, in my delirium I came up with a related question that has haunted all my readings on BIND.

What domain name do I assign myself if I'm _not_ opening up to the outside? Currently my box is, like all boxes to this point, localhost.localdomain.
The question is - when configuring an internal resolving & caching DNS server do I keep that "name" or can I change it? I know I can not change it if I am "exposing" it to the outside world - that involves $$ and paperwork.
 
Old 08-21-2005, 06:54 PM   #13
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
I'm beginning to get the idea that you can name the box zerox.com if you want, as long as the IP addy of the box is not Internet broadcastable, i.e. Class C.
 
Old 08-21-2005, 07:15 PM   #14
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361Reputation: 361Reputation: 361Reputation: 361
The domain name for the internal network is whatever you want, since, as you guessed, it isn't viewable by the world.

But regardless, it would be good to name it after your company.

Now, make sure that you properly set up BIND for DDNS, and also set up the DHCP server on your Linux server. I suppose you could do it with static IP and manually enter everything... if that is something you really want to do.

The concept here is that Windows XP/2000 use DNS as the primary name resolution, and NetBIOS/WINS as secondary fallback methods. So the first DNS server you give to all of the clients is your internal DNS server. Then when the client machine tries to contact the server or another client via hostname, it will query the DNS server, get its IP, and go on with its business.

All very simple, and makes more sense than WINS/NetBIOS. The only problem will be getting a correct BIND/DHCPCD setup, but that isn't too bad.

A tip, for sanity's sake: dump static IP and go with dynamic. It will save you a few hours of text input. When using DHCP, the clients will just report their hostnames to the DHCP server, saving you from having to input them all into the BIND database. Plus, you are going to have to append the IP of your local DNS server into the DNS list on all the clients anyway, so you might as well just switch them all to DHCP, and then specify the DNS servers to use from DHCP.
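
The setup discussed in posts #7 and #14 above (an internal-only BIND resolver restricted with allow-query, plus a zone that accepts dynamic updates), sketched as a `named.conf` fragment. This is an added example, not part of the original thread; the 192.168.1.0/24 subnet, the server address, the `example.lan` zone, the forwarder addresses, the file paths and the key name are all assumptions or placeholders.

```conf
// Constructed example: internal caching resolver with one dynamic zone.
// Every address, zone name, path and key name below is an assumption.

// Hosts that may use this server at all.
acl "lan" { 127.0.0.1; 192.168.1.0/24; };

// Shared secret for dynamic updates, held by the DHCP server that
// registers client names. The secret is a placeholder: generate a real
// one (e.g. with tsig-keygen) and keep this file readable by named only.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-base64-secret";
};

options {
    directory "/var/named";

    // Bind only to loopback and the LAN-facing address.
    listen-on { 127.0.0.1; 192.168.1.99; };

    // Answer and recurse for local clients only.
    allow-query     { "lan"; };
    allow-recursion { "lan"; };

    // No zone transfers unless a secondary is added later.
    allow-transfer  { none; };

    // Names outside the internal zone go to the ISP resolvers.
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder addresses
};

// Forward zone for the internal domain.
zone "example.lan" {
    type master;
    file "dynamic/example.lan.zone";
    // Only holders of the key may add or change records;
    // an address-based rule here would trust any host on the LAN.
    allow-update { key "ddns-key"; };
};

// Matching reverse zone for 192.168.1.0/24.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "dynamic/192.168.1.rev";
    allow-update { key "ddns-key"; };
};
```

Running `named-checkconf` against the finished file catches syntax errors before the daemon is restarted.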
 
Old 08-21-2005, 07:53 PM   #15
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Thank You.

My DHCP server will stay in the Linksys box for now. It did not seem that they have to be together.
I will have to set up BIND for DDNS, as I have visiting laptops, but that is not the priority.
I realize the time savings by going Dynamic, however I prefer the security of static IPs. Then when you've got unauthorized access from IP blah,blah,blah.blah you know just where to go. Our campus is quite large with computers scattered throughout. Anyway, it's under 100 PCs.
 
  

