Missing DNS forwarder setting

[scara]

Hello everyone,
just playing with quay.io/samba.org/samba-ad-server:v0.3 to create on-the-fly AD DC for testing purposes, as a single container not running under K8s.

For my use case it would be of great value to have the possibility to (optionally) set dns forwarder = ...: I found nothing related on https://github.com/samba-in-kubernetes/sambacc/blob/627c6c09a9f198f6f8ad46412bf970f72ad6745e/sambacc/addc.py#L99C1-L100 and not sure how to properly force it into the container.

TIA,
Matteo

[phlogistonjohn]

Thanks for the feedback! There's currently no great way to get custom settings into the AD DC container (this is not the case for the file server container). This is due to the fact that the AD DC provision command makes the smb.conf file and how it does that. There's an issue for this in sambacc samba-in-kubernetes/sambacc#43 - I started working on it but found it was trickier than I anticipated. I did find out from Andrew Bartlett of the samba team there are other approaches but those ended up fairly tricky to implement too. At one point I wondered if it would be worth trying to patch samba-tool.

This is not an excuse, but rather an explanation of why I haven't gotten back to it! ;-) Maybe I'll have the motivation to look again soon. Also, anyone should feel free to try and contribute the feature if you're up to it.

[phlogistonjohn]

I forgot to mention: for what it's worth one can manipulate the generated smb.conf after the provision is done. So if the settings in question are not needed for provisioning it's possible to do that (esp. if you're storing the /etc/samba as a persistent volume). But it's annoying, I know.

[phlogistonjohn]

I keep forgetting things. In case it helps: the way we set up our AD DC instances we configure the internal k8s dns server to delegate to the AD DC for certain subdomains. When the in-cluster applications refer to domains outside of the DC's domain the resolution doesn't need to go through the DC's DNS. This principle would also apply to systems outside of the k8s cluster but you need to control a DNS server :-)

Example:

samba-container/tests/test-deploy-ad-server.sh

Lines 57 to 92 in 193bfe8

	echo "patching coredns zonefile"
	AD_POD_IP=$(kubectl get pod -o jsonpath='{ .items[*].status.podIP }')
	[ $? -eq 0 ] || _error "Error getting ad server pod IP"
	echo "AD pod IP: ${AD_POD_IP}"
	TMPFILE=$(mktemp)
	cat > "${TMPFILE}" <<EOF
	data:
	Corefile: |
	EOF
	kubectl get cm -n kube-system coredns -o jsonpath='{ .data.Corefile }' \
	| sed -e 's/^/ /g' \
	>> "${TMPFILE}"
	echo >> "${TMPFILE}"
	# don't repeat an existing block for our domain
	FIRSTLINE="$(head -1 ./tests/files/coredns-snippet.template)"
	LASTLINE=" }"
	sed -i .backup -e "/$FIRSTLINE/,/$LASTLINE/d" "${TMPFILE}"
	sed -e "s/AD_SERVER_IP/${AD_POD_IP}/" \
	< tests/files/coredns-snippet.template \
	>> "${TMPFILE}"
	echo >> "${TMPFILE}"
	kubectl patch cm -n kube-system coredns -p "$(cat "${TMPFILE}")"
	[ $? -eq 0 ] || _error "Error patching coredns config map"
	echo "ad setup done"

Maybe that'll be useful to you as a workaround for not being able to set dns forwarder for now.

[scara]

Thanks @phlogistonjohn for your fast reply and insights!
For my use case the AD DC DNS will be the primary one, unfortunately.

samba-container/tests/test-deploy-ad-server.sh

Nice hack!

In the mean time, I'll explore the other sambacc caps.

TIA,
Matteo