What we did in this situation is we have all local computers (Domain and non-Domain) use our two A.D. DNS servers for DNS and that's it. We then have those DNS servers forward unknown requests to our ISP DNS.
A while ago, we had our DHCP server assigning our two DNS servers and then the ISP DNS as a tertiary. With that, we would have random issues where one day someone could resolve a local host and other days they couldn't. So I removed the ISP DNS from the DHCP server's assignment. So now every device in the building uses the two internal servers, and those have a forwarder set to the ISP DNS. Works like a charm.
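A small audit of the setup this answer describes, added here as an example (it is not the answer author's code and not part of Samba): it parses a DHCP scope to confirm that clients are handed only the AD DNS servers, and a Samba DC config to confirm that an upstream forwarder is set. The addresses, the dhcpd.conf scope and the smb.conf fragment are constructed; `dns forwarder` is the real Samba parameter.

```python
"""Audit a DHCP scope and a Samba AD DC config for the resolver setup above:
clients get only the AD DNS servers, and the DC forwards the rest upstream.

Added example with constructed config text; the addresses are assumptions.
"""
import ipaddress
import re

# Assumed addresses: two AD DCs running Samba's DNS, and the ISP resolver.
AD_DNS_SERVERS = frozenset({"10.0.0.10", "10.0.0.11"})
ISP_DNS = "203.0.113.53"

# Constructed dhcpd.conf scope as it was before the fix (ISP DNS as tertiary).
DHCPD_CONF_BEFORE = """\
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option domain-name "ad.example.com";
  option domain-name-servers 10.0.0.10, 10.0.0.11, 203.0.113.53;
}
"""

# Constructed scope after the fix: only the AD DCs are handed out.
DHCPD_CONF_AFTER = DHCPD_CONF_BEFORE.replace(", 203.0.113.53", "")

# Constructed smb.conf fragment for the DC; 'dns forwarder' is the real
# Samba parameter that sends queries for unknown zones upstream.
SMB_CONF = """\
[global]
    server role = active directory domain controller
    dns forwarder = 203.0.113.53
"""


def dhcp_dns_servers(conf_text):
    """Collect every address from 'option domain-name-servers' lines,
    validating that each one parses as an IP address."""
    servers = []
    for match in re.finditer(r"option\s+domain-name-servers\s+([^;]+);", conf_text):
        for token in match.group(1).split(","):
            servers.append(str(ipaddress.ip_address(token.strip())))
    return servers


def foreign_resolvers(conf_text, allowed=AD_DNS_SERVERS):
    """Resolvers handed to clients that are not AD DNS servers; these are the
    ones that cannot answer for the AD zone and cause intermittent failures."""
    return [s for s in dhcp_dns_servers(conf_text) if s not in allowed]


def samba_forwarders(smb_conf):
    """Return the addresses in 'dns forwarder', or [] if it is unset."""
    match = re.search(r"^\s*dns forwarder\s*=\s*(.+?)\s*$", smb_conf, re.MULTILINE)
    return match.group(1).split() if match else []


def audit(dhcp_conf, smb_conf):
    """Return a list of findings; an empty list means the setup matches the
    answer: internal resolvers only on clients, upstream forwarder on the DC."""
    findings = []
    for server in foreign_resolvers(dhcp_conf):
        findings.append(f"DHCP hands out non-AD resolver {server}")
    if not samba_forwarders(smb_conf):
        findings.append("DC has no 'dns forwarder'; external names will not resolve")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", DHCPD_CONF_BEFORE), ("after", DHCPD_CONF_AFTER)):
        print(label, audit(conf, SMB_CONF) or "OK")
```

Running it reports the ISP resolver in the "before" scope and nothing for the "after" scope; pointing it at the real files instead of the constructed strings makes it a quick drift check after DHCP or Samba changes.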
I do not see any security directive in your config file. I assume that you want security=ad. I've spent the last month trying to do exactly the same thing: use OpenLDAP as the main database of user login information.
I've tested a few approaches:
Samba 4 AD can't do trusts at the moment (the Samba Team will soon publish Samba 4.2, at the time of writing), so you can't use trust mechanisms.
Samba 4 in AD mode, as far as I know, can't be based on OpenLDAP because of the lack of schemas needed by Active Directory.
I've tried to use software called LSC, which basically allows you to sync users and groups between AD and OpenLDAP. No luck here either. The LSC documentation and examples are outdated and not compatible with the current release. I finally managed to get user sync working, but there are a few bugs (at least in LSC v2.0, which I tried): when you update a password in OpenLDAP, LSC won't catch it. You have to store passwords in plain text to make it work.
For now there is no Samba AD controller with OpenLDAP as backend. I am planning to stick with a classic NT domain controller; as soon as Samba supports trusts, I want to delegate one-way trusts (from the Samba4 NT DC to the Samba4 AD) and use it on the AD domain controller with user information located in OpenLDAP.
If someone can find any mistake here, I'll be more than glad to hear it. ;-)
UPDATE:
According to information from Francesco Malvezzi, in Samba 4.3 trusts are now supported:
https://www.samba.org/samba/history/samba-4.3.0.html
Improved support for trusted domains (as AD DC)
The support for trusted domains/forests has improved a lot.
samba-tool got "domain trust" subcommands to manage trusts:
create - Create a domain or forest trust.
delete - Delete a domain trust.
list - List domain trusts.
namespaces - Manage forest trust namespaces.
show - Show trusted domain details.
validate - Validate a domain trust.
External trusts between individual domains work in both ways (inbound and outbound). The same applies to root domains of a forest trust. The transitive routing into the other forest is fully functional for kerberos, but not yet supported for NTLMSSP.
While a lot of things are working fine, there are currently a few limitations:
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
  - This means DCs of domain A can grant domain admin rights in domain B.
- It's not possible to add users/groups of a trusted domain into domain groups.
Configuration example:
https://www.samba.org/samba/history/samba-4.3.0.html
The trust relationship is created and can be checked using winbind:
wbinfo -u
-> get local users list
wbinfo -u --domain=trusted.domain.tld
-> get trusted domain users list (the short domain name can be used too)
It can also be validated using the --local-dc-username and --local-dc-password switches:
samba-tool domain trust validate trusted.domain.tld \
    --local-dc-password=trustedAdminPass \
    --local-dc-username=administrator \
    -U administrator@trusted.domain.tld
Using Samba's internal DNS makes DNS query forwarding transparent (with the few tools I can think of to check).
To be able to connect to machine.A.domain.tld using a user from B.domain.tld, you'll have to add the "Authenticated Users" special group to the people authorized for RDP.
I am still waiting until it becomes available in the official channels of my distro (Debian 8-9), though.
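The limitation quoted above from the 4.3 notes, "No SID filtering rules are applied at all", is the security-relevant point of this answer: the trusting side believes every SID the trusted domain's DC puts in a user's group list, so a compromised or malicious DC in domain B can claim membership of A's Domain Admins. Here is an added illustration (not Samba or Windows code, and not from this answer's author) of the check a filtering trust applies, side by side with what an unfiltered trust accepts. The domain SIDs and the presented group list are constructed; the well-known SID allowlist is a deliberately minimal assumption.

```python
"""SID filtering on an inbound trust, as a model.

Added illustration, not Samba or Windows code: it shows why accepting every
SID from a trusted DC is dangerous, and the filter that closes the hole by
keeping only SIDs the trusted domain is authoritative for.
"""

# Constructed (hypothetical) domain SIDs.
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"    # domain A, trusting side
TRUSTED_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # domain B, trusted side

DOMAIN_ADMINS_RID = 512

# Assumed allowlist: well-known SIDs any authenticating DC may legitimately
# assert (Everyone, Authenticated Users). Everything else must come from the
# trusted domain itself.
ALLOWED_WELL_KNOWN = frozenset({"S-1-1-0", "S-1-5-11"})

# Constructed group list as domain B's DC might present it for one of its
# users; the last two entries are claims that filtering must drop.
PRESENTED_SIDS = [
    TRUSTED_DOMAIN_SID + "-1105",   # the user from B
    TRUSTED_DOMAIN_SID + "-513",    # B\Domain Users
    "S-1-5-11",                     # Authenticated Users
    "S-1-5-32-544",                 # BUILTIN\Administrators: never valid across a trust
    LOCAL_DOMAIN_SID + "-512",      # A\Domain Admins, asserted by B's DC
]


def split_sid(sid):
    """Split a domain SID ('S-1-5-21-a-b-c-rid') into (domain part, rid).
    Non-domain SIDs (well-known, BUILTIN) come back as (sid, None)."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8 and parts[-1].isdigit():
        return "-".join(parts[:-1]), int(parts[-1])
    return sid, None


def filter_trusted_sids(presented, trusted_domain_sid, allowed=ALLOWED_WELL_KNOWN):
    """Keep SIDs the trusted domain is authoritative for plus the allowlisted
    well-known SIDs; reject everything else (other domains, BUILTIN, SID
    history pointing elsewhere). Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for sid in presented:
        domain, _rid = split_sid(sid)
        if sid in allowed or domain == trusted_domain_sid:
            accepted.append(sid)
        else:
            rejected.append(sid)
    return accepted, rejected


def no_sid_filtering(presented):
    """What an unfiltered trust does: believe every SID the remote DC sends."""
    return list(presented), []


def grants_local_domain_admin(sids, local_domain_sid=LOCAL_DOMAIN_SID):
    """True if a token built from these SIDs carries the local domain's
    Domain Admins SID, i.e. the remote DC has just made this user an admin."""
    return (local_domain_sid + "-" + str(DOMAIN_ADMINS_RID)) in sids


if __name__ == "__main__":
    unfiltered, _ = no_sid_filtering(PRESENTED_SIDS)
    filtered, dropped = filter_trusted_sids(PRESENTED_SIDS, TRUSTED_DOMAIN_SID)
    print("unfiltered grants A\\Domain Admins:", grants_local_domain_admin(unfiltered))
    print("filtered grants A\\Domain Admins:  ", grants_local_domain_admin(filtered))
    print("dropped:", dropped)
```

Until the DC applies a check like this, the first limitation in the notes ("Both sides of the trust need to fully trust each other") is literal: an administrator of the trusted domain is effectively an administrator of yours, so treat a 4.3 trust as a merge of the two admin teams rather than a boundary.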
Best Answer
All machines here use our internal DNS (bind9) to access internet. It serves internal addresses, external and forwards all to our "provider", the University.
Samba AD works with those as the DNSes, but sometimes we can't even join a machine to the domain if we don't change the DNSes to the domain's IP. But I was having problems when doing that with some internal addresses that were not being resolved by Bind9 or Samba's internal DNS, even after implementing a secondary DC to act as DNS for the AD and to sync configurations. Implementing the second server, as backup, worked correctly for a week, but something in the old server, which can be considered legacy, started to cause problems and the backup started to have the same problems with internal DNS resolution. Don't know why, and I wasted too much time.
So I solved it using DNSMASQ as described here http://edoceo.com/howto/samba4. Now everything (!!) is working fine.