If you are doing AD, then you don't need broadcasts. I have a small AD setup on one host with the "root" DC (from which replication is sourced and no outside host has access), a "subnet" DC (which replicates from the "root"), a member server (file server) and an ldap proxy (haproxy, for HA/LB) all running in separate jails:
```
# jls
   JID  IP Address      Hostname                       Path
  1000  10.1.200.99     dc-root.ad.nyingma.org         /usr/local/Jail-AD/dc-root
  1001  10.1.200.98     dc-lodge.ad.nyingma.org        /usr/local/Jail-AD/dc-lodge
  1002  10.1.200.101    fs-lodge.ad.nyingma.org        /usr/local/Jail-AD/fs-lodge
  1003  10.1.1.3        ldap-proxy.in.nyingma.org      /usr/local/Jail-AD/ldap-proxy
```
You need to ensure you specify interfaces to bind to the jail's IP and not a broadcast, plus disable NetBIOS:
```
# jexec 1000 samba --version
Version 4.2.4
# jexec 1000 cat /usr/local/etc/smb4.conf
# Global parameters
[global]
        workgroup = NYINGMA
        realm = AD.NYINGMA.ORG
        netbios name = DC-ROOT
        interfaces = 10.1.200.99
        bind interfaces only = Yes
        server role = active directory domain controller
        disable netbios = Yes
        dns forwarder = 10.1.200.1
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        tls enabled = Yes
        tls keyfile = tls/Server-AD-dc-root-key.pem
        tls certfile = tls/Server-AD-dc-root.crt
        tls cafile = tls/CANI-RootCSA.crt
        idmap_ldb:use rfc2307 = yes
        log level = 1

[netlogon]
        path = /var/db/samba4/sysvol/ad.nyingma.org/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No
```
My very limited understanding of AD is that the DC can/should provide the directory, and DNS is used instead of relying on broadcasts, enabling you to break out of local-subnet-only visibility.
I have joined one Win7 machine to this domain to administer it with ADUC, my FreeBSD workstation and FreeBSD server, utilizing rfc2307 to ensure consistent uid/gid across all systems. None of these clients are on the same subnet as the AD jailed hosts. On the Win7 machine I could access the member server simply by entering fs-lodge, as the DNS domain is the same for them all.
In this case, it's not for security, but because it is not recommended to run a DC and a member server on the same host, per the wiki:
Whilst the Domain Controller seems capable of running as a full file server, it is suggested that organisations run a distinct file server to allow upgrades of each without disrupting the other. It is also suggested that medium-sized sites should run more than one DC. It also makes sense to have the DC's distinct from any file servers that may use the Domain Controllers. Additionally using distinct file servers avoids the idiosyncrasies in the winbindd configuration on to the Active Directory Domain Controller. The Samba team do not recommend using the Domain Controller as a file server, the recommendation is to run a separate Domain Member with file shares.
I didn't want to have to use two pieces of hardware to run this lot on.
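As an added example (not from the post above or from Samba itself), here is a small POSIX sh check that verifies the three settings the post relies on for a jailed DC: `interfaces` holds only explicit host addresses (no interface names, subnets, 0.0.0.0 or the broadcast address), `bind interfaces only` is on, and `disable netbios` is on. The function names and the sample configs in the usage are constructed for this example.

```shell
#!/bin/sh
# Hypothetical helper, not a Samba tool: audit a smb4.conf so a jailed DC
# listens only on its own IP and never on broadcast or interface-wide addresses.

# Print the value of one [global] key (Samba keys are case-insensitive).
smb_global_key() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && /=/ && !/^[ \t]*[#;]/ {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == want) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# True when a Samba boolean is enabled (yes/true/1, any case).
smb_bool_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the [global] section is jail-safe, 1 otherwise (reasons on stdout).
check_smb_bind() {
    conf="$1"; rc=0
    ifaces=$(smb_global_key "$conf" "interfaces")
    [ -n "$ifaces" ] || { echo "interfaces: not set"; rc=1; }
    for tok in $ifaces; do
        # Only a literal dotted-quad host address is accepted: interface names,
        # CIDR/netmask forms and wildcard/broadcast addresses all widen the bind.
        case "$tok" in
            0.0.0.0|255.255.255.255) echo "interfaces: $tok is not a host address"; rc=1 ;;
            */*) echo "interfaces: $tok is a subnet, not a host"; rc=1 ;;
            *) printf '%s' "$tok" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
                   || { echo "interfaces: $tok is not an IP address"; rc=1; } ;;
        esac
    done
    smb_bool_on "$(smb_global_key "$conf" "bind interfaces only")" \
        || { echo "bind interfaces only: must be Yes"; rc=1; }
    smb_bool_on "$(smb_global_key "$conf" "disable netbios")" \
        || { echo "disable netbios: must be Yes"; rc=1; }
    return $rc
}

# Stand-alone use: sh check_smb_bind.sh /usr/local/etc/smb4.conf
if [ $# -eq 1 ]; then check_smb_bind "$1"; fi
```

Run it inside each jail (jexec JID sh check_smb_bind.sh /usr/local/etc/smb4.conf); a silent run with exit status 0 means the DC is pinned to its jail address.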