-
by MrHoffman, Oct 25, 2015 2:30 PM in response to Lastouille
Your internal network will use internal addresses. If you don't do that, then your traffic will pass via your firewall.
I'd either use a subdomain of your registered domain, or use a second registered domain, for your internal DNS translations.
I'd not try to use the same domain name inside and out.
Mixing internal and external addresses and using the same domain name with authoritative servers within two pools of DNS servers — within your network, and the public DNS servers — is possible, but it also means you get to track any changes to the public DNS in your private DNS, and it means you'll need a firewall that can "reflect" traffic to your public IP address back into your network.
You're not likely going to have Open Directory accessible outside your network, as well.
-
by Lastouille, Oct 25, 2015 2:10 PM in response to MrHoffman
Thanks for your reply.
So, basically, you are telling me that it's a good thing that I see my internal IP on the DNS page, and not the public one?
In fact, I already use a subdomain for this Mac server. I recorded an A entry at my DNS provider linking this particular subdomain to my public IP. All the other subdomains and the domain itself are linked to another server with another public IP.
In Server.app, I only have a primary zone (subdomain.domain.com), a record linking the host name (= subdomain.domain.com) to the internal static IP of the server, and a reverse one. Does it seem OK to you? Or should I change the hostname to something like sth.subdomain.domain.com?
-
by MrHoffman, Oct 25, 2015 2:49 PM in response to Lastouille
Your public IP address "belongs" to your firewall-gateway-router-NAT box, and (maybe) as an alias domain for a web server or related.
Your server has a private static IP address, and it is your private static IP address that is typically associated with the OS X Server server.
I'm not familiar with DNS records "linking the host name" to the internal server IP address, and might guess that you are referring to an alias (CNAME) record. I'd recommend an A or AAAA machine record for the server internal IP address, and not a CNAME.
If you have your public address resolving from within your local DNS, then the local connections must go via your firewall-gateway-router-NAT box, and those connections must abide by whatever access requirements and configuration might be in place there.
Please read the linked reference material for a write-up on the various configuration options and trade-offs with OS X Server DNS, terminology and related.
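The reply above makes two checkable points about the internal zone: the server's host name should be an A/AAAA record (not a CNAME) that resolves to the private LAN address, and the reverse zone should point back to it. The following added checker is not from the thread or from Apple; it assumes Server.app's DNS is BIND-style and uses constructed placeholder zone data in place of the poster's real zone.

```python
import ipaddress
import re
# Constructed BIND-style zones standing in for the Server.app primary zone and its reverse
# zone (assumption: names and addresses below are placeholders, not the poster's real data).
FORWARD_ZONE = """\
$ORIGIN subdomain.domain.com.
@       IN SOA subdomain.domain.com. admin.domain.com. (1 3600 900 604800 86400)
@       IN A   192.168.1.10
server  IN A   192.168.1.10
www     IN CNAME @
"""
REVERSE_ZONE = """\
$ORIGIN 1.168.192.in-addr.arpa.
10      IN PTR subdomain.domain.com.
"""
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME|PTR)\s+(\S+)", re.I)

def parse_zone(text):
    # Returns (owner FQDN, type, rdata) tuples for A/AAAA/CNAME/PTR records only.
    origin, records = "", []
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()          # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if not (m := RR.match(line)):
            continue                                # SOA, NS and blank lines
        owner, rtype, rdata = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"             # qualify relative names
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def check_host(hostname, forward, reverse):
    # Returns a list of problems with the server's host record; empty list means OK.
    fqdn = hostname.rstrip(".").lower() + "."
    fwd, rev, problems = parse_zone(forward), parse_zone(reverse), []
    if any(o == fqdn and t == "CNAME" for o, t, _ in fwd):
        problems.append("host name is a CNAME; use an A/AAAA record instead")
    addrs = [r for o, t, r in fwd if o == fqdn and t in ("A", "AAAA")]
    if not addrs:
        problems.append("no A/AAAA record for the host name in the internal zone")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_private:                       # LAN clients must get the LAN address
            problems.append(f"{addr} is not a private address")
        ptr = ip.reverse_pointer + "."
        if not any(o == ptr and t == "PTR" and r.lower() == fqdn for o, t, r in rev):
            problems.append(f"no PTR for {addr} pointing back to {fqdn}")
    return problems
```

Running `check_host("subdomain.domain.com", FORWARD_ZONE, REVERSE_ZONE)` on the sample returns no problems, while the `server` name reports a PTR mismatch and `www` is flagged as a CNAME.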
-
by Lastouille, Oct 25, 2015 11:48 PM in response to MrHoffman
Thanks for your reply, and sorry if I misunderstand a bit or if I don't use the right words; English is not my mother tongue.
By "linking the host name to the internal server IP address", I was referring to an A record.
So, I'm getting a bit further in my understanding of the DNS setup.
I just have another question. I have an A record at my DNS provider like this: subdomain.domain.com IN A 82.229.XXX.XXX, which is my router IP address.
I wonder if it's possible to use this subdomain as the host name of my Mac server, and also my internal name server?
When I try this, with my hostname and primary zone being subdomain.domain.com (plus A record and PTR on the private IP), the DNS setup seems to work correctly (cmd host with hostname and private IP, displayed public host name in Server.app, dig, changeip etc.), but I am not able to use remote services such as Contacts on a device not connected to the local network. It says that credentials are not valid when I try to log in on my iPhone for example (but they should be). And I can only use network file sharing with AFP; SMB won't work.
But, if I use a host name before the subdomain, such as server.subdomain.domain.com, with subdomain.domain.com as primary zone, then everything works, LAN file sharing, VPN, Contacts, Cal etc., except that there's no public host name in the internet reachability, only my router IP address.
So, what am I missing? I am a bit confused by the fact that, in the first case, everything seems to be OK but clearly is not, and in the second case, it doesn't seem to be perfectly set up, but things work...
-
by John Lockwood, Oct 26, 2015 3:35 AM in response to Lastouille
To run Open Directory you need to run an internal DNS server. This could be the same Mac server or a different, not necessarily Mac, server. The Open Directory server and all client Macs should point to this internal DNS server.
The DNS server software e.g. in Server.app would be set to use an external DNS server address as a forwarding DNS server address. However the computer running Server.app would have the internal DNS server as its own DNS server in Network settings.
Therefore internal servers and clients point to your internal DNS server, and if it itself cannot resolve an address it 'forwards' it to the external forwarding DNS server.
-
by Lastouille, Oct 26, 2015 7:11 AM in response to John Lockwood
Thanks John for your reply.
In both cases I described in my previous message, I do have the Open Directory server set up on the same Mac, i.e. on my internal DNS server.
For testing, I use a MacBook Air on the LAN, and an iPhone which connects remotely with 4G. The MacBook Air's first DNS server is the server's private IP address.
I put Google's IP as forwarding server in Server.app, and the Mac server looks to its own IP address to resolve DNS first.
And in both cases the Open Directory server name is the same as the host name...
-
by John Lockwood, Oct 26, 2015 7:17 AM in response to Lastouille
The MacBook Air would have (via DHCP) the private LAN IP address of the Mac server as the DNS server. The iPhone does not use Open Directory, so one could argue it does not need to resolve internal IP addresses at all. However, if one was going to do this, then the VPN server (if you are using one that the iPhone might connect via) would then 'tell' clients, including iPhones, to use the internal DNS server address. At other times the iPhone will automatically be told to use the mobile (4G) network's DNS servers.
Other than the above your setup sounds fine.
-
by Lastouille, Oct 26, 2015 7:52 AM in response to John Lockwood
The iPhone doesn't use Open Directory except for the credentials when trying to connect to an OS X Server account, right?
I really can't understand what's wrong. With subdomain.domain.com being everything (my hostname, DNS server, Open Directory server, primary zone, and the DNS of my router), I can't connect locally with my MacBook Air with "Add an OS X server account" in System Preferences.
The MacBook sees the network, I can get the SSL certificate, but when entering OD credentials, it tells me that they are invalid, with these messages in the password error log:
Oct 26 2015 15:04:57 539179us Requested SASL mechanism not loaded: SMB-NT
Oct 26 2015 15:08:40 449964us 'algorithm' must be 'md5' or 'md5-sess'
-
by John Lockwood, Oct 26, 2015 8:08 AM in response to Lastouille
Start off simple.
Log in to the MacBook Air using a local account. Then try logging in to an AFP share on the server using an Open Directory account. At this stage do not worry about binding the MacBook Air to Open Directory. It should still be able to log in to the AFP share using an Open Directory account if all is well.
Are you using the auto-generated server SSL certificates? Or are you using your own manually created SSL certificates, or are you using a purchased certificate?
-
by Lastouille, Oct 26, 2015 8:35 AM in response to John Lockwood
OK.
So I successfully connected to the server locally with a local account and with a network account, both with AFP and SMB (I couldn't yesterday with SMB, if I remember correctly).
The MacBook Air is not bound to the server. I tried a few days ago, but I could only get an anonymous binding, so I stopped trying.
It's a root self-signed certificate (word-for-word translation from French), not a trusted one.
-
by Lastouille, Oct 26, 2015 8:54 AM in response to Lastouille
I checked the certificates...
I have three certificates. The first two are automatically generated (IntermediateCA_subdomain.domain.com_1); one of them is a 'Code Signing Certificate'.
The third one is a root self-signed certificate (word-for-word translation from French), not a trusted one. I created it after having watched the Todd Olthoff videos... I don't know much about certificates.
Anyway, it doesn't matter which one I use for adding an OS X account on client, locally or remotely. In any case, it tells me that credentials are not valid.
-
by John Lockwood, Oct 26, 2015 9:18 AM in response to Lastouille
If you are able to log in to the AFP and/or SMB server with a network account, then the credentials are correct and working.
You will not be able to log in to the MacBook Air itself using a network account until you have successfully 'bound' it to the Open Directory server. This is done in System Preferences -> Users & Groups -> Login Options. Anonymous binding is OK for this purpose; authenticated binding has some advantages but is not compulsory. You would use the Open Directory Admin credentials to authorise Authenticated Binding, not an 'ordinary' admin account.
If you have successfully bound to Open Directory, it should be listed in green in the window in System Preferences and should also provide an 'Other' choice in the login window afterwards.
-
by Lastouille, Oct 26, 2015 9:19 AM in response to Lastouille
And now I notice that I can connect locally (with the MBA) and remotely (iPhone 4G) to CalDAV and CardDAV by adding an account for each service with my OD credentials.
But it still doesn't work if I try to connect by adding an OS X server account to get both of them simultaneously...
-
by Lastouille, Oct 26, 2015 9:26 AM in response to John Lockwood
I can bind anonymously to OD with my MBA. Green light.
And later add a network account, and then log in to my MBA with this network account.