[Samba] name resolve order parameter for security=ads

Rowland Penny rpenny at samba.org
Mon Jul 11 07:30:35 UTC 2022


On Mon, 2022-07-11 at 08:23 +0200, Jonathan Neuhauser via samba wrote:
> Dear Samba list,
> 
> I noticed that the recommendation for the "name resolve order" parameter
> for security = ads, namely "wins bcast", breaks everything on my test
> domain client (Rowland Penny asked me to post this issue on the mailing
> list to exclude misconfiguration on my part).
> 
> samba --version: Version 4.13.17-Ubuntu, Ubuntu 20.04 LTS, uname -r: 
> 5.13.0-52-generic
> 
> Here's my smb.conf as shown by testparm (realm replaced by
> EXAMPLE.ORG):
> 
> [global]
>      kerberos method = system keytab
>      log file = /var/log/samba/log.%m
>      logging = file
>      log level = 3
>      map to guest = Bad User
>      max log size = 1000
>      ntlm auth = ntlmv2-only
>      panic action = /usr/share/samba/panic-action %d
>      realm = EXAMPLE.ORG
>      security = ADS
>      template shell = /bin/bash
>      winbind enum groups = Yes
>      winbind enum users = Yes
>      winbind nss info = rfc2307
>      winbind offline logon = Yes
>      winbind refresh tickets = Yes
>      winbind use default domain = Yes
>      workgroup = EXAMPLE
>      idmap config example : unix_primary_group = yes
>      idmap config example : schema_mode = rfc2307
>      idmap config example : unix_nss_info = yes
>      idmap config example : range = 8000 - 9999999
>      idmap config example : backend = ad
>      idmap config * : range = 3000 - 7999
>      idmap config * : backend = tdb
> 
> and krb5.conf:
> 
> [libdefaults]
>    default_realm = EXAMPLE.ORG
>    kdc_timesync = 1
>    ccache_type = 4
>    forward = true
>    forwardable = true
>    proxiable = true
>    dns_lookup_realm = true
>    dns_lookup_kdc = true
> 
> With this setting, wbinfo -i username as well as wbinfo -i
> "EXAMPLE\username" works fine and shows correct uid/gid and home
> directory, and domain integration works mostly fine - including PAM &
> NSS integration and graphical login, as well as Kerberos access to
> shares hosted by this machine. So thanks to the samba team for providing
> a great tool!
> 
> If I additionally set
> 
>     name resolve order = wins bcast
> 
> wbinfo -P shows
> 
> checking the NETLOGON for domain[EXAMPLE] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
> 
> wbinfo -i username or wbinfo -i "EXAMPLE\username"
> 
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user username
> 
> I can resolve the SRV records: host -t SRV _ldap._tcp.example.org still
> shows the available domain controllers.
> 
> It is from these observations that I filed bug
> https://bugzilla.samba.org/show_bug.cgi?id=15117, but maybe there's an
> issue with my configuration as shown above. I'll also provide further
> logs on request.
> 
> Thanks in advance,
> 
> Jonathan

Hi Jonathan, thanks for posting your smb.conf, which doesn't really
have anything wrong with it.

I have tried 'wbinfo -P' & 'wbinfo -i' on two machines, one running
4.15.7 with the 'ad' backend and one running 4.13.3 with the 'rid'
backend. Both succeed.

What is different between your setup and mine is krb5.conf, so can you
try this one:

[libdefaults]
   default_realm = EXAMPLE.ORG
   dns_lookup_realm = false
   dns_lookup_kdc = true

Rowland
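As an added example (not code from either poster or from Samba itself), a small lint check for the trap Jonathan hit: the smb.conf man page documents 'host' as the 'name resolve order' method that performs the DNS SRV query for _ldap._tcp.<realm>, so an AD member whose order omits it, as "wins bcast" does, cannot locate domain controllers via DNS. The sample configurations embedded below are constructed, not copied from the thread.

```python
"""Added example (not from either poster or from Samba): lint an smb.conf
for the 'name resolve order' trap in the thread above.  The smb.conf man
page documents 'host' as the method that issues the DNS SRV query for
_ldap._tcp.<realm>; drop it and an AD member cannot find its DCs via DNS."""
import re

DEFAULT_ORDER = "lmhosts wins host bcast"  # Samba's documented default

# Constructed samples: the failing order from the thread, and a corrected one.
BROKEN_CONF = """[global]
    security = ADS
    realm = EXAMPLE.ORG
    workgroup = EXAMPLE
    name resolve order = wins bcast
"""
FIXED_CONF = BROKEN_CONF.replace("wins bcast", "host wins bcast")

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with whitespace
    collapsed (so 'Name Resolve Order' matches); ';' and '#' start comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf

def lint_name_resolve_order(text):
    """Return a list of findings; an empty list means nothing was detected."""
    g = parse_smb_conf(text).get("global", {})
    if g.get("security", "").lower() != "ads":
        return []  # only AD members depend on the DNS SRV lookup
    order = g.get("name resolve order", DEFAULT_ORDER).lower().split()
    if "host" in order:
        return []
    realm = g.get("realm", "<realm>").lower()
    return [f"security = ads with name resolve order = {' '.join(order)!r}: "
            f"'host' is missing, so the SRV lookup for _ldap._tcp.{realm} "
            f"is never tried and winbind cannot locate a domain controller"]

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_name_resolve_order(conf) or ["ok"])
```

Feed it the output of `testparm -s` to check a live member server; an unset parameter is treated as Samba's default, which includes 'host'.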
