[Samba] Samba acting as a domain member + netbios

Vincent DROUIN vdrouin at chapsvision.com
Thu Jan 25 16:28:57 UTC 2024


Thanks for the advice about the security line, I won't use domain type anymore then.

I know name_status_find is using NetBIOS; what I don't know is why this function is called when using 'security = ads', and as a result of the failure my domain is added to the failed connection cache.

Then, every action that needs to have a look into the cache results in failing, and wbinfo -P returns "WBC_ERR_DOMAIN_NOT_FOUND"

I've got the following error message:
wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: BERTINIT - NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND

Cheers
Vincent

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, January 25, 2024 17:18
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba acting as a domain member + netbios

On Thu, 25 Jan 2024 15:48:39 +0000
Vincent DROUIN via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm trying to use a Samba share service with authentication
> delegated to a Windows Active Directory Server.
>
> I manage to join successfully to the AD using net ads join command,
> with or without Kerberos, using either "security = domain" or
> "security = ads".

You really should only use 'security = ads', 'domain' is meant for the legacy NT4-style domains.

> Nevertheless, if I use "disable netbios" option, winbindd immediately
> fails to use "name_status_find",

It would, it requires netbios. If you turn the logging up to 5, you will get a log message telling you this.

> the domain is
> then added to the negative connection cache and the whole thing stops
> working.

What stops working? The entire domain, or whatever you are trying to do?

>
> The winbind ping is also failing if netbios is disabled.

Are we talking about 'wbinfo -P'? Because I have netbios turned off in smb.conf (I also do not run nmbd) and that command works for myself:

wbinfo -P
checking the NETLOGON for domain[SAMDOM] dc connection to "rpidc2.samdom.example.com" succeeded

Though I am using a Samba AD DC

>
> Am I missing some configuration parameter that would prevent such a
> behavior? NetBios is an unsecure deprecated protocol: why is it
> mandatory to have it to verify communication with the domain?

It isn't mandatory, as far as I am aware, as for you having a missing parameter, it is doubtful, but I haven't a clue because I do not know what you have in your smb.conf.

Rowland
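
Added example, not part of the original thread and not Samba project code: a small check of the [global] section of an smb.conf for the settings discussed above ('security = domain', 'disable netbios', and a log level below 5). The sample configuration, its workgroup and realm values, and the function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf; workgroup and realm are made-up values.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    Security = DOMAIN
    disable netbios = Yes
    ; log level = 5
[share]
    path = /srv/share
"""

TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    # A trailing backslash continues a line; join those first.
    for raw in re.sub(r"\\\r?\n", "", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = re.sub(r"\s+", "", line[1:-1]).lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Case and whitespace in parameter names are not significant.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """Return findings for the settings raised in the thread."""
    p, findings = parse_global(text), []
    if p.get("security", "").lower() == "domain":
        findings.append("WARN: 'security = domain' is for legacy NT4-style "
                        "domains; use 'security = ads'")
    if p.get("disablenetbios", "no").lower() in TRUE_VALUES:
        findings.append("NOTE: 'disable netbios' is on; name_status_find "
                        "requires NetBIOS")
        # 'debuglevel' is a synonym; value may look like '3 auth:10'.
        level = re.match(r"\d+", p.get("loglevel", p.get("debuglevel", "0")))
        if not level or int(level.group()) < 5:
            findings.append("NOTE: raise 'log level' to 5 to log the "
                            "NetBIOS lookup failure")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SMB_CONF)))
```
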

