[Samba] Samba domain name in short format

Sun, Zhongdong zhongdong.sun at yale.edu
Tue May 7 01:34:58 UTC 2024


Hi Jeremy,

I forgot to mention this. All these strange behaviors occurred when winbind was turned off. If I turn on winbind, this problem could be resolved, i.e. at least it allowed me to log in as YALE\zs24, but it always said 'access is denied' even when I input the correct password. Maybe something is wrong with the Samba settings. Here is my smb.conf file. Does anything look unusual? I'm not sure about the idmap config part, especially the range and backend.

Thanks.
Zhongdong

[global]

        netbios name = HECATE
        workgroup = YALE
        realm = YU.YALE.EDU
        server string = PET Center Samba Server
        security = ADS
        #2017-11-23 zs24, allow ntlm which is still used by some local accounts and old Windows XP machines.
        ntlm auth = yes
        client NTLMv2 auth = yes
        client lanman auth = no
        client plaintext auth = no
        min protocol = NT1

        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        idmap config * : range = 10000-199999
        idmap config YALE : backend = sss
        idmap config YALE : range = 200000-2147483647
        machine password timeout = 0

-----Original Message-----
From: Jeremy Allison <jra at samba.org> 
Sent: Monday, May 6, 2024 5:50 PM
To: Sun, Zhongdong <zhongdong.sun at yale.edu>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba domain name in short format

On Mon, May 06, 2024 at 09:03:14PM +0000, Sun, Zhongdong via samba wrote:
>Hi Rowland,
>
>Thanks for your quick response.
>
>Yes, it's Samba+sssd+krb5+AD. So many technologies wrapped together,  
>and I don't know which part can go wrong. We managed to make them work 
>together with the full domain name format such as yu.yale.edu\zs24.
>But it didn't work with the short format such as YALE\zs24. When I did this on a
>Windows computer, it reported "We can't sign you in with this
>credential because your domain isn't available."
>This seems to be a DNS issue, because it cannot convert 'YALE' to its full name 'yu.yale.edu'.

Yep it's DNS. Client can't get a krb5 ticket for the server as the full hostname isn't correct.
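
An added example, not part of the original thread and not Samba project code: a small Python check that reads a [global] section like the one posted above, verifies that the idmap ranges do not overlap, and reports the legacy authentication settings the config enables. The function names, the finding strings, and the trimmed sample config are assumptions made for this illustration.

```python
import re
from itertools import combinations

# Constructed sample: a subset of the [global] settings quoted in the message.
SAMPLE = """\
[global]
    ntlm auth = yes
    min protocol = NT1
    idmap config * : backend = tdb
    idmap config * :  range = 10000-199999
    idmap config YALE : backend = sss
    idmap config YALE : range = 200000-2147483647
"""

IDMAP_KEY = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)$")
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def parse_global(text):
    """Return {key: value} for [global]; keys lowercased, whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(text):
    """Return findings about idmap range overlap and legacy auth settings."""
    params, ranges, findings = parse_global(text), {}, []
    for key, value in params.items():
        m = IDMAP_KEY.match(key)
        if m and m.group(2) == "range":
            low, high = (int(part) for part in value.split("-"))
            ranges[m.group(1)] = (low, high)
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"idmap ranges overlap: {a} and {b}")
    if params.get("ntlm auth", "").lower() in ("yes", "ntlmv1-permitted"):
        findings.append("ntlm auth permits NTLMv1")
    min_proto = params.get("min protocol", params.get("server min protocol", ""))
    if min_proto.upper() in SMB1_DIALECTS:
        findings.append("min protocol allows SMB1")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

On the sample, the two idmap ranges are adjacent but disjoint, so only the NTLMv1 and SMB1 findings are reported.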