samba 4 - 'domain admin' accounts behaving like normal users; inexplicable errors

Michael Wood esiotrot at gmail.com
Sat Sep 18 16:49:15 MDT 2010


On 18 September 2010 22:24, Ben Hodgens <ben at hodgens.net> wrote:
> Thanks for the response, Matthias.
>
> On 09/11/2010 07:24 AM, Matthias Dieter Wallnöfer wrote:
>>
>> Hi Ben,
>>
>> Ben Hodgens wrote:
[...]
>>> Unfortunately, I'm not seeing anything in the samba.log file which
>>> might indicate the cause of this problem, one way or the other. (The
>>> only thing in there is relating to samba_dnsupdate, which I wouldn't
>>> expect to work - I'm using dnsmasq not bind; might this be the fault?).
>>
>> You can ignore dnsupdate errors for the moment - they are not
>> essentially important.
>> But also with "dnsmasq" you make use of our provision-generated zone
>> files or create the entries requested by AD, I imagine?
>
> Here is what I'm using in my (dnsmasq) hosts file, which I duplicated from
> the zone files, more or less (not 100% sure it's perfectly congruent):
>
> 10.9.8.3        gc._msdcs.rc1.mydomain.com      gc._msdcs
> 10.9.8.3        _gc._tcp.rc1.mydomain.com       _gc._tcp
> 10.9.8.3        _gc._tcp.Default-First-Site-Name._sites.rc1.mydomain.com        _gc._tcp.Default-First-Site-Name._sites
> 10.9.8.3        _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.rc1.mydomain.com    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs
> 10.9.8.3        _gc._tcp.gc._msdcs.rc1.mydomain.com     _gc._tcp.gc._msdcs
> 10.9.8.3        _ldap._tcp.gc._msdcs.rc1.mydomain.com   _ldap._tcp.gc._msdcs
> 10.9.8.3        _ldap._tcp.rc1.mydomain.com             _ldap._tcp
> 10.9.8.3        _ldap._tcp.dc._msdcs.rc1.mydomain.com   _ldap._tcp.dc._msdcs
> 10.9.8.3        _kerberos._udp.rc1.mydomain.com         _kerberos._udp
> 10.9.8.3        rc1.mydomain.com                        rc1

And if you, e.g., do:

$ host -t srv _ldap._tcp.rc1.mydomain.com.

Does it return something like this?

_ldap._tcp.rc1.mydomain.com has SRV record 0 100 389 rc1.mydomain.com

Does dnsmasq handle SRV records?

According to their docs they do, but it looks like what you have is
not enough.  You have to put some stuff in dnsmasq.conf:

# Change the following lines if you want dnsmasq to serve SRV
# records.  These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part is missing from the name (so that it just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389

# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

-- 
Michael Wood <esiotrot at gmail.com>