samba 4 - 'domain admin' accounts behaving like normal users; inexplicable errors

Michael Wood esiotrot at gmail.com
Sun Sep 19 13:36:09 MDT 2010


Hi

On 19 September 2010 05:08, Ben Hodgens <ben at hodgens.net> wrote:
> Michael,
>
> It returns something similar, but not quite:
>
> _ldap._tcp.rc1.mydomain.com has SRV record 0 0 389 rc1.mydomain.com
>
> Might this deviation from "10" to "0" be a potential cause of the problem?
>
> I do have a number of srv-host definitions in my dnsmasq config already:
>
> srv-host=gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com
> srv-host=_gc._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com
> srv-host=_ldap._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,389
> srv-host=_ldap._tcp.dc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389
> srv-host=_ldap._tcp.gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389
> srv-host=gc._tcp.gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com
> srv-host=gc._tcp.Default-First-Site-Name._sites.gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com
> srv-host=_gc._tcp.Default-First-Site-Name._sites.rc1.mydomain.com,sentinel.rc1.mydomain.com
> srv-host=_kerberos._udp.rc1.mydomain.com,sentinel.rc1.mydomain.com

Not sure if this will help, but try this in dnsmasq.conf:

srv-host=_gc._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,3268,0,100
srv-host=_gc._tcp.Default-First-Site-Name._sites.rc1.mydomain.com,sentinel.rc1.mydomain.com,3268,0,100
srv-host=_ldap._tcp.gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,3268,0,100
srv-host=_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,3268,0,100
srv-host=_ldap._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_ldap._tcp.dc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_ldap._tcp.pdc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_ldap._tcp.bb62e504-14b5-4a46-9cb0-4ffe59f34c3a.domains._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_ldap._tcp.Default-First-Site-Name._sites.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_kerberos._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kerberos._tcp.dc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kerberos._tcp.Default-First-Site-Name._sites.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kerberos._udp.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kerberos-master._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kerberos-master._udp.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kpasswd._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,464,0,100
srv-host=_kpasswd._udp.rc1.mydomain.com,sentinel.rc1.mydomain.com,464,0,100
txt-record=_kerberos.rc1.mydomain.com,"RC1.MYDOMAIN.COM"

and this in your hosts file:

10.9.8.3  sentinel.rc1.mydomain.com
10.9.8.3  gc._msdcs.rc1.mydomain.com
10.9.8.3  29a8d19d-df8d-4f37-ac9f-3727cead9928._msdcs.rc1.mydomain.com

(with appropriate UUIDs, of course, and sorry for gmail wrapping the
long lines).

> On 09/18/2010 04:49 PM, Michael Wood wrote:
>>
>> And if you, e.g., do:
>>
>> $ host -t srv _ldap._tcp.rc1.mydomain.com.
>>
>> Does it return something like this?
>>
>> _ldap._tcp.rc1.mydomain.com has SRV record 0 100 389 rc1.mydomain.com
>>
>> Does dnsmasq handle SRV records?
>>
>> According to their docs they do, but it looks like what you have is
>> not enough.  You have to put some stuff in dnsmasq.conf:
>>
>> # Change the following lines if you want dnsmasq to serve SRV
>> # records.  These are useful if you want to serve ldap requests for
>> # Active Directory and other windows-originated DNS requests.
>> # See RFC 2782.
>> # You may add multiple srv-host lines.
>> # The fields are <name>,<target>,<port>,<priority>,<weight>
>> # If the domain part is missing from the name (so that it just has the
>> # service and protocol sections) then the domain given by the domain=
>> # config option is used. (Note that expand-hosts does not need to be
>> # set for this to work.)
>>
>> # A SRV record sending LDAP for the example.com domain to
>> # ldapserver.example.com port 389
>> #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
>>
>> # A SRV record sending LDAP for the example.com domain to
>> # ldapserver.example.com port 389 (using domain=)
>> #domain=example.com
>> #srv-host=_ldap._tcp,ldapserver.example.com,389
>>
>> # Two SRV records for LDAP, each with different priorities
>> #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
>> #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
>>
>> # A SRV record indicating that there is no LDAP server for the domain
>> # example.com
>> #srv-host=_ldap._tcp.example.com

-- 
Michael Wood <esiotrot at gmail.com>
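As an added example for this thread (not code from the original post, from dnsmasq or from Samba), the script below parses the srv-host lines of a dnsmasq config and checks them against the SRV record set a domain member expects: each name present, each with a target, and each on the well-known port (LDAP 389, global catalog 3268, Kerberos 88, kpasswd 464). The domain and host names follow the thread; the two sample configs and the list of expected records are constructed for illustration and should be extended for a real site.

```python
# Added example (not from the original post, dnsmasq or Samba): check the
# srv-host lines of a dnsmasq config against the SRV records an Active
# Directory domain member expects.  Names follow the thread; the sample
# configs below are constructed.
import re

# Owner-name prefix -> expected port on a domain controller.
# Assumed set of records a domain member looks up; extend for your site.
EXPECTED_PORTS = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_ldap._tcp.pdc._msdcs": 389,
    "_ldap._tcp.gc._msdcs": 3268,  # global catalog LDAP
    "_gc._tcp": 3268,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

SRV_LINE = re.compile(r"^\s*srv-host=(?P<fields>.+?)\s*$")


def parse_srv_host(line):
    """Parse 'srv-host=<name>,<target>,<port>,<priority>,<weight>'.

    Returns a dict, or None for any other line (comments, txt-record, ...).
    An absent target means "no server for this service"; absent
    port/priority/weight default to 0 as in dnsmasq.  Names are assumed
    to be fully qualified (no 'domain=' shorthand).
    """
    m = SRV_LINE.match(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group("fields").split(",")]
    name = fields[0].lower()
    target = fields[1] if len(fields) > 1 else ""
    numbers = [int(f) if f else 0 for f in fields[2:5]]
    numbers += [0] * (3 - len(numbers))
    port, priority, weight = numbers
    return {"name": name, "target": target, "port": port,
            "priority": priority, "weight": weight}


def check_ad_srv(config_text, domain):
    """Return a list of problems; empty when every expected record is fine."""
    domain = domain.lower()
    records = {}
    for line in config_text.splitlines():
        rec = parse_srv_host(line)
        if rec:
            records.setdefault(rec["name"], []).append(rec)

    problems = []
    for prefix, port in EXPECTED_PORTS.items():
        fqdn = f"{prefix}.{domain}"
        recs = records.get(fqdn)
        if not recs:
            problems.append(f"missing: {fqdn}")
            continue
        for rec in recs:
            if not rec["target"]:
                problems.append(f"{fqdn}: no target, advertises 'no server'")
            elif rec["port"] != port:
                problems.append(f"{fqdn}: port {rec['port']}, expected {port}")
    # RFC 2782 owner names are _service._proto.<name>; a bare 'gc._msdcs...'
    # entry is a host (A) name, which belongs in the hosts file instead.
    for name in records:
        if not name.startswith("_"):
            problems.append(f"{name}: not an SRV owner name, use a hosts entry")
    return problems


# Constructed sample modeled on the config quoted in the thread: ports
# omitted on the _gc and _kerberos lines, GC pointed at 389, pdc missing.
CONFIG_BEFORE = """\
srv-host=gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com
srv-host=_gc._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com
srv-host=_ldap._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,389
srv-host=_ldap._tcp.dc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389
srv-host=_ldap._tcp.gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389
srv-host=_kerberos._udp.rc1.mydomain.com,sentinel.rc1.mydomain.com
"""

# Constructed sample modeled on the corrected lines in the reply.
CONFIG_AFTER = """\
srv-host=_gc._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,3268,0,100
srv-host=_ldap._tcp.gc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,3268,0,100
srv-host=_ldap._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_ldap._tcp.dc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_ldap._tcp.pdc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,389,0,100
srv-host=_kerberos._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kerberos._tcp.dc._msdcs.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kerberos._udp.rc1.mydomain.com,sentinel.rc1.mydomain.com,88,0,100
srv-host=_kpasswd._tcp.rc1.mydomain.com,sentinel.rc1.mydomain.com,464,0,100
srv-host=_kpasswd._udp.rc1.mydomain.com,sentinel.rc1.mydomain.com,464,0,100
txt-record=_kerberos.rc1.mydomain.com,"RC1.MYDOMAIN.COM"
"""

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        problems = check_ad_srv(cfg, "rc1.mydomain.com")
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print("  " + p)
```

Run it against your own dnsmasq.conf with `check_ad_srv(open("/etc/dnsmasq.conf").read(), "your.domain")`. Note that the order `host -t srv` prints is priority, weight, port, target (RFC 2782), so "0 0 389" versus "0 100 389" differs only in weight, which has no effect when a single DC serves the domain; an srv-host line with no port at all, however, publishes port 0, which the checker flags.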