[Samba] Restricting to a subset of the domain controllers on a site
Wayne Rasmussen
Wayne at gomonarch.com
Tue May 29 21:24:45 GMT 2007
Had a situation where users could not map drives from Windows XP to
Solaris 9 system running Samba-3.0.10 for Active Directory. This
system has been running for a couple of years without problems. Now
recently, the site administrators have added some new servers to the
domain which may have introduced a problem.
This krb5.conf file has been modified to hide the site in question.
[libdefaults]
        default_realm = sanatized
        default_tgs-enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        default_tkt-enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        default_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
        sanatized = {
                kdc = DC1a.sanatized
                kdc = DC2a.sanatized
                kdc = DC3a.sanatized
                kdc = DC4a.sanatized
                admin_server = DC3a.sanatized
        }

[domain_realm]
        .sanatized = sanatized
        sanatized = sanatized

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        admin_server = FILE:/var/log/kadmin.log
        kdc_rotate = {
                # How often to rotate kdc.log. Logs will get rotated no more
                # often than the period, and less often if the KDC is not used
                # frequently.
                period = 1d
                # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
        gkadmin = {
                help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
        }
So the system is expecting to see the following Domain Controllers:
DC1a DC2a DC3a DC4a
However, when users were experiencing problems, we saw the following when
klist was run.

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: IL02mcs@sanatized
Valid starting     Expires            Service principal
05/29/07 11:04:53  05/29/07 21:04:53  krbtgt/sanatized@sanatized
        renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 21:04:53  exchgc01a$@sanatized
        renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 11:07:09  kadmin/changepw@sanatized
        renew until 05/29/07 11:07:09
Kerberos 4 ticket cache: /tmp/tkt0
The line that concerns me is:

05/29/07 11:05:09  05/29/07 21:04:53  exchgc01a$@sanatized
        renew until 05/30/07 11:04:53

Anytime a DC other than DC1a DC2a DC3a DC4a gets used, users have
problems mapping drives.
We had no record of a domain controller named exchgc01a in the
environment.
The admins have recently added a number of servers which they say are
catalog servers as part of their Exchange setup and should not be used
for authentication at all. The domain controllers they have added are:
EXCHGC01A EXCHGC02A EXCHGC03A EXCHGC04A DC1SE DC2SE
They are telling us that we must restrict to only authenticating to the
domain controllers: DC1a DC2a DC3a DC4a
Is there a way to do this? Is their request unreasonable?
There is a password server setting, but is that good enough and can you
give it more than a single machine? What if the machine is down for an
unscheduled problem?
Personally, I don't think the new servers should be issuing tickets if
they are not used for authentication. They just called me and will be
checking to see if that is the case...
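One way to audit this kind of situation from the client side, added here as an example that is not from the original post or from Samba: parse the `kdc =` entries for the realm out of krb5.conf, parse the ticket lines out of `klist` output, and flag any machine-account service ticket (`HOST$@REALM`) whose host is not one of the configured KDCs. A machine-account service ticket in the cache records which server the client obtained a ticket to talk to, so it is a cheap indicator of which DCs are actually being contacted. The realm name "sanatized" and the host names are placeholders modelled on the post, and both the config and the klist text below are constructed samples.

```python
"""
Audit helper (illustrative example, not code from the original post or
from Samba): compare the machine-account service tickets in a klist
listing against the KDCs declared for the realm in krb5.conf.
"""
import re

# Constructed sample modelled on the post; "sanatized" is a placeholder realm.
KRB5_CONF = """\
[libdefaults]
        default_realm = sanatized
[realms]
        sanatized = {
                kdc = DC1a.sanatized
                kdc = DC2a.sanatized
                kdc = DC3a.sanatized
                kdc = DC4a.sanatized
                admin_server = DC3a.sanatized
        }
[logging]
        kdc = FILE:/var/krb5/kdc.log
"""

# Constructed sample modelled on the klist output in the post.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: IL02mcs@sanatized
Valid starting     Expires            Service principal
05/29/07 11:04:53  05/29/07 21:04:53  krbtgt/sanatized@sanatized
        renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 21:04:53  exchgc01a$@sanatized
        renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 11:07:09  kadmin/changepw@sanatized
        renew until 05/29/07 11:07:09
"""

# A ticket line: two "MM/DD/YY HH:MM:SS" stamps followed by the service principal.
TICKET_RE = re.compile(
    r'^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$')


def configured_kdcs(conf_text, realm):
    """Return the lower-cased short host names of every 'kdc =' entry for
    `realm` inside the [realms] section. Entries in other sections (for
    example 'kdc = FILE:...' under [logging]) are deliberately ignored."""
    hosts = set()
    in_realms = False
    in_realm = False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('['):               # new section header
            in_realms = (line == '[realms]')
            in_realm = False
            continue
        if not in_realms:
            continue
        if not in_realm:
            m = re.match(r'(\S+)\s*=\s*\{', line)
            if m and m.group(1) == realm:
                in_realm = True
            continue
        if line == '}':                        # end of this realm's block
            in_realm = False
            continue
        m = re.match(r'kdc\s*=\s*(\S+)', line)
        if m:
            hosts.add(m.group(1).split('.')[0].lower())
    return hosts


def ticket_principals(klist_text):
    """Return the service principal of every ticket line in klist output,
    skipping the 'renew until' continuation lines and the header."""
    principals = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            principals.append(m.group(1))
    return principals


def unexpected_dc_tickets(klist_text, kdcs):
    """Return machine-account service principals (HOST$@REALM) whose HOST
    is not in `kdcs`, i.e. tickets to servers outside the expected DC set."""
    flagged = []
    for principal in ticket_principals(klist_text):
        m = re.match(r'([^/@]+)\$@', principal)
        if m and m.group(1).lower() not in kdcs:
            flagged.append(principal)
    return flagged


if __name__ == "__main__":
    kdcs = configured_kdcs(KRB5_CONF, "sanatized")
    print("configured KDCs:", sorted(kdcs))
    for p in unexpected_dc_tickets(KLIST_OUTPUT, kdcs):
        print("ticket to a host outside the configured KDC list:", p)
```

Run on a real system, replace the two constants with the contents of /etc/krb5/krb5.conf and the output of `klist`; a flagged principal means the client obtained a service ticket for a server that is not on the configured KDC list, which is exactly the symptom the post describes.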