[Samba] Two problems with Samba in AD realm
Pascal Levy
pascal.levy at univ-paris3.fr
Wed Nov 12 19:11:57 GMT 2008
On Wednesday 12 November 2008 19:23:52 Guillaume Rousse wrote:
> Hello list.
>
> I recently moved to an AD environment. I'm still keeping a samba server
> to make my cups-managed printers available to windows users, rather than
> duplicating configuration with a Windows print service. But I'm facing
> two problems, probably due to the way we manage AD.
>
> First, all my hosts belong to a Unix-managed DNS domain
> (msr-inria.inria.fr), not to the windows-managed one corresponding to
> the AD realm (msr-inria.idf). It means resolving their IP address results
> in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a
> secondary server for the foo.msr-inria.idf, meaning SRV record lookup
> still works. But all CIFS kerberos authentication attempts for the host
> unqualified, or realm-qualified, fail: I can't use \\foo, nor
> \\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr
>
> I know this is probably due to kerberos DNS-based hostname
> canonicalisation, and not samba-specific (it also occurs with netapp
> filers), but I initially understood it with my samba server. Is there
> anything I could do there to make users' lives easier?
>
This seems very complicated to me. Maybe you could use only one DNS system with
different DNS zones (something like msr-inria.inria.fr for your general
domain and windows.msr-inria.inria.fr for the AD part), all managed with bind?
This is what we have here, and it allows a box to know its actual name without
any kind of schizophrenia.
If you need foo to be resolved as foo.msr-inria.inria.fr, you could have
foo.msr-inria.inria.fr CNAME foo.windows.msr-inria.inria.fr
foo.windows.msr-inria.inria.fr A x.x.x.x
x.x.x.x PTR foo.windows.msr-inria.inria.fr
(...)
>
> There is a user mapping option in samba, but it is primarily meant for
> mapping Windows users to Unix users, whereas I'd need there to map
> Windows unqualified users to kerberos-realm users, instead of ad-realm
> users. Is this possible some way?
I'm not sure I understand exactly your problem, but I think that samba can't
use a non-AD-kerberos-realm. If there is a way, I'm very interested, though.
--
Pascal Levy
Network & IT resources engineer
Bibliothèque InterUniversitaire Sainte Geneviève
tel. : (33) 1 44 41 97 53
Bibliothèque InterUniversitaire de Langues Orientales
tel. : (33) 1 44 77 95 00
pascal.levy at univ-paris3.fr
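The two DNS layouts discussed in this thread (the split Unix/AD zones of the question and the single-bind layout with a windows. subzone and a CNAME proposed in the reply) differ in what a Kerberos client ends up putting into the cifs/ principal it asks the KDC for. The following is an added example, not code from the thread or from Samba: it models the canonicalisation an MIT-krb5-style client performs (forward lookup following CNAMEs, then a PTR lookup of the resulting address when rdns is enabled) and checks the resulting principal against the SPNs assumed to be registered on the AD computer object. All DNS records, the 192.0.2.10 address, the search domain, and the SPN sets are constructed for illustration.

```python
"""Simulate Kerberos client hostname canonicalisation against two DNS layouts.

Added example, not from the thread. Models an MIT-krb5-style client: the
typed host is qualified with the resolver search list if needed, CNAMEs are
followed to the A record, and, when rdns is on, the PTR name of the address
replaces the forward name. The result is what goes into cifs/<host>@REALM.
All DNS data below is constructed.
"""

SEARCH_DOMAIN = "msr-inria.inria.fr."  # assumed resolver search domain

# Layout 1 (constructed, mirrors the question): two DNS systems. The host's
# A record lives in the Unix zone, AD also registers it in its own zone, and
# the reverse zone maps the address back to the Unix name.
SPLIT_FORWARD = {
    "foo.msr-inria.inria.fr.": ("A", "192.0.2.10"),
    "foo.msr-inria.idf.": ("A", "192.0.2.10"),
}
SPLIT_REVERSE = {"192.0.2.10": "foo.msr-inria.inria.fr."}
SPLIT_SPNS = {"cifs/foo.msr-inria.idf"}  # assumed: joined under its AD DNS name

# Layout 2 (constructed, mirrors the reply): one bind, AD in the windows.
# subzone, a CNAME for the general-domain name, PTR pointing at the AD name.
SINGLE_FORWARD = {
    "foo.windows.msr-inria.inria.fr.": ("A", "192.0.2.10"),
    "foo.msr-inria.inria.fr.": ("CNAME", "foo.windows.msr-inria.inria.fr."),
}
SINGLE_REVERSE = {"192.0.2.10": "foo.windows.msr-inria.inria.fr."}
SINGLE_SPNS = {"cifs/foo.windows.msr-inria.inria.fr"}


def resolve(name, forward, max_cnames=8):
    """Follow CNAMEs in the forward table; return (name_of_A_record, ip) or None."""
    for _ in range(max_cnames):
        rr = forward.get(name)
        if rr is None:
            return None
        rtype, target = rr
        if rtype == "A":
            return name, target
        name = target  # CNAME: continue with the target
    raise ValueError("CNAME chain too long")


def canonical_host(typed, forward, reverse, rdns=True):
    """Host part of the cifs/ principal a client would request for a typed name."""
    if "." in typed:
        name = typed if typed.endswith(".") else typed + "."
    else:
        name = typed + "." + SEARCH_DOMAIN  # unqualified: apply search list
    res = resolve(name, forward)
    if res is None:
        return None
    cname, ip = res
    if rdns:
        cname = reverse.get(ip, cname)  # PTR wins when rdns is enabled
    return cname.rstrip(".")


def ticket_request_ok(typed, forward, reverse, registered_spns, rdns=True):
    """True if the principal the client derives exists on the computer object."""
    host = canonical_host(typed, forward, reverse, rdns)
    return host is not None and "cifs/" + host in registered_spns


if __name__ == "__main__":
    for typed in ("foo", "foo.msr-inria.idf", "foo.msr-inria.inria.fr"):
        for rdns in (True, False):
            print("split  rdns=%-5s %-24s -> %s" % (
                rdns, typed, ticket_request_ok(typed, SPLIT_FORWARD, SPLIT_REVERSE, SPLIT_SPNS, rdns)))
    for typed in ("foo", "foo.msr-inria.inria.fr", "foo.windows.msr-inria.inria.fr"):
        print("single rdns=True  %-30s -> %s" % (
            typed, ticket_request_ok(typed, SINGLE_FORWARD, SINGLE_REVERSE, SINGLE_SPNS)))
```

In the split layout the outcome depends on the client's rdns setting: with reverse lookup on, \\foo.msr-inria.idf is rewritten to the Unix name and the KDC has no matching SPN; with it off, the same name works. In the single-bind layout every spelling of the name collapses to foo.windows.msr-inria.inria.fr, which is the name the AD computer object carries, so the result no longer depends on client settings. Windows SMB clients generally build the SPN from the name as typed rather than from a PTR lookup, so any extra alias you hand out still needs its own cifs/ SPN registered on the computer object.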