[Samba] Two problems with Samba in AD realm

Pascal Levy pascal.levy at univ-paris3.fr
Wed Nov 12 19:11:57 GMT 2008

On Wednesday 12 November 2008 19:23:52 Guillaume Rousse wrote:
> Hello list.
> I recently moved to an AD environment. I'm still keeping a samba server
> to make my cups-managed printers available to windows users, rather than
> duplicating configuration with a Windows print service. But I'm facing
> two problems, probably due to the way we manage AD.
> First, all my hosts belong to a Unix-managed DNS domain
> (msr-inria.inria.fr), not to the windows-managed one corresponding to
> the AD realm (msr-inria.idf). It means resolving their IP address results
> in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a
> secondary server for the foo.msr-inria.idf, meaning SRV record lookup
> still works. But all CIFS kerberos authentication attempts for the host,
> unqualified or realm-qualified, fail: I can't use \\foo, nor
> \\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr
> I know this is probably due to kerberos DNS-based hostname
> canonicalisation, and not samba-specific (it also occurs with netapp
> filers), but I initially understood it with my samba server. Is there
> anything I could do there to make users' lives easier?

Seems very complicated to me. Maybe you could use only one DNS system with
different DNS zones (something like msr-inria.inria.fr for your general
domain and windows.msr-inria.inria.fr for the AD part), all managed with bind?
This is what we have here, and it allows a box to know its actual name without
any kind of schizophrenia.

If you need foo to be resolved as foo.msr-inria.inria.fr, you could have

 foo.msr-inria.inria.fr          CNAME  foo.windows.msr-inria.inria.fr
 foo.windows.msr-inria.inria.fr  A      x.x.x.x
 x.x.x.x                         PTR    foo.windows.msr-inria.inria.fr

> There is a user mapping option in samba, but it is primarily meant for
> mapping Windows users to Unix users, whereas I'd need it there to map
> Windows unqualified users to kerberos-realm users, instead of ad-realm
> users. Is this possible somehow?

I'm not sure I understand your problem exactly, but I think that samba can't
use a non-AD kerberos realm. If there is a way, I'd be very interested, though.

Pascal Levy
Network & IT resources engineer

Bibliothèque InterUniversitaire Sainte Geneviève
tel.: (33) 1 44 41 97 53
Bibliothèque InterUniversitaire de Langues Orientales
tel.: (33) 1 44 77 95 00

pascal.levy at univ-paris3.fr
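The single-BIND, two-zone layout suggested in the reply only removes the "schizophrenia" if every alias in the general zone chases down to exactly one canonical name in the AD subzone, that name has an address, and the reverse zone's PTR points back at the canonical name rather than at the alias (that is the name Kerberos clients that canonicalise via DNS will end up with). The following checker is an added example, not code from the thread or from Samba/BIND: it parses a constructed set of zone records (the names and 192.0.2.x addresses below are made up for illustration) and reports each alias that breaks one of those three rules.

```python
"""Forward/reverse consistency check for a two-zone DNS layout:
general zone holds CNAMEs, AD subzone holds the A records, and the
reverse zone's PTRs must name the canonical (AD-subzone) host.
Added example; the records below are constructed, not taken from the thread."""
from collections import defaultdict

# Constructed records in a minimal "owner IN TYPE rdata" form (FQDNs, no TTLs).
# foo is laid out correctly, bar's PTR points at the alias, baz's CNAME dangles.
ZONE_DATA = """
foo.msr-inria.inria.fr.            IN CNAME foo.windows.msr-inria.inria.fr.
foo.windows.msr-inria.inria.fr.    IN A     192.0.2.10
10.2.0.192.in-addr.arpa.           IN PTR   foo.windows.msr-inria.inria.fr.
bar.msr-inria.inria.fr.            IN CNAME bar.windows.msr-inria.inria.fr.
bar.windows.msr-inria.inria.fr.    IN A     192.0.2.11
11.2.0.192.in-addr.arpa.           IN PTR   bar.msr-inria.inria.fr.
baz.msr-inria.inria.fr.            IN CNAME baz.windows.msr-inria.inria.fr.
"""


def parse_zone(text):
    """Parse 'owner IN TYPE rdata' lines into {(owner, TYPE): [rdata, ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, klass, rtype, rdata = line.split(None, 3)
        if klass.upper() != "IN":
            raise ValueError(f"unsupported class in record: {line}")
        records[(owner.lower(), rtype.upper())].append(rdata.strip())
    return dict(records)


def canonical_name(records, name, max_hops=8):
    """Follow CNAMEs to the canonical name, the way a resolver does."""
    seen = []
    while True:
        targets = records.get((name, "CNAME"))
        if not targets:
            return name
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        name = targets[0].lower()


def reverse_name(ip):
    """IPv4 address -> in-addr.arpa owner name of its PTR record."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_host(records, alias):
    """Return a list of problems for one alias; an empty list means consistent."""
    problems = []
    try:
        canon = canonical_name(records, alias.lower())
    except ValueError as err:
        return [str(err)]
    addrs = records.get((canon, "A"), [])
    if not addrs:
        problems.append(f"{canon} has no A record (dangling CNAME)")
    for ip in addrs:
        ptrs = [p.lower() for p in records.get((reverse_name(ip), "PTR"), [])]
        if not ptrs:
            problems.append(f"{ip} has no PTR record")
        elif canon not in ptrs:
            problems.append(f"PTR for {ip} is {ptrs} instead of canonical name {canon}")
    return problems


def check_zone(records):
    """Check every CNAME owner (the aliases in the general zone)."""
    return {owner: check_host(records, owner)
            for (owner, rtype) in records if rtype == "CNAME"}


if __name__ == "__main__":
    for alias, problems in sorted(check_zone(parse_zone(ZONE_DATA)).items()):
        print(alias, "OK" if not problems else "; ".join(problems))
```

Run against a real setup, the same checks can be fed from `dig +short` output for each CNAME, A and PTR instead of the embedded text; the rule to keep in mind is the one the reply relies on: the PTR must name the host the way the AD side knows it, not the alias.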
