[Samba] Two problems with Samba in AD realm
Guillaume Rousse
Guillaume.Rousse at inria.fr
Fri Nov 14 17:10:28 GMT 2008
Pascal Levy wrote:
> On Wednesday 12 November 2008 19:23:52 Guillaume Rousse wrote:
>> Hello list.
>>
>> I recently moved to an AD environment. I'm still keeping a samba server
>> to make my cups-managed printers available to windows users, rather than
>> duplicating configuration with a Windows print service. But I'm facing
>> two problems, probably due to the way we manage AD.
>>
>> First, all my hosts belong to a Unix-managed DNS domain
>> (msr-inria.inria.fr), not to the windows-managed one corresponding to
>> the AD realm (msr-inria.idf). It means resolving their IP address results
>> in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a
>> secondary server for the foo.msr-inria.idf, meaning SRV record lookup
>> still works. But all CIFS kerberos authentication attempts for the host
>> unqualified, or realm-qualified fail: I can't use \\foo, nor
>> \\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr
>>
>> I know this is probably due to kerberos DNS-based hostname
>> canonicalisation, and not samba-specific (it also occurs with netapp
>> filers), but I initially understood it with my samba server. Is there
>> anything I could do there to make users' life easier?
>>
>
> Seems very complicated to me. Maybe you could use only one DNS system with
> different DNS zones (something like msr-inria.inria.fr for your general
> domain and windows.msr-inria.inria.fr for the AD part) all managed with bind?
> This is what we have here and this allows a box to know its actual name without
> any kind of schizophrenia.
It doesn't change very much: you're just trading bind with dynamic
update for microsoft DNS, and a subzone for a foreign private zone. And the
result is the same, as you still have three different identities for any
host belonging to your domain:
- unqualified name
- legacy DNS-qualified name
- AD-qualified name
> if you need foo to be resolved as foo.msr-inria.inria.fr, you could have
> foo.msr-inria.inria.fr CNAME foo.windows.msr-inria.inria.fr
> foo.windows.msr-inria.inria.fr A x.x.x.x
> x.x.x.x PTR foo.windows.msr-inria.inria.fr
>
> (...)
>> There is a user mapping option in samba, but it is primarily meant for
>> mapping Windows users to Unix users, whereas I'd need there to map
>> Windows unqualified users to kerberos-realm users, instead of ad-realm
>> users. Is this possible somehow?
>
> I'm not sure I understand exactly your problem but I think that samba can't
> use a non-AD-kerberos-realm. If there is a way, I'm very interested, though.
It does. The simple fact that accessing any host with its legacy
DNS-qualified name works shows that SSO works.
The problem I'm facing here is precisely when it doesn't, and when the
client apparently falls back to NTLM authentication. The samba server
apparently tries to authenticate on the AD controller as <AD realm>\user,
whereas I can only authenticate through the alternative identity <Kerberos
realm>\user. I have to check against a Windows server to compare behaviour.
--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62
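An added example, not from this thread and not Samba's own code, that models which cifs/ SPN an AD-joined Windows client would request for each of the three identities listed above, and checks it against the SPNs assumed to be in the Samba host's keytab. The IP address, the client DNS suffix, the keytab contents and the "SPN built from the name as typed" rule are all constructed assumptions, not facts from the thread.

```python
from __future__ import annotations

# Constructed forward records modelling the thread's setup (IP is a placeholder).
DNS_A = {
    "foo.msr-inria.inria.fr": "192.0.2.10",  # Unix-managed zone
    "foo.msr-inria.idf": "192.0.2.10",       # AD realm zone, secondary on the Unix DNS
}
# Assumption: an AD-joined Windows client completes short names with its AD DNS suffix.
CLIENT_SUFFIX = "msr-inria.idf"
# Assumption: the Samba host registered only its legacy-DNS SPN when it joined the domain.
KEYTAB_SPNS = {"cifs/foo.msr-inria.inria.fr"}


def complete(name: str) -> str | None:
    """Return the FQDN the client resolves NAME to, or None if it does not resolve."""
    if name in DNS_A:
        return name
    fqdn = f"{name}.{CLIENT_SUFFIX}"
    return fqdn if fqdn in DNS_A else None


def requested_spn(name: str) -> str | None:
    """Modelled rule (assumption): the client asks the KDC for cifs/<name as typed,
    suffix-completed>; no reverse-DNS canonicalisation is applied."""
    fqdn = complete(name)
    return None if fqdn is None else f"cifs/{fqdn}"


def kerberos_auth_possible(name: str, keytab: set[str] = KEYTAB_SPNS) -> bool:
    """True only if the server holds a key for the SPN the client will request."""
    spn = requested_spn(name)
    return spn is not None and spn in keytab


def spns_needed(names) -> set[str]:
    """SPNs the Samba host would need in its keytab to serve every given identity."""
    return {spn for n in names if (spn := requested_spn(n))}


IDENTITIES = ["foo", "foo.msr-inria.idf", "foo.msr-inria.inria.fr"]

if __name__ == "__main__":
    for n in IDENTITIES:
        status = "Kerberos OK" if kerberos_auth_possible(n) else "no key for SPN"
        print(f"\\\\{n:<26} -> {requested_spn(n):<30} {status}")
    print("SPNs to register to serve all three:", sorted(spns_needed(IDENTITIES)))
```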