[Samba] Two problems with Samba in AD realm

Guillaume Rousse Guillaume.Rousse at inria.fr
Fri Nov 14 17:10:28 GMT 2008


Pascal Levy wrote:
> On Wednesday 12 November 2008 19:23:52 Guillaume Rousse wrote:
>> Hello list.
>>
>> I recently moved to an AD environment. I'm still keeping a samba server
>> to make my cups-managed printers available to windows users, rather than
>> duplicating configuration with a Windows print service. But I'm facing
>> two problems, probably due to the way we manage AD.
>>
>> First, all my hosts belong to a Unix-managed DNS domain
>> (msr-inria.inria.fr), not to the windows-managed one corresponding to
>> the AD realm (msr-inria.idf). It means resolving their IP address results
>> in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a
>> secondary server for foo.msr-inria.idf, meaning SRV record lookup
>> still works. But all CIFS kerberos authentication attempts for the host
>> unqualified, or realm-qualified, fail: I can't use \\foo, nor
>> \\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr
>>
>> I know this is probably due to kerberos DNS-based hostname
>> canonicalisation, and not samba-specific (it also occurs with netapp
>> filers), but I initially understood it with my samba server. Is there
>> anything I could do there to make users' life easier?
>>
> 
> Seems very complicated to me. Maybe you could use only one DNS system with 
> different dns zones (something like msr-inria.inria.fr for your general 
> domain and windows.msr-inria.inria.fr for the AD part) all managed with bind? 
> This is what we have here and this allows a box to know its actual name without 
> any kind of schizophrenia.
It doesn't change very much: you're just trading bind with dynamic 
update vs microsoft DNS, and subzone vs foreign private zone. And the 
result is the same, as you still have three different identities for any 
host belonging to your domain:
- unqualified name
- legacy DNS-qualified name
- AD-qualified name

> if you need foo to be resolved as foo.msr-inria.inria.fr, you could have
>  foo.msr-inria.inria.fr CNAME  foo.windows.msr-inria.inria.fr
>  foo.windows.msr-inria.inria.fr A x.x.x.x
> x.x.x.x PTR  foo.windows.msr-inria.inria.fr
> 
> (...)
>> There is a user mapping option in samba, but it is primary meant for
>> mapping Windows users to Unix users, whereas I'd need there to map
>> Windows unqualified users to kerberos-realm users, instead of ad-realm
>> users. Is this possible someway ?
> 
> I'm not sure I understand exactly your problem but I think that samba can't 
> use a non-AD-kerberos-realm. If there is a way, I'm very interested, though.
It does. The simple fact that accessing any host with its legacy 
DNS-qualified name works shows that SSO works.

The problem I'm facing here is precisely when it doesn't, and when the 
client apparently falls back to NTLM authentication. The samba server 
apparently tries to authenticate on the AD controller as <AD realm>\user, 
whereas I can only authenticate through the alternative identity <Kerberos 
realm>\user. I have to check against a Windows server to compare behaviour.

-- 
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62
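Added example, not from the thread or from the Samba project: a small simulation of the forward-then-reverse DNS canonicalisation a Kerberos client performs before requesting a cifs/<host> ticket, run over a constructed zone laid out as Pascal suggests (CNAME -> A -> PTR). It shows which SPN each of the three identities of a host (unqualified, legacy DNS-qualified, AD-qualified) ends up requesting, and therefore which SPN the server's keytab must carry. The zone contents, the IP, the search suffix and the realm name are made up, and the canonicalisation rule is a simplified assumption of MIT Kerberos behaviour with "rdns = true".

```python
# Added illustration (not from the thread): simulate Kerberos DNS
# canonicalisation over a constructed zone (CNAME -> A -> PTR, as suggested
# in the reply). Names, IP and realm are made up; rule is a simplification.

CONSTRUCTED_ZONE = {
    "cname": {"foo.msr-inria.inria.fr": "foo.windows.msr-inria.inria.fr"},
    "a": {"foo.windows.msr-inria.inria.fr": "192.0.2.10"},
    "ptr": {"192.0.2.10": "foo.windows.msr-inria.inria.fr"},
}
SEARCH_DOMAIN = "msr-inria.inria.fr"  # assumed resolver search suffix
REALM = "MSR-INRIA.IDF"               # assumed AD realm name

def qualify(name, search=SEARCH_DOMAIN):
    """Unqualified names get the resolver's search suffix appended."""
    return name if "." in name else f"{name}.{search}"

def forward(name, zone):
    """Chase CNAMEs and return (canonical name, ip); fail if no A record."""
    seen = set()
    while name in zone["cname"]:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = zone["cname"][name]
    if name not in zone["a"]:
        raise LookupError(f"no A record for {name}")
    return name, zone["a"][name]

def kerberos_spn(typed_name, zone=CONSTRUCTED_ZONE, realm=REALM, rdns=True):
    """Return the cifs/ SPN a client would request for the name the user typed."""
    canon, ip = forward(qualify(typed_name), zone)
    if rdns and ip in zone["ptr"]:
        canon = zone["ptr"][ip]  # reverse lookup wins, as with rdns = true
    return f"cifs/{canon.lower()}@{realm}"

def spns_for_identities(names, zone=CONSTRUCTED_ZONE):
    """Map each name a host is known by to the SPN its keytab must then hold."""
    result = {}
    for n in names:
        try:
            result[n] = kerberos_spn(n, zone)
        except (LookupError, ValueError) as exc:
            result[n] = f"unresolvable: {exc}"
    return result

if __name__ == "__main__":
    names = ["foo", "foo.msr-inria.inria.fr", "foo.windows.msr-inria.inria.fr"]
    for name, spn in spns_for_identities(names).items():
        print(f"{name:32} -> {spn}")
```

With this record layout all three identities collapse to one SPN; with rdns disabled or a PTR pointing elsewhere the names diverge, which is the situation to check on a server that only answers to one of its names.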
