[Samba] samba and RODC

Alex Samad - Yieldbroker Alex.Samad at yieldbroker.com
Fri Nov 30 01:44:16 MST 2012 

Hi

I am trying to setup samba (rhel6/centos 6.2) and I am having some issues.

So what I have is

Server A (centos 6.2)
It exists in my DMZ so very limited access to thing. Juts mainly DNS and some ports for RODC

Sever B (W2k8r2) 
RODC, exists in my insecure vlan, stepping stone into the DMZ (dmz-inside)
My Windows box work fine talking to the RODC

When I try wbinfo -u it fails. I have opened up the kerbos and the ldap ports for a -> b.  I drop the old still netbios, but I do allow port 445 tcp

The wbinfo -u waits a long time then fails

Note xyz.com is not the real domain :)


My smb.conf
[global]
#--authconfig--start-line--

# Generated by authconfig on 2012/11/28 10:16:49
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = XYZ
   password server = int3.xyz.com
   realm = XYZ.COM
   security = ads
   idmap uid = 5000-10000
   idmap gid = 5000-10000
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false

#--authconfig--end-line--

 winbind enum users = 1
 winbind enum groups = 1
 winbind nested groups = Yes

 preferred master = no
 encrypt passwords = yes
 log level = 3


 server string = Samba Server Version %v
 
 # logs split per machine
 log file = /var/log/samba/log.%m
 # max 50KB per log file, then rotate
 max log size = 50
 
 passdb backend = tdbsam
 
 # the login script name depends on the machine name
 # the login script name depends on the unix user used
 # disables profiles support by specifing an empty path
 
 load printers = yes
 cups options = raw
 #obtain list of printers automatically on SystemV
        
[homes]
 comment = Home Directories
 browseable = no
 writable = yes
        
[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes




my /etc/krb.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XYZ.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

[realms]
XYZ.COM = {
  admin_server = int3.xyz.com
  default_domain = xyz.com
  kdc = int3.xyz.com
}

[domain_realm]
.kerberos.server = XYZ.COM
.zyx.com = XYZ.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}


I have done tcpdumps and it seems like when it gets stuck on is on Kerberos (UDP) .. I see quit a few UDP A to B and no replies from B

Thanks
Alex

More information about the samba mailing list