[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command

mathias dufresne infractory at gmail.com
Tue Dec 1 16:15:29 UTC 2015


Could you please extract the content of the following files on the host
named freeradius:
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf



2015-12-01 17:02 GMT+01:00 Jonathan S. Fisher <
jonathan at springventuregroup.com>:

> Well I got one step farther...
>
> hostname -d and hostname -f now work correctly if I add this line to
> /etc/hosts
>
> /etc/hosts
> 127.0.0.1   localhost
> 127.0.1.1 freeradius.windows.corp.springventuregroup.com freeradius
>
> But same error on the rpc command. It's still asking DNS for
> "_ldap._tcp.pdc._msdcs.WINDOWS"
> not "_ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM"
>
> Can you do a tcpdump on yours and see what the desired behavior is? I used
> this command: "sudo tcpdump -vvv -s 0 -l -n port 53 -w dns.pcap". Start the
> dump, then run "sudo net rpc info -Uadministrator"
>
>
> On Tue, Dec 1, 2015 at 9:47 AM, Jonathan S. Fisher <
> jonathan at springventuregroup.com> wrote:
>
> > Great things to investigate... thank you.
> >
> > Ok, so everything is pingable. I've checked to make sure I can send TCP
> > and UDP traffic between the hosts with netcat.
> >
> > > Does your dhcp server deliver the required info?
> > For DNS? Yes, it tells the client to use 192.168.127.129. I'd be in a
> > world of hurt otherwise!
> >
> > > Does 'hostname -d' return the fully qualified domain name of the client?
> > No, it doesn't return anything actually! Maybe this is why it keeps trying
> > to ask for SRV records in WINDOWS instead of WINDOWS.CORP.XXX.COM
> >
> > > Is there a firewall running on the client? if so, try turning it off.
> > Yep, it's off. Off on the servers too.
> >
> > > If you follow the Samba wiki, I can assure you that it does work:
> > I know :) The documentation is very clear, it's some oddity about my
> > network I'm sure.
> >
> > I'll look into the hostname -d and see if I can figure out why that's not
> > returning anything
> >
> >
> > On Tue, Dec 1, 2015 at 4:31 AM, Rowland Penny <
> > rowlandpenny241155 at gmail.com> wrote:
> >
> >> On 30/11/15 22:38, Jonathan S. Fisher wrote:
> >>
> >>> Thank you Rowland for the help so far. I followed the directions on that
> >>> page very precisely. I was able to join the domain, but the RPC stuff still
> >>> doesn't work and I'm still having the same problem. The actual root problem
> >>> is that up to this point, winbind works for about a day or so then I start
> >>> getting NT_STATUS_ACCESS_DENIED.
> >>>
> >>> Anyway, after the join, winbind works right now:
> >>>
> >>> sudo wbinfo -a administrator
> >>> Enter administrator's password:
> >>> plaintext password authentication succeeded
> >>>
> >>> Checking RPC:
> >>>
> >>> sudo net rpc info -Uadministrator
> >>> Unable to find a suitable server for domain WINDOWS
> >>>
> >>> Here is my new config:
> >>>
> >>>  /etc/hosts
> >>> 127.0.0.1   localhost
> >>>
> >>> /etc/krb5.conf
> >>> [libdefaults]
> >>> default_realm = WINDOWS.CORP.XXX.COM
> >>>
> >>> /etc/samba/smb.conf
> >>> [global]
> >>> netbios name=freeradius
> >>> security=ADS
> >>> workgroup=WINDOWS
> >>> realm=WINDOWS.CORP.XXX.COM
> >>>
> >>> log file=/var/log/samba/%m.log
> >>> log level=1
> >>>
> >>> dedicated keytab file=/etc/krb5.keytab
> >>> kerberos method=secrets and keytab
> >>> winbind refresh tickets=yes
> >>>
> >>> winbind trusted domains only=no
> >>> winbind use default domain=yes
> >>> winbind enum users=yes
> >>> winbind enum groups=yes
> >>>
> >>> load printers=no
> >>> template shell=/bin/false
> >>>
> >>> idmap config WINDOWS:backend=rid
> >>> idmap config WINDOWS:range=10000-99999
> >>>
> >>>
> >>>
> >>>
> >> You still need  a bit more in your smb.conf:
> >>
> >> idmap config *:backend = tdb
> >> idmap config *:range = 2000-9999
> >>
> >> You need these lines to get the builtin users & groups mapped.
> >>
> >> I think your problem is DNS related, you should be able to ping a DC via
> >> ipaddress & hostname
> >>
> >> ping -c1 192.168.127.131
> >> ping -c1 whiskey.windows.corp.XXX.com
> >> ping -c1 whiskey
> >> ping -c1 192.168.112.4
> >> ping -c1 wine.windows.corp.XXX.com
> >> ping -c1 wine
> >>
> >> The above commands should all return a reply.
> >>
> >> Does your dhcp server deliver the required info?
> >>
> >> Does 'hostname -d' return the fully qualified domain name of the client?
> >>
> >> Is there a firewall running on the client? if so, try turning it off.
> >>
> >> If you follow the Samba wiki, I can assure you that it does work:
> >>
> >> rowland at debnet:~/Downloads$ sudo net rpc info -Uadministrator
> >> [sudo] password for rowland:
> >> Enter administrator's password:
> >> Domain Name: SAMDOM
> >> Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
> >> Sequence number: 1
> >> Num users: XXXXX
> >> Num domain groups: XXXX
> >> Num local groups: XXXX
> >>
> >> If you are having any problems understanding or following the wiki,
> >> please tell us, otherwise we will just assume everybody understands it :-)
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >
> >
>
>
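
The cross-check behind the request for these files, written out as an added example that is not part of the original messages: it compares the realm in smb.conf with krb5.conf, the resolv.conf search list and the FQDN that /etc/hosts gives the client, and builds the PDC SRV name from that realm. The function names and the example.com sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; every file content written below is constructed sample data.

# First value of "key = value" (or "key=value") in an ini-style file.
conf_value() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Domains on the "search"/"domain" lines of a resolv.conf, one per line.
resolv_domains() {
    awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print tolower($i) }' "$1"
}

# Domain part of the first FQDN a hosts file lists for short name $2.
hosts_domain() {  # $1=hosts file $2=short name
    awk -v h="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if (index($i, h ".") == 1) { print tolower(substr($i, length(h) + 2)); exit } }' "$1"
}

# SRV name for a PDC lookup, built from the realm in smb.conf.
expected_pdc_srv() { printf '_ldap._tcp.pdc._msdcs.%s' "$(conf_value "$1" realm)"; }

# One line per mismatch on stdout; returns 1 if any was found.
check_realm_consistency() {  # $1=smb.conf $2=krb5.conf $3=resolv.conf $4=hosts $5=short name
    realm=$(lower "$(conf_value "$1" realm)"); rc=0
    [ "$(lower "$(conf_value "$2" default_realm)")" = "$realm" ] ||
        { echo "krb5.conf default_realm differs from smb.conf realm"; rc=1; }
    resolv_domains "$3" | grep -qxF "$realm" ||
        { echo "resolv.conf has no search/domain entry for $realm"; rc=1; }
    [ "$(hosts_domain "$4" "$5")" = "$realm" ] ||
        { echo "hosts file gives $5 no FQDN in $realm"; rc=1; }
    return $rc
}

# Constructed samples in directory $1; $2=fixed adds the FQDN hosts line.
write_samples() {
    printf '[global]\nworkgroup=WINDOWS\nrealm=WINDOWS.CORP.EXAMPLE.COM\n' > "$1/smb.conf"
    printf '[libdefaults]\ndefault_realm = WINDOWS.CORP.EXAMPLE.COM\n' > "$1/krb5.conf"
    printf 'nameserver 192.168.127.129\nsearch windows.corp.example.com\n' > "$1/resolv.conf"
    printf '127.0.0.1   localhost\n' > "$1/hosts"
    [ "$2" = fixed ] && printf '127.0.1.1 freeradius.windows.corp.example.com freeradius\n' >> "$1/hosts"
    return 0
}

demo=$(mktemp -d); write_samples "$demo" before
check_realm_consistency "$demo/smb.conf" "$demo/krb5.conf" "$demo/resolv.conf" "$demo/hosts" freeradius || true
echo "PDC SRV name: $(expected_pdc_srv "$demo/smb.conf")"
rm -rf "$demo"
```

On a real client, pass /etc/samba/smb.conf, /etc/krb5.conf, /etc/resolv.conf, /etc/hosts and the short hostname instead of the sample directory.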

