[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Jonathan S. Fisher
jonathan at springventuregroup.com
Thu Dec 3 16:06:03 UTC 2015
> host -t SRV _ldap._tcp.windows.corp.XXX.com
_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389
whiskey.windows.corp.XXX.com.
_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389
wine.windows.corp.XXX.com.
> host -t SRV _kerberos._udp.windows.corp.XXX.com
_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88
whiskey.windows.corp.XXX.com.
_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88
wine.windows.corp.XXX.com.
> host -t A freeradius.windows.corp.XXX.com.
freeradius.windows.corp.XXX.com has address 192.168.127.134
> host -t SRV 192.168.127.134
134.127.168.192.in-addr.arpa domain name pointer
freeradius.windows.corp.XXX.com.
I tried the same thing with ".WINDOWS" and it doesn't work of course...
On Thu, Dec 3, 2015 at 7:15 AM, Rowland penny <rpenny at samba.org> wrote:
> On 03/12/15 13:07, Rowland Penny wrote:
>
>>
>>
>>
>>
>> 2015-12-02 17:27 GMT+01:00 Jonathan S. Fisher <
>> jonathan at springventuregroup.com>:
>>
>> > Great thanks, I'll start digging into that. So your running theory is
>> that
>> > one of the DNS resolution attempts is returning .WINDOWS not .
>> > WINDOWS.CORP.XXX.com?
>> >
>>
>> I'm not sure, that's your issue, not mine, but you seemed to mean that
>> FQDN
>> are truncated in some DNS search.
>> At least that's what I understand from your first mail when you wrote:
>>
>> "From Wireshark:
>>
>> Queries
>> _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN
>> Name: _ldap._tcp.pdc._msdcs.WINDOWS"
>>
>> So yes I would say there is something wrong in the way your DNS requests
>> are forged: they are using the domain name.
>>
>> So, for me, the next question is: is that domain reduction happens on all
>> requests or only those made by Samba.
>>
>> To know that the point is to avoid Samba.
>>
>> That's why I proposed to proceed with:
>> - some DNS requests -> you said they worked using the three DNS servers
>> you
>> have (the real one, the two from Samba) -> the system does not seem to
>> truncat by himself / always the requests.
>> - some kinit -> kinit with no configuration to force Kerberos servers
>> should send SRV requests to guess how to contact a kerberos server. You
>> seemed to say kinit was working.
>>
>> Next step I would change my resolv.conf to put as nameserver in it only
>> your DC, no search, no domain. The point here is to test your DNS from
>> Samba, and in parallel to avoid the main DNS server which uses dnsmasq.
>>
>> And I would then redo all these tests, including those proposed by
>> Rowland.
>>
>> If you don't have truncated requests until there, I would suggest you find
>> something strange in Samba. But as long as you didn't performed all that
>> successfully, I would suggest an issue in your DNS resolving stack.
>>
>> Cheers,
>>
>> mathias
>>
>>
>>
> This is basically what I wanted to find out, does the OP have a problem or
> not, if he answers my post, we may find out and move on from there.
>
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Email Confidentiality Notice: The information contained in this
transmission is confidential, proprietary or privileged and may be subject
to protection under the law, including the Health Insurance Portability and
Accountability Act (HIPAA). The message is intended for the sole use of the
individual or entity to whom it is addressed. If you are not the intended
recipient, you are notified that any use, distribution or copying of the
message is strictly prohibited and may subject you to criminal or civil
penalties. If you received this transmission in error, please contact the
sender immediately by replying to this email and delete the material from
any computer.
More information about the samba
mailing list