[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
Rowland Penny
rowlandpenny at googlemail.com
Thu Mar 12 16:05:11 MDT 2015
On 12/03/15 21:57, Peter Serbe wrote:
>
> Matthias Busch wrote on 12.03.2015 22:08:
>
>
>> --- this is my /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = MY-DOMAIN.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
> add these (partly done below)
> forwardable = true
> renewable = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> debug = false
>
> delete from here .....
>
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>>
>> # The following libdefaults parameters are only for Heimdal Kerberos.
>> v4_instance_resolve = false
>> v4_name_convert = {
>> host = {
>> rcmd = host
>> ftp = ftp
>> }
>> plain = {
>> something = something-else
>> }
>> }
>> fcc-mit-ticketflags = true
> .... to here.
>
>> [realms]
>> MY-DOMAIN.LOCAL = {
>> kdc = adserver.my-domain.local <-- tried with adserver
>> admin_server = adserver.my-domain.local and
>> adserver.my-domain.local
> add:
> default_domain = my-domain.local
>
>> }
> delete from here ......
>
>
>> ... lots of .MIT.EDU entries ...
>>
> .... to here
>
>> [domain_realm]
> should be:
> .my-domain.local = MY-DOMAIN.LOCAL
> my-domain.local = MY-DOMAIN.LOCAL
>
> [logging]
> # kdc = /var/log/kdc.log
> # admin_server = /var/log/kadmin.log
> default = /var/log/kdc.log
>
> delete the remaining stuff...
>
>
>> .mit.edu = ATHENA.MIT.EDU
>> mit.edu = ATHENA.MIT.EDU
>> .media.mit.edu = MEDIA-LAB.MIT.EDU
>> media.mit.edu = MEDIA-LAB.MIT.EDU
>> .csail.mit.edu = CSAIL.MIT.EDU
>> csail.mit.edu = CSAIL.MIT.EDU
>> .whoi.edu = ATHENA.MIT.EDU
>> whoi.edu = ATHENA.MIT.EDU
>> .stanford.edu = stanford.edu
>> .slac.stanford.edu = SLAC.STANFORD.EDU
>> .toronto.edu = UTORONTO.CA
>> .utoronto.ca = UTORONTO.CA
>>
>> [login]
>> krb4_convert = true
>> krb4_get_tickets = false
>>
>>
> Regarding the nsswitch.conf I am a bit clueless. I use sssd, and therefore
> nearly all the lines got an sss as second entry. Maybe winbind would be
> the correct one for you. But this should be examined _after_ Kerberos is
> working OK. At least we now know that Kerberos couldn't have worked with
> this configuration. Btw, we would like to check the smb.conf, too...
>
> HTH
> Peter
>
>> --- this is my /etc/nsswitch.conf:
>>
>> passwd: compat
>> group: compat
>> shadow: compat
>>
>> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>> ---
>>
>> Matze
>>
Don't add the lines to krb5.conf, you only need the top four lines:

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

and yes, you do need winbind adding to the passwd & group lines in
/etc/nsswitch.conf, but you need more, see the wiki page I posted earlier.

Rowland
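
A small checker for the advice in the reply above, as an added example (not code from the thread or from the Samba project): it parses a krb5.conf, reports anything beyond the four [libdefaults] lines, and checks that the passwd and group lines of nsswitch.conf list winbind. The function names and the sample inputs are constructed for illustration, and the nsswitch check covers only the winbind entry named in the reply, not the further settings on the wiki page it mentions.

```python
import re

# Settings from the reply above; default_realm is site-specific, so only its presence is checked.
WANTED = {"dns_lookup_realm": "false", "dns_lookup_kdc": "true"}

def parse_krb5(text):
    """Return {section: {key: value}}, keeping only top-level keys of each section."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or whole-line comment
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head and depth == 0:
            current = sections.setdefault(head.group(1), {})
        elif line == "}":                        # end of a nested { ... } block
            depth = max(depth - 1, 0)
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if depth == 0:
                current[key] = value
            depth += value.endswith("{")         # entering a nested block
    return sections

def audit(krb5_text, nsswitch_text):
    """List deviations from the minimal krb5.conf and the winbind nsswitch entries."""
    findings = []
    conf = parse_krb5(krb5_text)
    lib = conf.get("libdefaults", {})
    if not lib.get("default_realm"):
        findings.append("krb5: default_realm missing")
    for key, want in WANTED.items():
        if lib.get(key, "").lower() != want:
            findings.append(f"krb5: {key} should be {want}")
    extra = sorted(set(lib) - set(WANTED) - {"default_realm"})
    if extra:
        findings.append("krb5: extra libdefaults keys: " + ", ".join(extra))
    for section in sorted(set(conf) - {"libdefaults"}):
        findings.append(f"krb5: [{section}] is beyond the four lines")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:(.*)$", nsswitch_text, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch: {db} lacks winbind")
    return findings

# Constructed samples modelled on the files quoted in this thread.
SAMPLE_KRB5 = ("[libdefaults]\ndefault_realm = MY-DOMAIN.LOCAL\ndns_lookup_realm = false\n"
               "dns_lookup_kdc = true\nkrb4_config = /etc/krb.conf\nv4_name_convert = {\nhost = {\n"
               "rcmd = host\n}\n}\n[realms]\nMY-DOMAIN.LOCAL = {\nkdc = adserver.my-domain.local\n}\n")
SAMPLE_NSS = "passwd: compat\ngroup: compat winbind\n"
```

To run it against a real host, pass the contents of /etc/krb5.conf and /etc/nsswitch.conf to audit(); an empty list means both files match the reply.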