[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Rowland Penny
rowlandpenny241155 at gmail.com
Mon Nov 30 21:07:13 UTC 2015
On 30/11/15 20:52, Jonathan S. Fisher wrote:
> /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.127.129
> search windows.corp.XXX.com
I take it 192.168.127.129 is your AD DC.
>
> /etc/hosts
>
> 127.0.0.1 localhost
> 127.0.1.1 freeradius.windows.corp.XXX.com freeradius
> 192.168.127.131 whiskey.windows.corp.XXX.com whiskey
> 192.168.112.4 wine..windows.corp.XXX.com wine
Hmm, I think you are using Network Manager, which uses dnsmasq as a
cache. I would suggest you stop this (open the network-manager conf,
comment out the dnsmasq line and restart network-manager). If you are using
DHCP, I would also suggest you remove the three lines below '127.0.0.1
localhost'; if your machine has a fixed IP, I would remove any of the
three lines that don't point to your machine.
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = WINDOWS.CORP.XXX.COM
Believe it or not, you do not need any of /etc/krb5.conf from here on; you
only need the two lines above.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> WINDOWS.CORP.XXX.COM = {
> kdc = whiskey.windows.corp.XXX.com:88
> kdc = wine.windows.corp.XXX.com:88
> admin_server = whiskey.windows.corp.XXX.com:749
> }
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = false
> }
>
> [domain_realm]
> .windows.corp.XXX.com = WINDOWS.CORP.XXX.COM
> windows.corp.XXX.com = WINDOWS.CORP.XXX.COM
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
>
I would also go here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Set up Samba as described there; you will need to follow the hyperlinks.
Rowland
> On Mon, Nov 30, 2015 at 2:43 PM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 30/11/15 20:30, Jonathan S. Fisher wrote:
>
> Same results with that command. And the same DNS query occurred
>
> On Mon, Nov 30, 2015 at 2:20 PM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 30/11/15 20:01, Jonathan S. Fisher wrote:
>
> Hey guys,
>
> I've successfully joined the domain with "sudo net ads join -k". However,
> when I try to run this: "sudo net rpc info" I get this error: "Unable to
> find a suitable server for domain WINDOWS"
>
> I dumped the DNS requests and it looks like the problem is that it's
> asking for ldap entries under the workgroup name, not the FQDN:
>
> From Wireshark:
>
> Queries
> _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN
> Name: _ldap._tcp.pdc._msdcs.WINDOWS
>
> Ok great, so if I dig that with the command: "dig
> _ldap._tcp.pdc._msdcs.WINDOWS" dig times out. If I dig the FQDN: "dig
> _ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM" I get a response instantly.
>
> Is this a problem with my windows domain controller (how do I make it
> respond to those queries)? Or is this a problem with my samba setup?
>
> Samba version: 4.2.5-SerNet-Ubuntu-8.trusty
>
> Here is my smb.conf:
>
> [global]
> security=ads
> realm=WINDOWS.CORP.XXX.COM
>
> workgroup=WINDOWS
> domain master=no
> local master=no
> preferred master=no
> load printers=no
> printing=bsd
> printcap name=/dev/null
> disable spoolss=yes
> idmap backend=tdb
> idmap uid=10000-99999
> idmap gid=10000-99999
> winbind enum users=yes
> winbind enum groups=yes
> winbind use default domain=yes
> winbind nested groups=yes
> winbind refresh tickets=yes
> winbind offline logon=yes
> template shell=/bin/false
> client use spnego=yes
> client ntlmv2 auth=yes
> encrypt passwords=yes
> restrict anonymous=2
> log file=/var/log/samba/samba.log
> log level=2
> dcerpc endpoint servers=remote
> wins support=no
>
>
> Try it like this: sudo net rpc info -UAdministrator
>
> Rowland
>
>
>
> OK, what have you got in /etc/resolv.conf & /etc/krb5.conf?
>
>
> Rowland
>
> --
>
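The checks Rowland walks through above (realm and workgroup in smb.conf, a krb5.conf that only needs default_realm, resolv.conf pointing at the DC rather than a local dnsmasq cache, and no loopback or stray static entries in /etc/hosts), together with the realm-qualified SRV names a member has to be able to resolve, as an added example. This is not code from the thread or from Samba: the file parsers, function names and check wording are this example's own, the sample files are constructed from the ones quoted in the thread (with the archive's "<http://...>" residue left out), and the list of SRV names is the standard AD set, of which the post only shows _ldap._tcp.pdc._msdcs.

```python
"""Sanity checks for a Samba AD member's name resolution. Added example,
not code from the thread or from Samba; file names, function names and
check wording are its own. Inputs are strings so the samples run offline."""
import re

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KEYVAL = re.compile(r"^([^=#;]+?)\s*=\s*(.*)$")

def parse_ini(text):
    """smb.conf/krb5.conf -> {section: {key: value}}; the '{ ... }' blocks
    krb5.conf nests under [realms] are skipped."""
    conf, section, depth = {}, None, 0
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s[0] in "#;":
            continue
        if s.endswith("{"):
            depth += 1
        elif s == "}":
            depth -= 1
        elif depth == 0 and _SECTION.match(s):
            section = _SECTION.match(s).group(1).strip().lower()
            conf.setdefault(section, {})
        elif depth == 0 and section and _KEYVAL.match(s):
            key, val = _KEYVAL.match(s).groups()
            conf[section][key.strip().lower()] = val.strip()
    return conf

def parse_resolv(text):
    """resolv.conf -> (nameservers, lower-cased search domains)."""
    ns, search = [], []
    for parts in (line.split() for line in text.splitlines()):
        if parts[:1] == ["nameserver"] and len(parts) > 1:
            ns.append(parts[1])
        elif parts[:1] in (["search"], ["domain"]):
            search += [p.lower() for p in parts[1:]]
    return ns, search

def parse_hosts(text):
    """/etc/hosts -> [(ip, [names])], comments stripped."""
    rows = [line.split("#")[0].split() for line in text.splitlines()]
    return [(r[0], r[1:]) for r in rows if r]

def dc_locator_srv_names(realm):
    """SRV names a member queries to find a DC; all live under the realm's DNS
    zone, so a workgroup-only name (_ldap._tcp.pdc._msdcs.WINDOWS) has no answer."""
    d = realm.lower()
    return [f"_ldap._tcp.pdc._msdcs.{d}", f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.{d}"]

def check_member(smb_conf, krb5_conf, resolv_conf, hosts, hostname):
    """Return [(level, message)] findings for the four files."""
    out = []
    g = parse_ini(smb_conf).get("global", {})
    realm, wg = g.get("realm", ""), g.get("workgroup", "")
    if g.get("security", "").lower() != "ads":
        out.append(("ERROR", "smb.conf: an AD member needs 'security = ads'"))
    if not realm or realm != realm.upper():
        out.append(("ERROR", f"smb.conf: realm {realm!r} must be set, in upper case"))
    if not wg or "." in wg or len(wg) > 15:
        out.append(("ERROR", f"smb.conf: workgroup {wg!r} must be the NetBIOS short name"))
    dr = parse_ini(krb5_conf).get("libdefaults", {}).get("default_realm", "")
    if dr != realm:  # Kerberos realm names are case-sensitive
        out.append(("ERROR", f"krb5.conf: default_realm {dr!r} != smb.conf realm {realm!r}"))
    ns, search = parse_resolv(resolv_conf)
    for n in ns:
        if n.startswith("127."):
            out.append(("WARN", f"resolv.conf: {n} is a local cache (dnsmasq?), not the AD DNS"))
    if realm.lower() not in search:
        out.append(("WARN", f"resolv.conf: search list {search} lacks {realm.lower()}"))
    fqdn = f"{hostname}.{realm}".lower()
    for ip, names in parse_hosts(hosts):
        low = [n.lower() for n in names]
        for n in names:
            if ".." in n or n.startswith(".") or n.endswith("."):
                out.append(("ERROR", f"hosts: malformed name {n!r} on {ip}"))
        mine = hostname.lower() in low or fqdn in low
        if mine and ip.startswith("127."):
            out.append(("WARN", f"hosts: {fqdn} maps to loopback {ip}, not the real address"))
        elif not mine and ip not in ("127.0.0.1", "::1"):
            out.append(("WARN", f"hosts: static entry {ip} {names} bypasses AD DNS"))
    return out

# Constructed samples from the files quoted in the thread (archive residue dropped).
SMB_CONF = "[global]\nsecurity=ads\nrealm=WINDOWS.CORP.XXX.COM\nworkgroup=WINDOWS\n"
KRB5_CONF = """[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM
[realms]
WINDOWS.CORP.XXX.COM = {
  kdc = whiskey.windows.corp.XXX.com:88
}
"""
RESOLV_CONF = "nameserver 192.168.127.129\nsearch windows.corp.XXX.com\n"
HOSTS = """127.0.0.1 localhost
127.0.1.1 freeradius.windows.corp.XXX.com freeradius
192.168.127.131 whiskey.windows.corp.XXX.com whiskey
192.168.112.4 wine..windows.corp.XXX.com wine
"""
if __name__ == "__main__":
    print(*dc_locator_srv_names("WINDOWS.CORP.XXX.COM"), sep="\n")
    print(*check_member(SMB_CONF, KRB5_CONF, RESOLV_CONF, HOSTS, "freeradius"), sep="\n")
```

Point it at the real files with open(...).read() and the machine's short hostname. On the quoted inputs the realm, workgroup and default_realm agree and the resolver already points at the DC, so the only findings are the ones Rowland picks on: the host's own FQDN mapped to 127.0.1.1, the double dot in wine..windows.corp.XXX.com, and two static DC entries that /etc/hosts will answer before AD DNS does.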
More information about the samba mailing list