[Samba] Use of specific DCs within smb.conf

Sean spedersen.lists at gmail.com
Tue Aug 23 20:01:09 UTC 2016 

Is it possible to specify a list of DCs for Samba to use, rather than have it look them up dynamically via DNS?

 

I have an issue with Kerberos, Samba, and SSSD where my machines stop authenticating after a period of time – preAuthentication errors, etc. I suspect it's because of a "DC mismatch" between the three. Because we have numerous DCs all over the world, I specifically configure krb5.conf and sssd.conf to point to local DCs rather than allow them to be selected via DNS - examples below. This speeds up the authentication process; I have local access should the local DCs drop offline, so I'm not worried about cross-site/remote site redundancies.

 

Samba appears to use "realm =" to perform a DNS lookup which are logged during my `net ads join` as `ads_dns_parse_rr_srv` messages. From the log, I can see Samba parsing numerous DCs, some local, some remote. 

 

internal_resolve_name: looking up example.domain.com#dcdc (sitename (null))

resolve_ads: Attempting to resolve KDCs for example.domain.com using DNS

ads_dns_lookup_srv: 13 records returned in the answer section.

ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote01-dc02.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote02-dc01.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote02-dc03.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote03-dc01.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote03-dc02.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote04-dc01.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote04-dc02.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote05-dc01.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed remote05-dc02.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]

ads_dns_parse_rr_srv: Parsed dc03.example.domain.com [0, 100, 88]

remove_duplicate_addrs2: looking for duplicate address/port pairs

internal_resolve_name: returning 13 addresses: <bunch_of_ips>

Adding 13 DC's from auto lookup

 

We do not allow LDAP pings through our remote firewalls, so the join/authentication process stalls while these timeout until it finds a local DC in the list that responds. Once it hits a local DC, the process picks back up. This presents a problem because the initial DNS lookup doesn't always appear to resolve the entire list of DCs. Sometimes I see five DCs returned, sometimes more than ten. It could be possible for Samba to resolve five DCs that it cannot reach.

 

I can't fix the DNS problem since it's outside of my scope and would affect the larger corporate environment. I'm more or less forced to work around any limitations or issues found there. I tried to use "password server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com," but it did not affect Samba's behavior. I've parsed the manual for smb.conf (https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html) and haven't found another option to point to specific DCs, if it's even possible.

 

Is this the correct approach? Is it possible? Is there a work-around?

 

What I suspect is that because Kerberos and sssd use dc01 thru dc03 and samba uses whatever it finds via DNS, it may be possible for me to have some kind of DC mismatch when my machine credentials are refreshed. Does that sound crazy?

 

I'm still getting used to working with Kerberos + Samba + SSSD, so please excuse my ignorance. I've picked this apart for several days and have reached a point where I'm stuck. I would be obscenely happy if there was someone on the list with more experience in this area than I have that could point me in the right direction on either issue.

 

/etc/krb5.conf

 

[libdefaults]

    default_realm = EXAMPLE.DOMAIN.COM

 

[realms]

       EXAMPLE.DOMAIN.COM = {

               default_domain = example.domain.com

               kdc = dc01.example.domain.com

               kdc = dc02.example.domain.com

               kdc = dc03.example.domain.com

               admin_server = dc01.example.domain.com

    }

    

/etc/samba/smb.conf

 

[global]

workgroup = SHORT-NAME

client signing = yes

client use spnego = yes

kerberos method = secrets and keytab

realm = EXAMPLE.DOMAIN.COM

security = ads

 

/etc/sssd/sssd.conf

 

[sssd]

services = nss, pam

config_file_version = 2

domains = EXAMPLE.DOMAIN.COM

 

[nss]

 

[pam]

 

[domain/EXAMPLE.DOMAIN.COM]

id_provider = ad

access_provider = ad

ad_domain = example.domain.com

ad_server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com

 

default_shell = /bin/bash

override_homedir = /home/%u

More information about the samba mailing list