[Samba] Use of specific DCs within smb.conf
mathias dufresne
infractory at gmail.com
Thu Aug 25 08:41:08 UTC 2016
2016-08-24 1:32 GMT+02:00 Sean via samba <samba at lists.samba.org>:
> I found adcli a little too late; I plan to use it in the future but for
> the time being I just deployed 16 VMs using Samba so we’re going to keep
> that for now!
>
> Also, the rest of what I wrote can be disregarded – I figured out exactly
> why my hosts were failing to authenticate after a period of time. It’s too
> stupid to admit publicly.
>
Don't be ashamed, we all make stupid errors. Admitting them doesn't make us
more stupid, but sharing them can help others doing the same (error) to solve
it ;)
My 2 cents :)
>
> On 8/23/16, 3:50 PM, "samba on behalf of Kris Lou via samba" <
> samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:
>
> This doesn't really answer your question, but it already looks like you're
> using SSSD for authentication, and specifying local DC's (instead of DNS
> lookups). Why not bind to AD directly with that? Using realmd/adcli makes
> it easy, and with a minimal samba installation (libs only)
>
> -Kris
>
>
> Kris Lou
> klou at themusiclink.net
>
> On Tue, Aug 23, 2016 at 2:47 PM, Sean via samba <samba at lists.samba.org>
> wrote:
>
> > You believe that SSSD is bypassing Samba entirely and going direct to
> > Kerberos? That’s possible. At the moment, to the best of my understanding,
> > Samba is only being used to join the domain. There are no file/printer/etc.
> > shares happening; this is just basic domain join/membership and keytab
> > generation and after that it’s done.
> >
> > The question was still specific to Samba itself: can I specify the DCs
> > used rather than rely on dynamic lookup via DNS?
> >
> > On 8/23/16, 2:19 PM, "samba on behalf of Rowland Penny via samba" <
> > samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:
> >
> > On Tue, 23 Aug 2016 13:01:09 -0700
> > Sean via samba <samba at lists.samba.org> wrote:
> >
> > > Is it possible to specify a list of DCs for Samba to use, rather than
> > > have it look them up dynamically via DNS?
> > >
> > > I have an issue with Kerberos, Samba, and SSSD where my machines stop
> > > authenticating after a period of time – preAuthentication errors,
> > > etc. I suspect it's because of a "DC mismatch" between the three.
> > > Because we have numerous DCs all over the world, I specifically
> > > configure krb5.conf and sssd.conf to point to local DCs rather than
> > > allow them to be selected via DNS - examples below. This speeds up
> > > the authentication process; I have local access should the local DCs
> > > drop offline, so I'm not worried about cross-site/remote site
> > > redundancies.
> > >
> > > Samba appears to use "realm =" to perform a DNS lookup which are
> > > logged during my `net ads join` as `ads_dns_parse_rr_srv` messages.
> > > From the log, I can see Samba parsing numerous DCs, some local, some
> > > remote.
> > >
> > > internal_resolve_name: looking up example.domain.com#dcdc (sitename (null))
> > > resolve_ads: Attempting to resolve KDCs for example.domain.com using DNS
> > > ads_dns_lookup_srv: 13 records returned in the answer section.
> > > ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote01-dc02.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote02-dc01.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote02-dc03.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote03-dc01.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote03-dc02.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote04-dc01.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote04-dc02.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote05-dc01.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed remote05-dc02.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]
> > > ads_dns_parse_rr_srv: Parsed dc03.example.domain.com [0, 100, 88]
> > > remove_duplicate_addrs2: looking for duplicate address/port pairs
> > > internal_resolve_name: returning 13 addresses: <bunch_of_ips>
> > > Adding 13 DC's from auto lookup
> > >
> > > We do not allow LDAP pings through our remote firewalls, so the
> > > join/authentication process stalls while these timeout until it finds
> > > a local DC in the list that responds. Once it hits a local DC, the
> > > process picks back up. This presents a problem because the initial
> > > DNS lookup doesn't always appear to resolve the entire list of DCs.
> > > Sometimes I see five DCs returned, sometimes more than ten. It could
> > > be possible for Samba to resolve five DCs that it cannot reach.
> > >
> > > I can't fix the DNS problem since it's outside of my scope and would
> > > affect the larger corporate environment. I'm more or less forced to
> > > work around any limitations or issues found there. I tried to use
> > > "password server = dc01.example.domain.com, dc02.example.domain.com,
> > > dc03.example.domain.com," but it did not affect Samba's behavior.
> > > I've parsed the manual for smb.conf
> > > (https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html) and
> > > haven't found another option to point to specific DCs, if it's even
> > > possible.
> > >
> > > Is this the correct approach? Is it possible? Is there a work-around?
> > >
> > > What I suspect is that because Kerberos and sssd use dc01 thru dc03
> > > and samba uses whatever it finds via DNS, it may be possible for me
> > > to have some kind of DC mismatch when my machine credentials are
> > > refreshed. Does that sound crazy?
> > >
> > > I'm still getting used to working with Kerberos + Samba + SSSD, so
> > > please excuse my ignorance. I've picked this apart for several days
> > > and have reached a point where I'm stuck. I would be obscenely happy
> > > if there was someone on the list with more experience in this area
> > > than I have that could point me in the right direction on either
> > > issue.
> > >
> > > /etc/krb5.conf
> > >
> > > [libdefaults]
> > > default_realm = EXAMPLE.DOMAIN.COM
> > >
> > > [realms]
> > > EXAMPLE.DOMAIN.COM = {
> > > default_domain = example.domain.com
> > > kdc = dc01.example.domain.com
> > > kdc = dc02.example.domain.com
> > > kdc = dc03.example.domain.com
> > > admin_server = dc01.example.domain.com
> > > }
> > >
> > > /etc/samba/smb.conf
> > >
> > > [global]
> > > workgroup = SHORT-NAME
> > > client signing = yes
> > > client use spnego = yes
> > > kerberos method = secrets and keytab
> > > realm = EXAMPLE.DOMAIN.COM
> > > security = ads
> > >
> > > /etc/sssd/sssd.conf
> > >
> > > [sssd]
> > > services = nss, pam
> > > config_file_version = 2
> > > domains = EXAMPLE.DOMAIN.COM
> > >
> > > [nss]
> > >
> > > [pam]
> > >
> > > [domain/EXAMPLE.DOMAIN.COM]
> > > id_provider = ad
> > > access_provider = ad
> > > ad_domain = example.domain.com
> > > ad_server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com
> > >
> > > default_shell = /bin/bash
> > > override_homedir = /home/%u
> > >
> >
> > Can I point out that because you are using sssd, that is what is doing
> > your authentication and Samba isn't. So winbind will ignore anything
> > you put in smb.conf, this is because you are not using winbind.
> >
> > sssd is not part of Samba.
> >
> > Have you tried asking the sssd users mailing list?
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> >
> >
> >
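As an added diagnostic for the "DC mismatch" Sean suspects (this is not code from the thread, from Samba or from SSSD): it pulls the `ads_dns_parse_rr_srv` lines out of a `net ads join` debug log and lists every DC Samba discovered via DNS that is not pinned by `kdc =` in krb5.conf or `ad_server =` in sssd.conf. The log excerpt and config fragments are constructed to mirror the ones quoted above.

```python
"""List DCs that Samba found via DNS SRV lookup but that krb5.conf and
sssd.conf never use. Inputs below are constructed to mirror the thread."""
import re

# Constructed excerpt of a `net ads join` debug log (same format as quoted above).
SAMBA_LOG = """\
ads_dns_lookup_srv: 4 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote02-dc03.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]
Adding 4 DC's from auto lookup
"""

# Constructed krb5.conf / sssd.conf fragments pinning the three local DCs.
KRB5_CONF = """\
[realms]
EXAMPLE.DOMAIN.COM = {
  kdc = dc01.example.domain.com
  kdc = dc02.example.domain.com
  kdc = dc03.example.domain.com
  admin_server = dc01.example.domain.com
}
"""
SSSD_CONF = """\
[domain/EXAMPLE.DOMAIN.COM]
ad_server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com
"""

# "Parsed <host> [priority, weight, port]" as Samba prints each SRV record.
SRV_RE = re.compile(r"ads_dns_parse_rr_srv: Parsed (\S+) \[(\d+), (\d+), (\d+)\]")

def samba_dcs(log):
    """(host, port) pairs Samba parsed from the KDC SRV answer, in log order."""
    return [(m.group(1).lower(), int(m.group(4))) for m in SRV_RE.finditer(log)]

def pinned_dcs(krb5, sssd):
    """Hosts listed explicitly as kdc= in krb5.conf or ad_server= in sssd.conf."""
    kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", krb5, re.M)
    ad_lines = re.findall(r"^\s*ad_server\s*=\s*(.+)$", sssd, re.M)
    servers = [h.strip() for line in ad_lines for h in line.split(",") if h.strip()]
    return {h.lower() for h in kdcs + servers}

def dc_mismatch(log, krb5, sssd):
    """DCs Samba will try that Kerberos/SSSD never contact; behind a firewall
    that drops LDAP pings these are the entries that stall the join."""
    pinned = pinned_dcs(krb5, sssd)
    return [host for host, _port in samba_dcs(log) if host not in pinned]

if __name__ == "__main__":
    for host in dc_mismatch(SAMBA_LOG, KRB5_CONF, SSSD_CONF):
        print("Samba discovered a DC not pinned in krb5.conf/sssd.conf:", host)
```

Run it against a real `net ads join -d 5` log and the live config files to see which of the auto-discovered DCs sit behind the firewalls that block LDAP pings.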