[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?

Nathaniel W. Turner nate at houseofnate.net
Fri Nov 22 21:07:24 UTC 2019


So to me this doesn't look like a DNS issue. (Maybe I'm missing something.)
Should I file a bug?

On Wed, Nov 20, 2019 at 12:54 PM Nathaniel W. Turner <nate at houseofnate.net>
wrote:

> Hi Louis,
>
> On Wed, Nov 20, 2019 at 3:27 AM L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
>> Your config looks ok, as far as I can tell.
>>
>> This :  "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"
>> As it should be: spn/hostname.fqdn@REALM, nothing wrong with that.
>>
>> But if I understand it right.
>>
>> Your server : kvm7246-vm022.maas.local is in REALM : TC83.LOCAL  (
>> NTDOM:TC83 )
>> But you get TC84 back?
>>
>> On the problem server run the following:
>>
>> dig a kvm7246-vm022.maas.local @IP_of_AD-DC
>> Gives a Returned_IP
>>
>
> ubuntu at kvm7246-vm022:~/samba$ host -t srv _ldap._tcp.tc83.local
> _ldap._tcp.tc83.local has SRV record 0 100 389 tc83dc2.tc83.local.
> _ldap._tcp.tc83.local has SRV record 0 100 389 tc83dc.tc83.local.
> ubuntu at kvm7246-vm022:~/samba$ host tc83dc2.tc83.local.
> tc83dc2.tc83.local has address 172.21.83.6
> ubuntu at kvm7246-vm022:~/samba$ host tc83dc.tc83.local.
> tc83dc.tc83.local has address 172.21.83.4
> ubuntu at kvm7246-vm022:~/samba$ dig a kvm7246-vm022.maas.local @172.21.83.4
>
> ; <<>> DiG 9.11.5-P4-5.1ubuntu2-Ubuntu <<>> a kvm7246-vm022.maas.local @172.21.83.4
> ;; global options: +cmd
> ;; Got answer:
> ;; WARNING: .local is reserved for Multicast DNS
> ;; You are currently testing what happens when an mDNS query is leaked to DNS
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46573
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;kvm7246-vm022.maas.local. IN A
>
> ;; ANSWER SECTION:
> kvm7246-vm022.maas.local. 26 IN A 172.23.4.52
>
> ;; Query time: 1 msec
> ;; SERVER: 172.21.83.4#53(172.21.83.4)
> ;; WHEN: Wed Nov 20 17:45:41 UTC 2019
> ;; MSG SIZE  rcvd: 69
>
> (The other DC gives the same answer.)
>
>
>> dig -x Returned_IP @IP_of_AD-DC
>>
>
> ubuntu at kvm7246-vm022:~/samba$ dig -x 172.23.4.52 @172.21.83.4
>
> ; <<>> DiG 9.11.5-P4-5.1ubuntu2-Ubuntu <<>> -x 172.23.4.52 @172.21.83.4
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13322
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;52.4.23.172.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 52.4.23.172.in-addr.arpa. 25 IN PTR kvm7246-vm022.maas.local.
>
> ;; Query time: 2 msec
> ;; SERVER: 172.21.83.4#53(172.21.83.4)
> ;; WHEN: Wed Nov 20 17:46:07 UTC 2019
> ;; MSG SIZE  rcvd: 91
>
> (The other DC gives the same answer.)
>
>
>
>> hostname -s
>> hostname -f
>> hostname -I
>> hostname -A
>>
>
> ubuntu at kvm7246-vm022:~/samba$ hostname -s
> kvm7246-vm022
> ubuntu at kvm7246-vm022:~/samba$ hostname -f
> kvm7246-vm022.maas.local
> ubuntu at kvm7246-vm022:~/samba$ hostname -I
> 172.23.4.52
> ubuntu at kvm7246-vm022:~/samba$ hostname -A
> kvm7246-vm022.maas.local
>
>
>
>> cat /etc/resolv.conf
>>
>
> ubuntu at kvm7246-vm022:~/samba$ grep -v ^# /etc/resolv.conf
>
> nameserver 172.23.4.4
> options edns0
> search maas.local tc82.local local
>
> (DNS is in sync between this nameserver and the DC, and it gives the same
> answers to the queries above.)
>
>
>
>> route -n|grep default
>>
>
> I don't have the legacy route command installed, but I think this is what
> you want:
>
> ubuntu at kvm7246-vm022:~/samba$ ip route
> default via 172.23.4.1 dev ens6 proto static
> 172.23.4.0/24 dev ens6 proto kernel scope link src 172.23.4.52
>
>> cat /etc/krb5.conf
>>
>
> ubuntu at kvm7246-vm022:~/samba$ cat /etc/krb5.conf
> [libdefaults]
> default_realm = TC83.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
>> Do you have 2 servers with the same hostname but in different DNS
>> domains?
>> Like this one vm7246-vm022  <<
>>
>
> No.
>

