[Samba] Issue with Keytab memory

L.P.H. van Belle belle at bazuin.nl
Thu Jul 23 12:28:24 UTC 2020


No, sorry, it's wrong. 

There are rules to follow to make sure your servers work as they should.
This is covered in the internet standards: Request For Change (RFC).

For example, these 2 RFCs shown involve the "example" setups.
 https://tools.ietf.org/html/rfc2606 
 https://tools.ietf.org/html/rfc6761 

Domain name choices for these examples/howtos: 
- StandAlone: Home use: private.example
- StandAlone/Internet/business use: example.tld
- Office domain name: office.example.tld 
! Don't use .local or .lan; these are reserved names for Apple's mDNS.
See:  https://en.wikipedia.org/wiki/.local and https://tools.ietf.org/html/rfc6762.

Other good articles with examples: 
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx.
And a security consideration:  https://www.us-cert.gov/ncas/alerts/TA16-144A  (Leaking DNS info)

And since most of my howtos will involve an Active Directory, this is a must read:
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and  
And looking at table 6.2 here: 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959336(v=technet.10) 

Example of "labels" as mentioned in table 6.2:
hostname (= label).office (= label).example (= label).tld (= label)


When you combine these rules, we end up with something like this example: hostname.office.example.tld  

We want to set it up so it's compatible with any setup. 
- hostname: min 1, max 15 characters, a-Z, 0-9, -
- DNS domain name: max total FQDN 254 characters, including the dots. 
    And 254-15 results in 239 characters left for the domain.tld part.  
    The FQDN for an Active Directory domain name is limited to 64 bytes, 
    including the dots, an Active directory server name example : 
    s4ad01.office.example.tld 

I recommend removing the server from the samba domain, with: net ads remove
Change the hostname on the server, check the DNS A and PTR records, remove/add the correct ones. 
Reboot the member, verify the logs and everything on the old name. Correct that. 
Reboot, verify the logs again, error free? 
Now, you can join samba again. 

Then run the command shown and cifs will work. 

Greetz, 

Louis
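
As an added example, not part of Louis's message and not Samba's own code, the following POSIX sh script checks a short hostname and an FQDN against the naming rules listed in the thread (hostname of 1-15 characters from a-z, 0-9 and '-', FQDN at most 254 characters including dots, Active Directory domain name at most 64 bytes, no .local or .lan suffix) before a member is joined. Two things it assumes beyond the message: that the domain part has at least two labels (domain.tld), inferred from the examples given, and the 63-character per-label limit from RFC 1035. The function names and the sample names other than s4ad01.office.example.tld and lpeda1.muc are constructed for the example; nothing here queries DNS or calls net ads.

```shell
#!/bin/sh
# Added example (not from Louis's message or from Samba): pre-join sanity check of
# hostname / FQDN strings against the naming rules quoted in the thread.
# Assumptions: domain part needs >= 2 labels (domain.tld, inferred from the
# examples); per-label maximum of 63 characters (RFC 1035). Sample names below
# are constructed except the thread's own s4ad01.office.example.tld and lpeda1.muc.

# Print "ok" when LABEL is a usable short hostname (1-15 chars, a-z, 0-9, '-',
# not starting or ending with '-'); otherwise print the violated rule and fail.
check_hostname() {
  h=$1
  [ -n "$h" ] && [ ${#h} -le 15 ] || { echo "hostname must be 1-15 characters: '$h'"; return 1; }
  case $h in
    -*|*-)           echo "hostname must not start or end with '-': '$h'"; return 1 ;;
    *[!A-Za-z0-9-]*) echo "hostname may only contain a-z, 0-9 and '-': '$h'"; return 1 ;;
  esac
  echo ok
}

# Print "ok" when DOMAIN is a usable DNS domain for an AD member: at least
# domain.tld, labels of a-z, 0-9, '-' and 1-63 chars, no .local/.lan suffix.
check_domain() {
  d=$1
  case $d in
    *.local|*.lan|local|lan) echo "'$d' uses .local/.lan, reserved for mDNS (RFC 6762)"; return 1 ;;
    *[!A-Za-z0-9.-]*) echo "'$d' has characters outside a-z, 0-9, '-' and '.'"; return 1 ;;
    .*|*.|*..*)       echo "'$d' has an empty label"; return 1 ;;
    *.*) ;;
    *)                echo "'$d' is a single label; use at least domain.tld"; return 1 ;;
  esac
  # Split on '.' into positional parameters, then restore IFS straight away.
  old_ifs=$IFS; IFS=.; set -- $d; IFS=$old_ifs
  for label in "$@"; do
    if [ ${#label} -gt 63 ]; then echo "label '$label' longer than 63 characters"; return 1; fi
  done
  echo ok
}

# Print "ok" when FQDN satisfies the combined rules (<= 254 chars including dots,
# valid short hostname followed by a valid domain); otherwise the violated rule.
check_fqdn() {
  fqdn=$1
  if [ ${#fqdn} -gt 254 ]; then echo "FQDN longer than 254 characters"; return 1; fi
  case $fqdn in
    *.*) ;;
    *)   echo "'$fqdn' has no domain part; hostname -f should return host.domain.tld"; return 1 ;;
  esac
  r=$(check_hostname "${fqdn%%.*}") || { echo "$r"; return 1; }
  r=$(check_domain "${fqdn#*.}")    || { echo "$r"; return 1; }
  echo ok
}

# Print "ok" when AD_DOMAIN can be an Active Directory domain name: a valid DNS
# domain of at most 64 bytes including the dots (byte count, not characters).
check_ad_domain() {
  d=$1
  if [ $(printf '%s' "$d" | wc -c) -gt 64 ]; then echo "AD domain name longer than 64 bytes: '$d'"; return 1; fi
  check_domain "$d"
}

# Check the names this host reports, as Louis suggests doing before "net ads join".
check_this_host() {
  check_hostname "$(hostname)" && check_fqdn "$(hostname -f)"
}

if [ "${1:-}" = "--self" ]; then
  check_this_host
else
  # Constructed sample names, one per rule; the first two are from the thread.
  for name in s4ad01.office.example.tld lpeda1.muc fileserver01.private.example \
              nas.home.local averyveryverylonghostname.example.tld web_1.example.tld; do
    printf '%-42s %s\n' "$name" "$(check_fqdn "$name")"
  done
fi
```

Run it without arguments to see the sample table, or with `--self` on a member before joining; it exits non-zero on the first violated rule, so it can gate a join script. The single-label complaint for lpeda1.muc is exactly the situation Louis points out in the thread: `hostname -f` should return host.domain.tld.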
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Georg.Biberger--- via samba
> Sent: Thursday 23 July 2020 14:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Issue with Keytab memory
> 
> Hi Louis,
> 
> >Try 
> >
> >net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator 
> >And I hope this is not your hostname: lpeda1.muc 
> >Because that's a domain name. 
> >
> >Also make sure you check the resolving of the A and PTR records
> >
> >Greetz, 
> >
> >Louis
> 
> My hostname is lpeda1!
> hostname returns "lpeda1"
> hostname -f returns "lpeda1.muc".
> 
> Is this OK for "net ads keytab add_update_ads cifs/$(hostname 
> -f) -U Administrator"
> 
> Kind regards
> 
> Georg
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 