[Samba] using samba-tool from a domain member other than the DC
L.P.H. van Belle
belle at bazuin.nl
Fri Jul 24 06:41:49 UTC 2020
Just a word of warning there...
If your AD-DC has 2 hostnames, does it also have 2 IP numbers? If not, and you have set up in
the DNS 2x an A record, then beware and rethink your setup.
And do check if you then also have 2 x a PTR record.
If you have 1 PTR record and 1 IP address, which I assume based on
the info I saw, then set up A+PTR+CNAME and not 2xA and PTR.
You have fewer problems with A + PTR + CNAME with Kerberos.
dc01.ad.example.com A -> PTR IP -> CNAME dc01.example.com
Also, resolving order and routing can bork the setup.
So since it now works, just a notice.
But this triggered me to reply.
> My DC host has its regular name - dc01.example.com and then
> its AD name dc01.ad.example.com.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jason Keltz via samba
> Sent: Friday 24 July 2020 2:01
> To: samba at lists.samba.org
> Subject: Re: [Samba] using samba-tool from a domain member
> other than the DC
>
> Hi Rowland,
>
> Speaking of senior moments. I just figured out the problem...
>
> My DC host has its regular name - dc01.example.com and then
> its AD name
> dc01.ad.example.com. Even though both resolve to the same IP, I was
> using dc01.example.com which is apparently a no-no because
> Kerberos is
> particular about names. If I use dc01.ad.example.com it actually
> works!!!!!!!!!! Using either dc01.example.com or using the
> IP address
> both do not work.
>
> And just to prove that this has nothing whatsoever to do with
> smb.conf,
> I moved it out of the way completely, and it now works as well!!
>
> Thanks a lot! I've spent *hours* looking at this. I think I
> have a few
> extra gray hairs.
>
> Jason.
>
> On 7/23/2020 3:58 PM, Rowland penny via samba wrote:
> > On 23/07/2020 20:36, Jason Keltz via samba wrote:
> >>
> >> On the client, I have the same krb5.conf as above. For smb.conf I
> >> have the following (I don't even really know if it's
> required but I
> >> highly suspect samba-tool is at least reading it):
> >>
> >> [global]
> >> workgroup = <workgroup name>
> >> security = ADS
> >> realm = <realm server name>
> >>
> >> I was under the impression that in order to use ldap://
> URLs, on the
> >> DC smb.conf, you need to add "ldap server require strong
> auth = no".
> >> You said the default is no, but at least in my
> configuration on the
> >> server it is "yes":
> >
> > OOPS, senior moment there ;-)
> >
> > The 'no' should have been 'yes' and it still works for me ;-)
> >
> >>
> >> I'm not permitted to set ldap server require strong auth = no.
> >> Ideally, samba-tool would work with ldaps, but if I can use
> >> samba-tool over ldap without having to set the require
> strong auth =
> >> no, then that would be great.
> >
> > You should be able to use samba-tool with kerberos:
> >
> > rowland at devstation:~$ samba-tool user list -H
> > ldap://dc01.samdom.example.com -k yes -d5
> > < snipped for brevity >
> > Ticket in credentials cache for rowland at SAMDOM.EXAMPLE.COM
> will expire
> > in 33327 secs
> > gensec_gssapi: NO credentials were delegated
> > GSSAPI Connection will be cryptographically signed
> > <LONG LIST OF USERS>
> >
> > This is from a domain joined Unix client and 'rowland' has a valid
> > kerberos ticket.
> >
> > The client is running nmbd, smbd and winbind.
> >
> > You say that you are running sssd, we cannot help you with
> this, we do
> > not produce sssd etc.
> >
> > Rowland
> >
>
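Louis's advice above (one A record for the DC's AD name, a matching PTR, and a CNAME for any other name, rather than two A records sharing one IP) can be checked mechanically before Kerberos complains. The script below is an added example written for this page, not code from the thread or from the Samba project: it audits a small in-memory record set (constructed here, modelled on the thread's dc01 names and a documentation IP) for A/PTR symmetry and duplicate A records, and shows which canonical name a client ends up with after chasing CNAMEs. The assumption that the client canonicalises the target host through DNS before building the SPN is the historical MIT Kerberos default (dns_canonicalize_hostname); the record names and the IP are placeholders.

```python
"""Audit the DNS layout of an AD DC for the A/PTR/CNAME consistency Kerberos relies on.

Added example for this thread, not Samba code. All records below are constructed.
"""
from collections import defaultdict

# Constructed: the layout recommended in the thread (A + PTR + CNAME).
GOOD_RECORDS = [
    ("dc01.ad.example.com", "A", "192.0.2.10"),
    ("10.2.0.192.in-addr.arpa", "PTR", "dc01.ad.example.com"),
    ("dc01.example.com", "CNAME", "dc01.ad.example.com"),
]

# Constructed: the layout warned against (2 x A for one IP, only 1 PTR).
BAD_RECORDS = [
    ("dc01.ad.example.com", "A", "192.0.2.10"),
    ("dc01.example.com", "A", "192.0.2.10"),
    ("10.2.0.192.in-addr.arpa", "PTR", "dc01.ad.example.com"),
]


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def canonical_name(name, records, max_depth=8):
    """Follow CNAMEs to the canonical hostname, refusing loops or long chains."""
    cnames = {n: t for n, rtype, t in records if rtype == "CNAME"}
    seen = []
    while name in cnames and len(seen) < max_depth:
        seen.append(name)
        name = cnames[name]
    if name in cnames:
        raise ValueError("CNAME chain too long or loops: " + " -> ".join(seen))
    return name


def audit(records):
    """Return a list of human-readable findings; empty means the layout is clean."""
    findings = []
    a_by_ip = defaultdict(list)
    for name, rtype, target in records:
        if rtype == "A":
            a_by_ip[target].append(name)
    ptrs = {n: t for n, rtype, t in records if rtype == "PTR"}

    for ip, names in a_by_ip.items():
        if len(names) > 1:
            findings.append(f"{ip}: {len(names)} A records ({', '.join(names)}); "
                            "use one A record plus CNAMEs")
        ptr = ptrs.get(reverse_name(ip))
        if ptr is None:
            findings.append(f"{ip}: no PTR record")
        elif ptr not in names:
            findings.append(f"{ip}: PTR {ptr} matches no A record name")
        else:
            # A name that forward-resolves to the IP but is not what the PTR
            # returns will be rewritten by reverse-lookup canonicalisation.
            for n in names:
                if n != ptr:
                    findings.append(f"{n}: A -> {ip} but PTR -> {ptr}; "
                                    f"reverse lookup canonicalises to {ptr}")

    all_a_names = {n for ns in a_by_ip.values() for n in ns}
    for name, rtype, target in records:
        if rtype == "CNAME":
            canon = canonical_name(name, records)
            if canon not in all_a_names:
                findings.append(f"{name}: CNAME chain ends at {canon}, which has no A record")
    return findings


def expected_spn(service, hostname, records):
    """SPN the KDC must know for a client that canonicalises hostname via DNS (assumed)."""
    return f"{service}/{canonical_name(hostname, records)}"


if __name__ == "__main__":
    for label, recs in (("good", GOOD_RECORDS), ("bad", BAD_RECORDS)):
        print(label, audit(recs) or ["no findings"])
        print("  ldap SPN for dc01.example.com:", expected_spn("ldap", "dc01.example.com", recs))
```

With the recommended layout the audit returns nothing and `ldap/dc01.example.com` canonicalises to `ldap/dc01.ad.example.com`, the name the DC actually registers; with the two-A-record layout the audit reports the duplicate A records and the name whose PTR does not match, and the SPN stays at `ldap/dc01.example.com`, which is the kind of mismatch that produced the failures described earlier in the thread.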