[Samba] using samba-tool from a domain member other than the DC

Fri Jul 24 06:41:49 UTC 2020

Just word of warning there... 

If you AD-DC has 2 hostnames. 
Does it also has 2 ipnumbers, if not.. And you have setup in
the DNS 2x an A record, then beware and rethink your setup.
And do check if you then also have 2 x a PTR record. 

If you have 1 PTR record and 1 ipadres, which i assumbe based on
the info i saw, and setup A+PTR+CNAME and not 2xA and PTR
You have less problems with A + PTR + CNAME with kerberos. 

dc01.ad.example.com A -> PTR IP -> CNAME dc01.example.com
Also, resolving order and routing can bork the setup.
So since it now works, just a notice. 

But this triggered me to reply. 

> My DC host has its regular name - dc01.example.com and then 
> its AD name dc01.ad.example.com.  

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Jason Keltz via samba
> Verzonden: vrijdag 24 juli 2020 2:01
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] using samba-tool from a domain member 
> other than the DC
> 
> Hi Rowland,
> 
> Speaking of senior moment. I just figured out the problem...
> 
> My DC host has its regular name - dc01.example.com and then 
> its AD name 
> dc01.ad.example.com.  Even though both resolve to the same IP, I was 
> using dc01.example.com which is apparently a no no because 
> Kerberos is 
> particular about name.  If I use dc01.ad.example.com it actually 
> works!!!!!!!!!!  Using either dc01.example.com or using the 
> IP address 
> both do not work.
> 
> And just to prove that this has nothing whatsoever to do with 
> smb.conf, 
> I moved it out of the way completely, and it now works as well!!
> 
> Thanks a lot! I've spent *hours* looking at this.  I think I 
> have a few 
> extra gray hairs.
> 
> Jason.
> 
> On 7/23/2020 3:58 PM, Rowland penny via samba wrote:
> > On 23/07/2020 20:36, Jason Keltz via samba wrote:
> >>
> >>
> >>
> >> On the client, I have the same krb5.conf as above.  For smb.conf I 
> >> have the following (I don't even really know if it's 
> required but I 
> >> highly suspect samba-tool is at least reading it):
> >>
> >> [global]
> >>         workgroup =<workgroup name>
> >>         security = ADS
> >>         realm = <realm server name>
> >>
> >> I was under the impression that in order to use ldap:// 
> URLs, on the 
> >> DC smb.conf, you need to add "ldap server require strong 
> auth = no".  
> >> You said the default is no, but at least in my 
> configuration on the 
> >> server it is "yes":
> >
> > OOPS, senior moment there ;-)
> >
> > The 'no' should have been 'yes' and it still works for me ;-)
> >
> >>
> >> I'm not permitted to set ldap server require strong auth = no. 
> >> Ideally, samba-tool would work with ldaps, but if I can use 
> >> samba-tool over ldap without having to set the require 
> strong auth = 
> >> no, then that would be great.
> >
> > You should be able to use samba-tool with kerberos:
> >
> > rowland at devstation:~$ samba-tool user list -H 
> > ldap://dc01.samdom.example.com -k yes -d5
> > < snipped for brevity >
> > Ticket in credentials cache for rowland at SAMDOM.EXAMPLE.COM 
> will expire 
> > in 33327 secs
> > gensec_gssapi: NO credentials were delegated
> > GSSAPI Connection will be cryptographically signed
> > <LONG LIST OF USERS>
> >
> > This is from a domain joined Unix client and 'rowland' has a valid 
> > kerberos ticket.
> >
> > The client is running nmbd, smbd and winbind.
> >
> > You say that you are running sssd, we cannot help you with 
> this, we do 
> > not produce sssd etc.
> >
> > Rowland
> >
> >
> >
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 