[Samba] using samba-tool from a domain member other than the DC
rpenny at samba.org
Fri Jul 24 07:49:26 UTC 2020
On 24/07/2020 01:01, Jason Keltz via samba wrote:
> Hi Rowland,
> Speaking of senior moment. I just figured out the problem...
> My DC host has its regular name - dc01.example.com and then its AD
> name dc01.ad.example.com. Even though both resolve to the same IP, I
> was using dc01.example.com which is apparently a no no because
> Kerberos is particular about name. If I use dc01.ad.example.com it
> actually works!!!!!!!!!! Using either dc01.example.com or using the
> IP address both do not work.
Why does your DC have two FQDN's ???
This is a NO-NO, a DC must be authoritative for the AD dns domain, how
can it do this reliably if it is schizophrenic. I would remove
'dc01.example.com' or make it a CNAME.
Whilst a kerberos realm != dns domain, it is expected to be the dns
domain in uppercase, also kerberos will not work with ipaddresses.
> And just to prove that this has nothing whatsoever to do with
> smb.conf, I moved it out of the way completely, and it now works as
Could have told you that, provided you have a kerberos ticket granted by
a domain DC, samba-tool will work against a domain DC.
> Thanks a lot! I've spent *hours* looking at this. I think I have a
> few extra gray hairs.
Sign of wisdom lol
More information about the samba