[Samba] using samba-tool from a domain member other than the DC

Rowland penny rpenny at samba.org
Fri Jul 24 07:49:26 UTC 2020

On 24/07/2020 01:01, Jason Keltz via samba wrote:
> Hi Rowland,
> Speaking of senior moment. I just figured out the problem...
> My DC host has its regular name - dc01.example.com and then its AD 
> name dc01.ad.example.com.  Even though both resolve to the same IP, I 
> was using dc01.example.com which is apparently a no no because 
> Kerberos is particular about name.  If I use dc01.ad.example.com it 
> actually works!!!!!!!!!!  Using either dc01.example.com or using the 
> IP address both do not work.

Why does your DC have two FQDN's ???

This is a NO-NO, a DC must be authoritative for the AD dns domain, how 
can it do this reliably if it is schizophrenic. I would remove 
'dc01.example.com' or make it a CNAME.

Whilst a kerberos realm != dns domain, it is expected to be the dns 
domain in uppercase, also kerberos will not work with ipaddresses.

> And just to prove that this has nothing whatsoever to do with 
> smb.conf, I moved it out of the way completely, and it now works as 
> well!!
Could have told you that, provided you have a kerberos ticket granted by 
a domain DC, samba-tool will work against a domain DC.
> Thanks a lot! I've spent *hours* looking at this.  I think I have a 
> few extra gray hairs.

Sign of wisdom lol


More information about the samba mailing list