[Samba] using samba-tool from a domain member other than the DC

[Jason Keltz]

Oh boy.  Looks like I still have a lot to learn!  I was taking non AD hosts and bringing them in to AD by adding A records to AD. So far it worked but I understand it's in for trouble. You've just given me something big to think about on my day 'off' :).  


On Jul. 24, 2020, 3:50 a.m., at 3:50 a.m., Rowland penny via samba <samba at lists.samba.org> wrote:
>On 24/07/2020 01:01, Jason Keltz via samba wrote:
>> Hi Rowland,
>>
>> Speaking of senior moment. I just figured out the problem...
>>
>> My DC host has its regular name - dc01.example.com and then its AD 
>> name dc01.ad.example.com.  Even though both resolve to the same IP, I
>
>> was using dc01.example.com which is apparently a no no because 
>> Kerberos is particular about name.  If I use dc01.ad.example.com it 
>> actually works!!!!!!!!!!  Using either dc01.example.com or using the 
>> IP address both do not work.
>
>Why does your DC have two FQDN's ???
>
>This is a NO-NO, a DC must be authoritative for the AD dns domain, how 
>can it do this reliably if it is schizophrenic. I would remove 
>'dc01.example.com' or make it a CNAME.
>
>Whilst a kerberos realm != dns domain, it is expected to be the dns 
>domain in uppercase, also kerberos will not work with ipaddresses.
>
>>
>> And just to prove that this has nothing whatsoever to do with 
>> smb.conf, I moved it out of the way completely, and it now works as 
>> well!!
>Could have told you that, provided you have a kerberos ticket granted
>by 
>a domain DC, samba-tool will work against a domain DC.
>>
>> Thanks a lot! I've spent *hours* looking at this.  I think I have a 
>> few extra gray hairs.
>
>Sign of wisdom lol
>
>Rowland
>
>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba