[Samba] using samba-tool from a domain member other than the DC
jas at eecs.yorku.ca
Fri Jul 24 11:23:10 UTC 2020
Oh boy. Looks like I still have a lot to learn! I was taking non-AD hosts and bringing them into AD by adding A records to AD. So far it worked but I understand it's in for trouble. You've just given me something big to think about on my day 'off' :).
On Jul. 24, 2020, at 3:50 a.m., Rowland Penny via samba <samba at lists.samba.org> wrote:
>On 24/07/2020 01:01, Jason Keltz via samba wrote:
>> Hi Rowland,
>> Speaking of senior moment. I just figured out the problem...
>> My DC host has its regular name - dc01.example.com and then its AD
>> name dc01.ad.example.com. Even though both resolve to the same IP, I
>> was using dc01.example.com which is apparently a no-no because
>> Kerberos is particular about name. If I use dc01.ad.example.com it
>> actually works!!!!!!!!!! Using either dc01.example.com or using the
>> IP address both do not work.
>Why does your DC have two FQDNs???
>This is a NO-NO, a DC must be authoritative for the AD DNS domain, how
>can it do this reliably if it is schizophrenic? I would remove
>'dc01.example.com' or make it a CNAME.
>Whilst a Kerberos realm != DNS domain, it is expected to be the DNS
>domain in uppercase, also Kerberos will not work with IP addresses.
>> And just to prove that this has nothing whatsoever to do with
>> smb.conf, I moved it out of the way completely, and it now works as
>Could have told you that, provided you have a Kerberos ticket granted
>a domain DC, samba-tool will work against a domain DC.
>> Thanks a lot! I've spent *hours* looking at this. I think I have a
>> few extra gray hairs.
>Sign of wisdom lol
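The name rules discussed in this thread, as an added example that is not part of either message: a pre-flight check for the host passed to `samba-tool -H`, rejecting IP literals and names outside the AD DNS domain and returning the LDAP service principal the client would ask for. The function name `check_target`, the realm `AD.EXAMPLE.COM` (inferred from `dc01.ad.example.com`) and the address `192.0.2.10` are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_target(target: str, realm: str) -> tuple[bool, str]:
    """Check a samba-tool -H target before relying on Kerberos.

    Returns (True, expected_service_principal) or (False, reason).
    """
    # Accept either a bare host or an ldap:// URL.
    host = urlsplit(target).hostname if "://" in target else target
    host = (host or "").strip().rstrip(".").lower()
    if not host:
        return False, "no host name in target"

    # Kerberos service principals are name-based; an IP literal gives the
    # client nothing it can turn into ldap/<fqdn>.
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False, f"{host} is an IP address, not a host name"
    except ValueError:
        pass

    # The realm is expected to be the AD DNS domain in upper case, so the
    # DC's usable name is the one inside that domain.
    domain = realm.lower()
    if not host.endswith("." + domain):
        return False, f"{host} is outside the AD DNS domain {domain}"

    return True, f"ldap/{host}@{realm.upper()}"


if __name__ == "__main__":
    REALM = "AD.EXAMPLE.COM"  # assumed realm, inferred from dc01.ad.example.com
    # Constructed sample targets: the two names from the thread plus an IP.
    for t in ("dc01.example.com", "192.0.2.10", "ldap://dc01.ad.example.com"):
        print(t, "->", check_target(t, REALM))
```

The check is purely syntactic: it does not confirm that the principal is registered on the DC or that a ticket is held.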