[Samba] Multi-homed Samba 4 file server on Samba 4 AD domain - cross network authentication

Rowland penny rpenny at samba.org
Thu May 14 18:50:27 UTC 2020 

On 14/05/2020 18:58, David Lomax via samba wrote:
> Hi Rowland,
>
> Thank you very much, you were spot on.  I had changed the Windows 7 client to LM compatibility level, and now that I reverted it back to 5 (use NTLMv2) it works.  It was this registry key that made it start working:
Good ;-)
> * I changed the username map as you suggested:
>
>>      #username map = /etc/samba/user.map
>>      username map script = /bin/echo
> (Should it be "username map" or "username map script"?)
It should be 'username map'
>
> * I removed the [netlogon] share.  Should I also remove [profiles] from the client?  I have user directories on the file server, but not sure if it is the role of the DC or not to host that.
The netlogon share should be on an AD DC, but 'profiles' can be on any 
machine.
> * I removed winbind from nsswitch.conf as you suggest, but isn't it needed to look up computer names from the DC?  Or it uses regular DNS nowadays?
Active directory lives on DNS, so it isn't required in the hosts line.
> * I removed the domain line from resolv.conf, although I'm still not sure what it does  :-)

The way you had it, nothing ;-)

'domain' and 'search' in /etc/resolv.conf are mutually exclusive and if 
they are both there, then the last one wins and you need search.

> * I removed the nameserver entry for the gateway, and added 2 nameserver entries with each of the DCs IPs.
>
> Question ... I configured my gateway (pfsense) to delegate DNS lookups for nsa.int to the DCs.  Does that mean I can keep all machines pointing their DNS lookups to the gateway?
> Or do domain members need to make the DCs their first port-of-call for DNS lookups?
As the DC's are authoritative for the dns domain, then the dns clients 
should use them as their nameservers and you should forward anything 
outside the AD dns domain to the gateway, that is unless you want create 
all the AD dns records on the gateway and keep it in sync with the DC's.
>
> I've always scratched my head over trying to understand what are the samba options applicable to the latest version.  What resources can you recommend I look at?
>
Try reading the samba wiki: https://wiki.samba.org/index.php/Main_Page 
and the various Samba manpages.

Rowland

More information about the samba mailing list