[Samba] Samba DNS Accounts

Bo Kersey bo at vircio.com
Thu Feb 4 17:19:08 UTC 2021


Nothing is updating Samba DNS...

dns_tkey_gssnegotiate: TKEY is unacceptable

The SPN name in the dns-dc01 record does not match any of the entries in klist -k /var/lib/samba/bind-dns/dns.keytab.


Bo Kersey 
VirCIO - managed network solutions 
4314 Avenue C 
Austin, TX 78751 
phone: (512)374-0500 

In theory there is no difference between theory and practice.  In practice, there is.

----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Thursday, February 4, 2021 11:14:04 AM
> Subject: Re: [Samba] Samba DNS Accounts

> On 04/02/2021 16:30, Bo Kersey wrote:
>> Actually, based on some of my working servers, the dns record should be:
>> DC=ad01,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> However, this is what I'm seeing:
>> dn:
>> DC=ad01.,DC=example.info,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM
>> dn:
>> DC=ad01.samdom,DC=EXAMPLE.COM,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM
> 
> 
> Not good, what is updating the records in AD ?
> 
>>
>> I'm thinking the problem is that the workgroup is set to EXAMPLE instead of
>> SAMDOM - smb.conf below
> 
> 
> Whilst it is common practice to name the workgroup after the lefthand
> part of the realm, it isn't mandatory, in fact you can call it anything,
> as long as it isn't more than 15 characters long, so EXAMPLE is ok.
> 
> 
>>
>> [global]
>> 	ldap server require strong auth = allow_sasl_over_tls
>> 	passdb backend = samba_dsdb
>> 	realm = SAMDOM.EXAMPLE.COM
>> 	server role = active directory domain controller
>> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> 	template shell = /bin/bash
>> 	tls verify peer = no_check
>> 	usershare path =
>> 	winbind enum groups = Yes
>> 	winbind enum users = Yes
>> 	winbind nss info = rfc2307
>> 	winbind offline logon = Yes
>> 	winbind use default domain = Yes
>> 	workgroup = EXAMPLE
>> 	rpc_daemon:spoolssd = embedded
>> 	rpc_server:spoolss = embedded
>> 	idmap_ldb:use rfc2307 = yes
>> 	winbindd:use external pipes = true
>> 	rpc_server:default = external
>> 	rpc_server:svcctl = embedded
>> 	rpc_server:srvsvc = embedded
>> 	rpc_server:eventlog = embedded
>> 	rpc_server:ntsvcs = embedded
>> 	rpc_server:winreg = embedded
>> 	rpc_server:tcpip = no
>> 	idmap config * : backend = tdb
>> 	map archive = No
>> 	vfs objects = dfs_samba4 acl_xattr
> 
> 
> Can I suggest you remove the 'winbind' lines; they do nothing on a Samba DC.
> 
> Rowland
> 
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
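As an added example (not code from this thread or from the Samba project), the script below applies the two checks the thread turns on, offline, to captured text: does /var/lib/samba/bind-dns/dns.keytab contain the principal the DC negotiates TKEY with, and are the MicrosoftDNS record DNs in AD well-formed. The three record DNs are the ones quoted above; the `klist -k` listing, the expected zone set and the `dns-AD01` account name are constructed, and the two principals expected in the keytab (`DNS/<fqdn>@REALM` and `<dns account>@REALM`) are an assumption based on how Samba provisions the BIND9 DLZ keytab.

```python
"""Offline checks for the two failure modes in the thread above:
a BIND9 DLZ keytab that lacks the principal the DC negotiates TKEY with,
and DNS records written to AD under malformed DNs. Input is the text
output of `klist -k` and `ldbsearch`, captured into strings; all sample
data here is constructed for illustration."""
import re

# Constructed: what `samba-tool dns zonelist` would report for
# DomainDnsZones in this domain (assumption: one forward zone).
EXPECTED_ZONES = {"samdom.example.com"}

# The three DNs quoted in the thread: one well-formed, two malformed.
RECORD_DNS = [
    "DC=ad01,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com",
    "DC=ad01.,DC=example.info,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM",
    "DC=ad01.samdom,DC=EXAMPLE.COM,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM",
]

# Constructed `klist -k` output (MIT layout) for a keytab created while
# the DC still carried a different FQDN, so the DNS/ SPN no longer matches.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 dns-AD01@SAMDOM.EXAMPLE.COM
   2 DNS/ad01.example.info@SAMDOM.EXAMPLE.COM
"""


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs. Assumes no escaped commas, which
    holds for MicrosoftDNS record DNs since DNS labels cannot contain ','."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_dns_record_dn(dn, expected_zones):
    """Return the list of problems with one record DN (empty list = sane).
    Expected shape: DC=<label>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,<domain DN>.
    A label may legitimately contain dots (e.g. _ldap._tcp.<site>._sites),
    so only a trailing dot and an unknown zone are treated as errors."""
    pairs = parse_dn(dn)
    idx = [i for i, (a, v) in enumerate(pairs) if a == "CN" and v.lower() == "microsoftdns"]
    if idx != [2] or pairs[0][0] != "DC" or pairs[1][0] != "DC":
        return ["unexpected DN shape; expected DC=<label>,DC=<zone>,CN=MicrosoftDNS,..."]
    label, zone = pairs[0][1], pairs[1][1]
    problems = []
    if label.endswith("."):
        problems.append(f"label {label!r} ends with a dot: absolute name stored as a relative label")
    if zone.lower() not in {z.lower() for z in expected_zones}:
        problems.append(f"zone {zone!r} is not a known zone {sorted(expected_zones)}; "
                        f"a query for {label.rstrip('.')}.{zone} will not be served from AD")
    return problems


# One `klist -k` line per keytab entry: KVNO first, principal is the token
# containing '@' (covers both the MIT and the Heimdal column layouts).
KLIST_LINE = re.compile(r"^\s*\d+\s+.*?(\S+@\S+)")


def parse_klist(output):
    """Set of principals listed in `klist -k` output."""
    return {m.group(1) for line in output.splitlines() if (m := KLIST_LINE.match(line))}


def missing_dns_principals(klist_output, dc_fqdn, dns_account, realm):
    """Principals Samba's BIND9 DLZ setup is assumed to place in dns.keytab
    but which are absent: DNS/<fqdn>@REALM (the SPN used for TKEY/GSS-TSIG)
    and <dns account>@REALM. Matching is exact, as in Kerberos."""
    expected = {f"DNS/{dc_fqdn}@{realm}", f"{dns_account}@{realm}"}
    return sorted(expected - parse_klist(klist_output))


if __name__ == "__main__":
    for dn in RECORD_DNS:
        print(dn, "->", check_dns_record_dn(dn, EXPECTED_ZONES) or "ok")
    print("missing from keytab:",
          missing_dns_principals(SAMPLE_KLIST, "ad01.samdom.example.com",
                                 "dns-AD01", "SAMDOM.EXAMPLE.COM"))
```

On a real DC the inputs come from `klist -k /var/lib/samba/bind-dns/dns.keytab` and from an `ldbsearch` against the DomainDnsZones partition of sam.ldb filtered on `(objectClass=dnsNode)`, with the expected zone set taken from `samba-tool dns zonelist`. A record whose label carries a trailing dot, or which sits under a zone that does not exist, is exactly the kind of entry the second and third DNs above show, and a missing `DNS/<fqdn>` principal is the usual reason a `dns_tkey_gssnegotiate: TKEY is unacceptable` update fails.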
