[Samba] Mssql with AD authentication

Kees van Vloten keesvanvloten at gmail.com
Wed Dec 21 23:12:43 UTC 2022

Hi Team,

I am trying to set up Microsoft SQL Server with AD authentication on 
bullseye with Samba 4.16 on the DCs.

It looks like the setup as described by MS and adapted for Samba/Winbind 
(instead of sssd) works pretty well.

However, when I try to set up a "login" in sqlcmd: "create login 
[SAMDOM\some_ad_group] from windows", I am running into an error "Could 
not look up short domain name due to error: Name or service not known".
MS explains this with:
The NetBIOS name (CONTOSO) is required in the command, but in the 
backend when performing an LDAP connection, the FQDN of the domain 
(contoso.com) must be provided. To do this conversion, a DNS lookup is 
performed on CONTOSO to resolve to the IP of a domain controller, which 
can then be bound to for LDAP queries.

The error message "Could not look up short domain name due to error" 
suggests that nslookup for contoso doesn't resolve to IP address of the 
domain controller. You should review DNS and reverse DNS lookups to 
confirm that nslookup for both the NetBIOS and domain name should match.

It looks like Samba's default setup is missing a DNS record "SAMDOM" 
that should point to the DCs.
Of course I would be able to create such a record, but it sounds like a 
tiny compatibility mismatch with how MS delivers its AD DNS.

Should I create a bug for this?

Is the best short-term approach indeed to create a DNS record?
How do I do that?  Should it point to all DCs or to the one that is 
serving the DNS request or a CNAME to _ldap._tcp.samdom.com or something

- Kees
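
The lookup that the quoted Microsoft text describes can be checked from the SQL Server host before creating any record. The following is an added example, not code from the post, Samba or Microsoft: it resolves the short name and the domain FQDN and compares the results. It assumes the A/AAAA records of the domain FQDN list the DCs; `check_short_domain`, `sample_lookup` and the addresses in `SAMPLE_ZONE` are constructed for illustration.

```python
import socket

def resolve(name, lookup=socket.getaddrinfo):
    """Return the set of addresses `name` resolves to; empty set if it does not."""
    try:
        return {info[4][0] for info in lookup(name, None)}
    except socket.gaierror:  # e.g. "Name or service not known"
        return set()

def check_short_domain(short, fqdn, lookup=socket.getaddrinfo):
    """Compare what the NetBIOS-style short name and the domain FQDN resolve to.

    Assumption: the A/AAAA records of the domain FQDN list the DCs.
    Returns (status, short_addrs, fqdn_addrs).
    """
    short_addrs = resolve(short, lookup)
    fqdn_addrs = resolve(fqdn, lookup)
    if not fqdn_addrs:
        status = "fqdn-unresolved"
    elif not short_addrs:
        status = "short-unresolved"      # the situation described in the post
    elif short_addrs <= fqdn_addrs:
        status = "ok"
    else:
        status = "mismatch"              # short name points somewhere other than a DC
    return status, short_addrs, fqdn_addrs

# Constructed sample data standing in for DNS, so the example runs offline.
SAMPLE_ZONE = {
    "samdom.com": ["192.0.2.10", "192.0.2.11"],
    "SAMDOM": ["192.0.2.10"],
    "STRAY": ["198.51.100.7"],
}

def sample_lookup(name, port):
    """Mimic socket.getaddrinfo() over SAMPLE_ZONE (constructed, not real DNS)."""
    if name not in SAMPLE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in SAMPLE_ZONE[name]]

if __name__ == "__main__":
    for short in ("SAMDOM", "MISSING", "STRAY"):
        print(short, check_short_domain(short, "samdom.com", sample_lookup))
```

Calling `check_short_domain("SAMDOM", "samdom.com")` without the third argument uses the host's real resolver, including its search domains.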
