[Samba] Mssql with AD authentication

[Kees van Vloten]

Hi Team,

I am trying to setup Microsoft Sqlserver with AD authentication on 
bullseye with Samba 4.16 on the DCs.

It looks like the setup as described by MS and adapted for Samba/ 
Winbind  (instead of sssd) works pretty well.

However when I try to setup a "login" in sqlcmd: "create login 
[SAMDOM\some_ad_group] from windows", I am running into an error "Could 
not look up short domain name due to error: Name or service not known".
MS explains this with:
"
The NetBIOS name (CONTOSO) is required in the command, but in the 
backend when performing an LDAP connection, the FQDN of the domain 
(contoso.com) must be provided. To do this conversion, a DNS lookup is 
performed on CONTOSO to resolve to the IP of a domain controller, which 
can then be bound to for LDAP queries.
Guidance

The error message "Could not look up short domain name due to error" 
suggests that nslookup for contoso doesn't resolve to IP address of the 
domain controller. You should review DNS and reverse DNS lookups to 
confirm that nslookup for both the NetBIOS and domain name should match.
"

It looks like Samba' s default setup is missing a dns record "SAMDOM" 
that should point to the DCs.
Of course I would be able to create such a record, but it sounds like a 
tiny compatibility mismatch with how MS delivers its AD DNS.

Should I create a bug for this?

Is the best short-term approach indeed to create a dns record?
How do I do that?  Should it point to all DCs or to the one that is 
serving the dns request or a cname to _ldap._tcp.samdom.com or something 
else?

- Kees