[Samba] name resolve order parameter for security=ads
Jonathan Neuhauser
jonathan.neuhauser at kit.edu
Mon Jul 11 06:23:21 UTC 2022
Dear Samba list,
I noticed that the recommendation for the "name resolve order" parameter
for security = ads, namely "wins bcast", breaks everything on my test
domain client (Rowland Penny asked me to post this issue on the mailing
list to exclude misconfiguration on my part).
samba --version: Version 4.13.17-Ubuntu, Ubuntu 20.04 LTS, uname -r:
5.13.0-52-generic
Here's my smb.conf as shown by testparm (realm replaced by EXAMPLE.ORG):
[global]
kerberos method = system keytab
log file = /var/log/samba/log.%m
logging = file
log level = 3
map to guest = Bad User
max log size = 1000
ntlm auth = ntlmv2-only
panic action = /usr/share/samba/panic-action %d
realm = EXAMPLE.ORG
security = ADS
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = EXAMPLE
idmap config example : unix_primary_group = yes
idmap config example : schema_mode = rfc2307
idmap config example : unix_nss_info = yes
idmap config example : range = 8000 - 9999999
idmap config example : backend = ad
idmap config * : range = 3000 - 7999
idmap config * : backend = tdb
and krb5.conf:
[libdefaults]
default_realm = EXAMPLE.ORG
kdc_timesync = 1
ccache_type = 4
forward = true
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
With this setting, wbinfo -i username as well as wbinfo -i
"EXAMPLE\username" works fine and shows correct uid/gid and home
directory, and domain integration works mostly fine - including PAM &
NSS integration and graphical login, as well as Kerberos access to
shares hosted by this machine. So thanks to the samba team for providing
a great tool!
If I additionally set
name resolve order = wins bcast
wbinfo -P shows
checking the NETLOGON for domain[EXAMPLE] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
wbinfo -i username or wbinfo -i "EXAMPLE\username"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user username
I can resolve the SRV records: host -t SRV _ldap._tcp.example.org still
shows the available domain controllers.
It is from these observations that I filed bug
https://bugzilla.samba.org/show_bug.cgi?id=15117, but maybe there's an
issue with my configuration as shown above. I'll also provide further
logs on request.
Thanks in advance,
Jonathan
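For readers checking their own client configuration for the combination described in this report, here is a small added lint script; it is not part of the post and not Samba code. It parses the [global] section of an smb.conf in the way testparm would print it, resolves the effective "name resolve order" (falling back to the default "lmhosts wins host bcast" documented in smb.conf(5)), and flags a security = ads setup whose order omits the "host" method. The check rests on the assumption that "host" is the method that consults the system resolver (/etc/hosts and DNS), and that an AD client depends on that for DNS-based domain controller lookup; the sample configuration embedded below is constructed from the values quoted in the post.

```python
import re
from typing import Dict, List

# Constructed sample: a [global] section built from the poster's values,
# with the extra "name resolve order" line that triggers the failure.
SAMPLE_SMB_CONF = """
[global]
    realm = EXAMPLE.ORG
    security = ADS
    workgroup = EXAMPLE
    name resolve order = wins bcast
    idmap config * : backend = tdb
"""

# Default from smb.conf(5); "host" is the method that uses the system
# resolver (/etc/hosts, then DNS), which is what an AD client relies on
# for SRV-record based DC discovery (assumption stated in the lead-in).
DEFAULT_NAME_RESOLVE_ORDER = ["lmhosts", "wins", "host", "bcast"]


def parse_global(conf_text: str) -> Dict[str, str]:
    """Return the [global] section as a dict of normalised key -> value.

    Samba parameter names are case-insensitive and ignore internal spaces,
    so "Name Resolve Order" and "nameresolveorder" map to the same key.
    """
    params: Dict[str, str] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def name_resolve_order(params: Dict[str, str]) -> List[str]:
    """Effective resolution methods, in order, honouring the default."""
    raw = params.get("nameresolveorder")
    if raw is None:
        return list(DEFAULT_NAME_RESOLVE_ORDER)
    return raw.lower().split()


def check_ads_resolution(conf_text: str) -> List[str]:
    """Return findings for an AD member whose name resolution skips DNS.

    An empty list means nothing was flagged.
    """
    params = parse_global(conf_text)
    findings: List[str] = []
    if params.get("security", "").lower() != "ads":
        return findings  # the check only concerns AD member setups
    order = name_resolve_order(params)
    if "host" not in order:
        findings.append(
            "security = ads but 'name resolve order' is '%s', which omits "
            "'host' (system resolver/DNS); DNS-based domain controller "
            "lookup may fail" % " ".join(order))
    return findings


if __name__ == "__main__":
    for finding in check_ads_resolution(SAMPLE_SMB_CONF) or ["no findings"]:
        print(finding)
```

Run against the sample above it reports one finding; with "name resolve order = lmhosts host wins bcast", or with the parameter left at its default, it reports none. Feed it the output of testparm -s so that the values it sees are the ones Samba actually uses.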