[Samba] name resolve order parameter for security=ads

Jonathan Neuhauser jonathan.neuhauser at kit.edu
Mon Jul 11 06:23:21 UTC 2022 

Dear Samba list,

I noticed that the recommendation for the "name resolve order" parameter 
for security = ads, namely "wins bcast", breaks everything on my test 
domain client (Rowland Penny asked me to post this issue on the mailing 
list to exclude misconfiguration on my part).

samba --version: Version 4.13.17-Ubuntu, Ubuntu 20.04 LTS, uname -r: 
5.13.0-52-generic

Here's my smb.conf as shown by testparm (realm replaced by EXAMPLE.ORG):

[global]
     kerberos method = system keytab
     log file = /var/log/samba/log.%m
     logging = file
     log level = 3
     map to guest = Bad User
     max log size = 1000
     ntlm auth = ntlmv2-only
     panic action = /usr/share/samba/panic-action %d
     realm = EXAMPLE.ORG
     security = ADS
     template shell = /bin/bash
     winbind enum groups = Yes
     winbind enum users = Yes
     winbind nss info = rfc2307
     winbind offline logon = Yes
     winbind refresh tickets = Yes
     winbind use default domain = Yes
     workgroup = EXAMPLE
     idmap config example : unix_primary_group = yes
     idmap config example : schema_mode = rfc2307
     idmap config example : unix_nss_info = yes
     idmap config example : range = 8000 - 9999999
     idmap config example : backend = ad
     idmap config * : range = 3000 - 7999
     idmap config * : backend = tdb

and krb5.conf:

[libdefaults]
   default_realm = EXAMPLE.ORG
   kdc_timesync = 1
   ccache_type = 4
   forward = true
   forwardable = true
   proxiable = true
   dns_lookup_realm = true
   dns_lookup_kdc = true

With this setting, wbinfo -i username as well as wbinfo -i 
"EXAMPLE\username" works fine and shows correct uid/gid and home 
directory, and domain integration works mostly fine - including PAM & 
NSS integration and graphical login, as well as Kerberos access to 
shares hosted by this machine. So thanks to the samba team for providing 
a great tool!

If I additionally set

    name resolve order = wins bcast

wbinfo -P shows

checking the NETLOGON for domain[EXAMPLE] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND

wbinfo -i username or wbinfo -i "EXAMPLE\username"

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user username

I can resolve the SRV records: host -t SRV _ldap._tcp.example.org still 
shows the available domain controllers.

It is from these observations that I filed bug 
https://bugzilla.samba.org/show_bug.cgi?id=15117, but maybe there's an 
issue with my configuration as shown above. I'll also provide further 
logs on request.

Thanks in advance,

Jonathan

More information about the samba mailing list