[Samba] name resolve order parameter for security=ads

Jonathan Neuhauser jonathan.neuhauser at kit.edu
Mon Jul 11 12:34:40 UTC 2022

Dear Rowland,

I had one more idea where my setup might be different from yours - our 
domain uses disjoint namespaces, i.e. my PC is 
"hostname.subdomain.example.org", while the domain is located at 
"example.org". Anyway, here's the debug info you requested, with 
relevant parts replaced (I hope consistently so):

Config collected --- 2022-07-11-11:25 -----------

Hostname:   hostname
DNS Domain: subdomain.example.org
FQDN:       hostname.subdomain.example.org
ipaddress:  <my.static.ipv4.address> 
<my.temporary.ipv6.address> <my.static.ipv6.address>


This computer is running Ubuntu 20.04.4 LTS x86_64


running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet scope host lo
     inet6 ::1/128 scope host
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel 
state UP group default qlen 1000
     link/ether <my:mac:address> brd ff:ff:ff:ff:ff:ff
     inet <my.static.ipv4.address>/26 brd <my.subnet.broadcast.address> 
scope global dynamic noprefixroute enp4s0
        valid_lft 2906sec preferred_lft 2906sec
     inet6 <my.temporary.ipv6.address>/64 scope global dynamic 
mngtmpaddr noprefixroute
        valid_lft 2591940sec preferred_lft 604740sec
     inet6 <my.static.ipv6.address>/64 scope global dynamic noprefixroute
        valid_lft 2591940sec preferred_lft 604740sec
     inet6 fe80::785b:6c9a:15e2:1646/64 scope link noprefixroute
     inet6 fe80::f22f:74ff:fe1e:32c8/64 scope link noprefixroute


Checking file: /etc/hosts    localhost
<my.static.ipv4.address> hostname.subdomain.example.org 
hostname.subdomain.example.org hostname hostname

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


Checking file: /etc/resolv.conf

# Generated by resolvconf
domain subdomain.example.org
<here, the DNS resolvers of my domain are listed, which are set by DHCP>


WARNING: 'kinit Administrator' will fail, you need to fix this.
Unable to verify DNS kerberos._tcp SRV records


'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.


Samba is running as a Unix domain member


Checking file: /etc/krb5.conf

   default_realm = EXAMPLE.ORG
   dns_lookup_realm = false
   dns_lookup_kdc = true


Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       files
sudoers:        files


Checking file: /etc/samba/smb.conf

   # Logging options
   debug level = 3
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d

   # domain settings
   security = ADS
   workgroup = EXAMPLE
   ntlm auth = no
   pam password change = no
   map to guest = bad user

   # Winbind
   idmap config *   : backend = tdb
   idmap config *   : range = 3000 - 7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 8000 - 9999999
   idmap config EXAMPLE : unix_nss_info = yes
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : unix_primary_group = yes

   winbind nss info = rfc2307
   # This parameter controls whether groups should be filled with 
usernames, which is slow (sequential request for each group). It is not 
needed to evaluate group memberships, so we disable it.
   winbind expand groups = 0
   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind offline logon = yes
   winbind enum groups = yes
   winbind enum users = yes
   # this doesn't work, since we allow offline logon (for which this 
parameter is disabled)
   # winbind max domain connections = 10
   # Kerberos
   kerberos method = system keytab
   realm = EXAMPLE.ORG
   template homedir = /home/ws/%U
   template shell = /bin/bash

   # include this file where we define shares (via ansible)
   include = /etc/samba/shares.conf


Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts


Checking file: /etc/idmapd.conf


Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain


Nobody-User = nobody
Nobody-Group = nogroup


This Unix domain member is using 'winbind' in /etc/nsswitch.conf.


Time on the DC with PDC Emulator role is: 2022-07-11T11:25:40

Time on this computer is:                 2022-07-11T11:25:40

Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds


Installed packages:
ii  acl 2.2.53-6                                       amd64 access 
control list - utilities
ii  attr 1:2.4.48-5                                     amd64 utilities 
for manipulating filesystem extended attributes
ii  fonts-quicksand 0.2016-2                                       all 
sans-serif font with round attributes
ii  kde-spectacle 19.12.3-1ubuntu1                               amd64 
Screenshot capture utility
ii  krb5-config 2.6ubuntu1                                     all 
Configuration files for Kerberos Version 5
ii  krb5-locales 1.17-6ubuntu4.1                                all 
internationalization support for MIT Kerberos
ii  krb5-user 1.17-6ubuntu4.1                                amd64 basic 
programs to authenticate using MIT Kerberos
ii  libacl1:amd64 2.2.53-6                                       amd64 
access control list - shared library
ii  libattr1:amd64 1:2.4.48-5                                     amd64 
extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64 
1.17-6ubuntu4.1                                amd64        MIT Kerberos 
runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64 
7.7.0+dfsg-1ubuntu1                            amd64 Heimdal Kerberos - 
ii  libkrb5-3:amd64 1.17-6ubuntu4.1                                
amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64 1.17-6ubuntu4.1                                
amd64        MIT Kerberos runtime libraries - Support library
ii  libnfs13:amd64 4.0.0-1                                        
amd64        NFS client library (shared library)
ii  libnfsidmap2:amd64 0.25-5.1ubuntu1                                
amd64        NFS idmapping library
ii  libnss-winbind:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2                
amd64 Samba nameservice integration plugins
ii  libpam-krb5:amd64 4.8-2ubuntu1                                   
amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2                
amd64 Windows domain authentication integration plugin
ii  libsmbclient:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2                
amd64 shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2                
amd64 Samba winbind client library
ii  nfs-common 1:1.3.4-2.5ubuntu3.4                           
amd64        NFS support files common to client and server
ii  nfs-kernel-server 1:1.3.4-2.5ubuntu3.4                           
amd64 support for NFS kernel server
ii  python3-attr 19.3.0-2                                       all 
Attributes without boilerplate (Python 3)
ii  python3-nacl 1.3.0-5                                        amd64 
Python bindings to libsodium (Python 3)
ii  python3-samba 2:4.13.17~dfsg-0ubuntu0.21.04.2                amd64 
Python 3 bindings for Samba
ii  samba 2:4.13.17~dfsg-0ubuntu0.21.04.2                amd64 SMB/CIFS 
file, print, and login server for Unix
ii  samba-common 2:4.13.17~dfsg-0ubuntu0.21.04.2                all 
common files used by both the Samba server and client
ii  samba-common-bin 2:4.13.17~dfsg-0ubuntu0.21.04.2                
amd64 Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64 
2:4.13.17~dfsg-0ubuntu0.21.04.2                amd64 Samba Directory 
Services Database
ii  samba-libs:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2                
amd64 Samba core libraries
ii  samba-vfs-modules:amd64 
2:4.13.17~dfsg-0ubuntu0.21.04.2                amd64 Samba Virtual 
FileSystem plugins
ii  smbclient 2:4.13.17~dfsg-0ubuntu0.21.04.2                amd64 
command-line SMB/CIFS clients for Unix
ii  sssd-krb5 2.2.3-3ubuntu0.8                               amd64 
System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common 2.2.3-3ubuntu0.8                               
amd64 System Security Services Daemon -- Kerberos helpers
ii  vlc-plugin-samba:amd64                                      amd64 Samba plugin for VLC
ii  winbind 2:4.13.17~dfsg-0ubuntu0.21.04.2                amd64 service 
to resolve user and group information from Windows NT servers


Thanks in advance,


On 11.07.22 11:21, Rowland Penny via samba wrote:
> On Mon, 2022-07-11 at 10:17 +0200, Jonathan Neuhauser via samba wrote:
>> Dear Rowland,
>> thanks for your response! I've tried your krb5.conf without better
>> results. However I noticed that that this time after enabling "name
>> resolve order = wins bcast" and restarting winbind, the error
>> doesn't
>> occur immediately, but requires a restart of the machine (however
>> afterwards, the errors are the same as in my original email). Does
>> this
>> make a difference for you?
>> Jonathan
> I am running Linux Mint LMDE 5 in a VM, just fully updated it (so Samba
> is probably very similar to your 4.13.17) and it still works.
> Can you go here:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> Download the script and run it on your Samba server, post the output
> here in a reply to this, do not attach it, this list strips
> attachments.
> Rowland
Karlsruhe Institute of Technology (KIT)
Institute of Fluid Mechanics (ISTM)

Jonathan Neuhauser MSc.
Scientific Staff

Kaiserstr. 10
76131 Karlsruhe

E-mail: neuhauser∂kit.edu
Web: www.istm.kit.edu

Registered office:
Kaiserstraße 12, 76131 Karlsruhe, Germany

KIT – The Research University in the Helmholtz Association

More information about the samba mailing list