[Samba] name resolve order parameter for security=ads
Jonathan Neuhauser
jonathan.neuhauser at kit.edu
Mon Jul 11 12:34:40 UTC 2022
Dear Rowland,
I had one more idea where my setup might be different from yours - our
domain uses disjoint namespaces, i.e. my PC is
"hostname.subdomain.example.org", while the domain is located at
"example.org". Anyway, here's the debug info you requested, with
relevant parts replaced (I hope consistently so):
Config collected --- 2022-07-11-11:25 -----------
Hostname: hostname
DNS Domain: subdomain.example.org
Realm: SUBDOMAIN.EXAMPLE.ORG
FQDN: hostname.subdomain.example.org
ipaddress: <my.static.ipv4.address> 172.17.0.1
<my.temporary.ipv6.address> <my.static.ipv6.address>
-----------
This computer is running Ubuntu 20.04.4 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
state UP group default qlen 1000
link/ether <my:mac:address> brd ff:ff:ff:ff:ff:ff
inet <my.static.ipv4.address>/26 brd <my.subnet.broadcast.address>
scope global dynamic noprefixroute enp4s0
valid_lft 2906sec preferred_lft 2906sec
inet6 <my.temporary.ipv6.address>/64 scope global dynamic
mngtmpaddr noprefixroute
valid_lft 2591940sec preferred_lft 604740sec
inet6 <my.static.ipv6.address>/64 scope global dynamic noprefixroute
valid_lft 2591940sec preferred_lft 604740sec
inet6 fe80::785b:6c9a:15e2:1646/64 scope link noprefixroute
inet6 fe80::f22f:74ff:fe1e:32c8/64 scope link noprefixroute
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
<my.static.ipv4.address> hostname.subdomain.example.org
hostname.subdomain.example.org hostname hostname
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
-----------
Checking file: /etc/resolv.conf
# Generated by resolvconf
domain subdomain.example.org
<here, the DNS resolvers of my domain are listed, which are set by DHCP>
-----------
WARNING: 'kinit Administrator' will fail, you need to fix this.
Unable to verify DNS kerberos._tcp SRV records
-----------
'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.
-----------
Samba is running as a Unix domain member
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: files
sudoers: files
-----------
Checking file: /etc/samba/smb.conf
[global]
# Logging options
debug level = 3
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
# domain settings
security = ADS
workgroup = EXAMPLE
ntlm auth = no
pam password change = no
map to guest = bad user
# Winbind
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 8000 - 9999999
idmap config EXAMPLE : unix_nss_info = yes
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : unix_primary_group = yes
winbind nss info = rfc2307
# This parameter controls whether groups should be filled with usernames, which is slow (sequential request for each group). It is not needed to evaluate group memberships, so we disable it.
winbind expand groups = 0
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = yes
winbind enum users = yes
# this doesn't work, since we allow offline logon (for which this parameter is disabled)
# winbind max domain connections = 10
# Kerberos
kerberos method = system keytab
realm = EXAMPLE.ORG
template homedir = /home/ws/%U
template shell = /bin/bash
# include this file where we define shares (via ansible)
include = /etc/samba/shares.conf
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Checking file: /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-----------
This Unix domain member is using 'winbind' in /etc/nsswitch.conf.
-----------
Time on the DC with PDC Emulator role is: 2022-07-11T11:25:40
Time on this computer is: 2022-07-11T11:25:40
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii acl 2.2.53-6 amd64 access
control list - utilities
ii attr 1:2.4.48-5 amd64 utilities
for manipulating filesystem extended attributes
ii fonts-quicksand 0.2016-2 all
sans-serif font with round attributes
ii kde-spectacle 19.12.3-1ubuntu1 amd64
Screenshot capture utility
ii krb5-config 2.6ubuntu1 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.1 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-6ubuntu4.1 amd64 basic
programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64
extended attribute handling - shared library
ii libgssapi-krb5-2:amd64
1.17-6ubuntu4.1 amd64 MIT Kerberos
runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64
7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos -
libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1
amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.1
amd64 MIT Kerberos runtime libraries - Support library
ii libnfs13:amd64 4.0.0-1
amd64 NFS client library (shared library)
ii libnfsidmap2:amd64 0.25-5.1ubuntu1
amd64 NFS idmapping library
ii libnss-winbind:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2
amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-2ubuntu1
amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2
amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2
amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2
amd64 Samba winbind client library
ii nfs-common 1:1.3.4-2.5ubuntu3.4
amd64 NFS support files common to client and server
ii nfs-kernel-server 1:1.3.4-2.5ubuntu3.4
amd64 support for NFS kernel server
ii python3-attr 19.3.0-2 all
Attributes without boilerplate (Python 3)
ii python3-nacl 1.3.0-5 amd64
Python bindings to libsodium (Python 3)
ii python3-samba 2:4.13.17~dfsg-0ubuntu0.21.04.2 amd64
Python 3 bindings for Samba
ii samba 2:4.13.17~dfsg-0ubuntu0.21.04.2 amd64 SMB/CIFS
file, print, and login server for Unix
ii samba-common 2:4.13.17~dfsg-0ubuntu0.21.04.2 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.13.17~dfsg-0ubuntu0.21.04.2
amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64
2:4.13.17~dfsg-0ubuntu0.21.04.2 amd64 Samba Directory
Services Database
ii samba-libs:amd64 2:4.13.17~dfsg-0ubuntu0.21.04.2
amd64 Samba core libraries
ii samba-vfs-modules:amd64
2:4.13.17~dfsg-0ubuntu0.21.04.2 amd64 Samba Virtual
FileSystem plugins
ii smbclient 2:4.13.17~dfsg-0ubuntu0.21.04.2 amd64
command-line SMB/CIFS clients for Unix
ii sssd-krb5 2.2.3-3ubuntu0.8 amd64
System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 2.2.3-3ubuntu0.8
amd64 System Security Services Daemon -- Kerberos helpers
ii vlc-plugin-samba:amd64
3.0.9.2-1 amd64 Samba plugin for VLC
ii winbind 2:4.13.17~dfsg-0ubuntu0.21.04.2 amd64 service
to resolve user and group information from Windows NT servers
-----------
Thanks in advance,
Jonathan
On 11.07.22 11:21, Rowland Penny via samba wrote:
> On Mon, 2022-07-11 at 10:17 +0200, Jonathan Neuhauser via samba wrote:
>> Dear Rowland,
>>
>> thanks for your response! I've tried your krb5.conf without better
>> results. However I noticed that this time after enabling "name
>> resolve order = wins bcast" and restarting winbind, the error
>> doesn't
>> occur immediately, but requires a restart of the machine (however
>> afterwards, the errors are the same as in my original email). Does
>> this
>> make a difference for you?
>>
>> Jonathan
> I am running Linux Mint LMDE 5 in a VM, just fully updated it (so Samba
> is probably very similar to your 4.13.17) and it still works.
>
> Can you go here:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Download the script and run it on your Samba server, post the output
> here in a reply to this, do not attach it, this list strips
> attachments.
>
> Rowland
>
>
>
--
Karlsruhe Institute of Technology (KIT)
Institute of Fluid Mechanics (ISTM)
Jonathan Neuhauser MSc.
Scientific Staff
Kaiserstr. 10
76131 Karlsruhe
E-mail: neuhauser∂kit.edu
Web: www.istm.kit.edu
Registered office:
Kaiserstraße 12, 76131 Karlsruhe, Germany
KIT – The Research University in the Helmholtz Association
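The disjoint-namespace situation described in the message (host in subdomain.example.org, realm EXAMPLE.ORG) can be checked mechanically. The following is an added example, not code from the thread or from Samba: it parses constructed smb.conf and krb5.conf fragments built from the values posted above, reports whether the Samba realm and the Kerberos default_realm agree, whether the host's DNS domain differs from the realm, whether `name resolve order` still contains `host` (Samba's default order is `lmhosts wins host bcast`), and which SRV names a domain member has to resolve for that realm.

```python
import configparser

# Constructed config fragments (not the poster's full files), using the values
# shown in the thread: host in subdomain.example.org, realm EXAMPLE.ORG.
SMB_CONF = """\
[global]
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.ORG
"""
SMB_CONF_WINS = SMB_CONF + "name resolve order = wins bcast\n"

KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
"""

def parse_ini(text):
    # smb.conf and krb5.conf are INI-style; keys are matched case-insensitively.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def check_realm_setup(smb_conf_text, krb5_conf_text, dns_domain):
    smb = parse_ini(smb_conf_text)
    krb = parse_ini(krb5_conf_text)
    realm = smb.get("global", "realm").strip().upper()
    default_realm = krb.get("libdefaults", "default_realm").strip().upper()
    # Samba's default order is "lmhosts wins host bcast"; "host" is the libc
    # resolver (DNS via /etc/nsswitch.conf), so dropping it removes DNS lookups
    # from NetBIOS-style name resolution.
    order = smb.get("global", "name resolve order", fallback="lmhosts wins host bcast")
    return {
        "realm_matches_krb5": realm == default_realm,
        # Disjoint namespace: the host's DNS domain is not the realm's DNS name.
        "disjoint_namespace": dns_domain.lower() != realm.lower(),
        "dns_lookup_kdc": krb.getboolean("libdefaults", "dns_lookup_kdc", fallback=False),
        "name_resolve_has_host": "host" in order.split(),
        # SRV names an AD member must resolve to find KDCs/DCs: they live under
        # the realm's DNS name, not under the member's own DNS domain.
        "srv_records": [
            f"_kerberos._tcp.{realm.lower()}",
            f"_ldap._tcp.dc._msdcs.{realm.lower()}",
        ],
    }

if __name__ == "__main__":
    for name, conf in (("default order", SMB_CONF), ("wins bcast", SMB_CONF_WINS)):
        print(name, check_realm_setup(conf, KRB5_CONF, "subdomain.example.org"))
```

The SRV names it prints are what `host -t SRV` or `dig SRV` should be run against from the member; the debug script's "Unable to verify DNS kerberos._tcp SRV records" line indicates that lookup is what fails here.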