[Samba] name resolve order parameter for security=ads

Rowland Penny rpenny at samba.org
Mon Jul 11 12:54:26 UTC 2022


On Mon, 2022-07-11 at 14:34 +0200, Jonathan Neuhauser via samba wrote:
> Dear Rowland,
> 
> I had one more idea where my setup might be different from yours - our
> domain uses disjoint namespaces, i.e. my PC is
> "hostname.subdomain.example.org", while the domain is located at
> "example.org".

You have found your problem, Samba (at this time) does not do
subdomains.

You should have set up a new AD domain using 'subdomain.example.org' as
the dns domain (and the REALM in uppercase) and then used trusts
between the two AD domains.


> Anyway, here's the debug info you requested, with relevant parts
> replaced (I hope consistently so):
> 
> Config collected --- 2022-07-11-11:25 -----------
> 
> Hostname:   hostname
> DNS Domain: subdomain.example.org
> Realm:      SUBDOMAIN.EXAMPLE.ORG
> FQDN:       hostname.subdomain.example.org
> ipaddress:  <my.static.ipv4.address> 172.17.0.1 
> <my.temporary.ipv6.address> <my.static.ipv6.address>
> 
> -----------
> 
> Checking file: /etc/resolv.conf
> 
> # Generated by resolvconf
> domain subdomain.example.org
> <here, the DNS resolvers of my domain are listed, which are set by
> DHCP>

Yes, but are they in the 'subdomain.example.org' dns domain or in the
'example.org' dns domain ?

> 
> -----------
> 
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records
> 
> -----------
> 
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.

Sort of says it all.

> 
> -----------
> 
> Checking file: /etc/krb5.conf
> 
> [libdefaults]
>    default_realm = EXAMPLE.ORG

Wrong realm.

>    dns_lookup_realm = false
>    dns_lookup_kdc = true
> 
> -----------
> 
> Checking file: /etc/samba/smb.conf
> 
> [global]
>    # Logging options
>    debug level = 3
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    logging = file
>    panic action = /usr/share/samba/panic-action %d
> 
>    # domain settings
>    security = ADS
>    workgroup = EXAMPLE
>    ntlm auth = no
>    pam password change = no
>    map to guest = bad user
> 
>    # Winbind
>    idmap config *   : backend = tdb
>    idmap config *   : range = 3000 - 7999
>    idmap config EXAMPLE : backend = ad
>    idmap config EXAMPLE : range = 8000 - 9999999
>    idmap config EXAMPLE : unix_nss_info = yes
>    idmap config EXAMPLE : schema_mode = rfc2307
>    idmap config EXAMPLE : unix_primary_group = yes
> 
>    winbind nss info = rfc2307
>    # This parameter controls whether groups should be filled with
>    # usernames, which is slow (sequential request for each group). It is
>    # not needed to evaluate group memberships, so we disable it.
>    winbind expand groups = 0
>    winbind use default domain = yes
>    winbind refresh tickets = yes
>    winbind offline logon = yes
>    winbind enum groups = yes
>    winbind enum users = yes
>    # this doesn't work, since we allow offline logon (for which this
>    # parameter is disabled)
>    # winbind max domain connections = 10
>    # Kerberos
>    kerberos method = system keytab
>    realm = EXAMPLE.ORG

Yes, but your realm should be 'SUBDOMAIN.EXAMPLE.ORG'

Rowland
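
The mismatch Rowland points at (host in subdomain.example.org, realm and default_realm set to EXAMPLE.ORG) can be caught before running kinit by comparing the three places the realm is derived from. The checker below is an added example, not part of the thread or of Samba's own tooling: it parses krb5.conf and smb.conf text, derives the realm the host's DNS domain implies, and reports findings, including the disjoint-namespace case where the host sits in a subdomain of the realm's DNS name. The sample configs are constructed from the values quoted above; the "fixed" variant assumes a separate AD domain for subdomain.example.org, as Rowland suggests.

```python
"""Consistency check for Samba (security = ADS) and Kerberos realm settings.

Added example, not Samba's own code. Parses krb5.conf / smb.conf text and
compares realm, default_realm and the host's DNS domain. Sample inputs are
constructed from the values quoted in the thread, not read from a live host.
"""
import re


def parse_ini(text):
    """Minimal parser for krb5.conf / smb.conf style files.

    Returns {section: {key: value}}; section names and keys are lowercased,
    lines starting with '#' or ';' are comments, values keep their case.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_realm_config(fqdn, krb5_conf, smb_conf):
    """Return a list of findings (strings); an empty list means consistent."""
    _host, _, dns_domain = fqdn.partition(".")
    expected_realm = dns_domain.upper()  # Kerberos realm = DNS domain, uppercased
    krb5 = parse_ini(krb5_conf)
    smb = parse_ini(smb_conf)
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "")
    smb_global = smb.get("global", {})
    smb_realm = smb_global.get("realm", "")
    security = smb_global.get("security", "").lower()
    findings = []
    if security != "ads":
        findings.append(f"security = {security or '(unset)'}; realm checks assume security = ADS")
    if not smb_realm:
        findings.append("smb.conf has no 'realm' setting")
    elif smb_realm != smb_realm.upper():
        findings.append(f"smb.conf realm '{smb_realm}' should be uppercase")
    if default_realm != smb_realm:
        findings.append(f"krb5.conf default_realm '{default_realm}' does not match "
                        f"smb.conf realm '{smb_realm}'")
    if smb_realm and smb_realm != expected_realm:
        realm_dns = smb_realm.lower()
        if dns_domain != realm_dns and dns_domain.endswith("." + realm_dns):
            # The host lives in a subdomain of the AD domain's DNS name:
            # the disjoint-namespace layout Samba does not support here.
            findings.append(f"disjoint namespace: host DNS domain '{dns_domain}' is a subdomain "
                            f"of the realm's DNS domain '{realm_dns}'; expected realm "
                            f"'{expected_realm}'")
        else:
            findings.append(f"smb.conf realm '{smb_realm}' does not match host DNS domain "
                            f"'{dns_domain}' (expected '{expected_realm}')")
    return findings


# Constructed sample input, built from the values quoted in the thread.
SAMPLE_FQDN = "hostname.subdomain.example.org"
SAMPLE_KRB5 = """\
[libdefaults]
   default_realm = EXAMPLE.ORG
   dns_lookup_realm = false
   dns_lookup_kdc = true
"""
SAMPLE_SMB = """\
[global]
   # domain settings
   security = ADS
   workgroup = EXAMPLE
   # Kerberos
   kerberos method = system keytab
   realm = EXAMPLE.ORG
"""
# Assumed layout after a separate AD domain exists for subdomain.example.org.
FIXED_KRB5 = SAMPLE_KRB5.replace("EXAMPLE.ORG", "SUBDOMAIN.EXAMPLE.ORG")
FIXED_SMB = SAMPLE_SMB.replace("EXAMPLE.ORG", "SUBDOMAIN.EXAMPLE.ORG")

if __name__ == "__main__":
    for label, krb5, smb in (("as posted", SAMPLE_KRB5, SAMPLE_SMB),
                             ("after fix", FIXED_KRB5, FIXED_SMB)):
        findings = check_realm_config(SAMPLE_FQDN, krb5, smb)
        print(f"{label}: {'consistent' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the posted values it reports the disjoint-namespace finding; against the fixed pair it reports nothing. The check only compares text, so it complements rather than replaces the SRV-record lookup and kinit that the debug script performs.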
