[Samba] name resolve order parameter for security=ads
Rowland Penny
rpenny at samba.org
Mon Jul 11 12:54:26 UTC 2022
On Mon, 2022-07-11 at 14:34 +0200, Jonathan Neuhauser via samba wrote:
> Dear Rowland,
>
> I had one more idea where my setup might be different from yours -
> our
> domain uses disjoint namespaces, i.e. my PC is
> "hostname.subdomain.example.org", while the domain is located at
> "example.org".
You have found your problem, Samba (at this time) does not do
subdomains.
You should have set up a new AD domain using 'subdomain.example.org' as
the dns domain (and the REALM in uppercase) and then used trusts
between the two AD domains.
> Anyway, here's the debug info you requested, with
> relevant parts replaced (I hope consistently so):
>
> Config collected --- 2022-07-11-11:25 -----------
>
> Hostname: hostname
> DNS Domain: subdomain.example.org
> Realm: SUBDOMAIN.EXAMPLE.ORG
> FQDN: hostname.subdomain.example.org
> ipaddress: <my.static.ipv4.address> 172.17.0.1
> <my.temporary.ipv6.address> <my.static.ipv6.address>
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by resolvconf
> domain subdomain.example.org
> <here, the DNS resolvers of my domain are listed, which are set by
> DHCP>
Yes, but are they in the 'subdomain.example.org' dns domain or in the
'example.org' dns domain?
>
> -----------
>
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records
>
> -----------
>
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
Sort of says it all.
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = EXAMPLE.ORG
Wrong realm.
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
> # Logging options
> debug level = 3
> log file = /var/log/samba/log.%m
> max log size = 1000
> logging = file
> panic action = /usr/share/samba/panic-action %d
>
> # domain settings
> security = ADS
> workgroup = EXAMPLE
> ntlm auth = no
> pam password change = no
> map to guest = bad user
>
> # Winbind
> idmap config * : backend = tdb
> idmap config * : range = 3000 - 7999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 8000 - 9999999
> idmap config EXAMPLE : unix_nss_info = yes
> idmap config EXAMPLE : schema_mode = rfc2307
> idmap config EXAMPLE : unix_primary_group = yes
>
> winbind nss info = rfc2307
> # This parameter controls whether groups should be filled with
> usernames, which is slow (sequential request for each group). It is
> not
> needed to evaluate group memberships, so we disable it.
> winbind expand groups = 0
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = yes
> winbind enum users = yes
> # this doesn't work, since we allow offline logon (for which this
> parameter is disabled)
> # winbind max domain connections = 10
> # Kerberos
> kerberos method = system keytab
> realm = EXAMPLE.ORG
Yes, but your realm should be 'SUBDOMAIN.EXAMPLE.ORG'
Rowland
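The mismatch Rowland points at (machine in subdomain.example.org, but krb5.conf and smb.conf both set to EXAMPLE.ORG) is easy to catch before joining. The checker below is an added example, not part of this thread and not a Samba tool; it assumes the rule Rowland states, that a domain member's realm must be its own DNS domain in upper case, and it parses only the simple key = value layout shown above (no include directives, no smb.conf % macros). The sample config texts are constructed from the values quoted in the email.

```python
import re

# Constructed from the values quoted in the thread (the broken state).
SAMPLE_FQDN = "hostname.subdomain.example.org"
SAMPLE_KRB5 = """[libdefaults]
default_realm = EXAMPLE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
"""
SAMPLE_SMB = """[global]
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.ORG
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 8000 - 9999999
"""


def parse_ini(text):
    """Parse smb.conf / krb5.conf style text into {section: {key: value}}.

    Simplified on purpose: '#' and ';' start a comment anywhere on the line,
    keys are lower-cased with whitespace collapsed, no include handling.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.split()).lower()
            sections[current][key] = value.strip()
    return sections


def expected_realm_for(fqdn):
    """A domain member's realm is its own DNS domain, upper-cased (Rowland's rule)."""
    _host, _, dns_domain = fqdn.partition(".")
    return dns_domain.upper()


def check_realm_consistency(fqdn, krb5_text, smb_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    expected = expected_realm_for(fqdn)
    krb5 = parse_ini(krb5_text)
    smb = parse_ini(smb_text)

    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("krb5.conf: no default_realm in [libdefaults]")
    elif default_realm.upper() != expected:
        findings.append(
            f"krb5.conf: default_realm {default_realm} does not match "
            f"the DNS domain of {fqdn} (expected {expected})"
        )

    g = smb.get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: security is not 'ads'; kinit-based checks do not apply")
    realm = g.get("realm")
    if realm is None:
        findings.append("smb.conf: no 'realm' in [global]")
    elif realm.upper() != expected:
        findings.append(
            f"smb.conf: realm {realm} does not match the DNS domain of {fqdn} "
            f"(expected {expected})"
        )
    # The two files must agree with each other as well as with DNS.
    if default_realm and realm and default_realm.upper() != realm.upper():
        findings.append("krb5.conf default_realm and smb.conf realm disagree")
    # A domain-specific idmap backend should exist for the workgroup.
    workgroup = g.get("workgroup")
    if workgroup and f"idmap config {workgroup.lower()} : backend" not in g:
        findings.append(f"smb.conf: no 'idmap config {workgroup} : backend' line")
    return findings


if __name__ == "__main__":
    for f in check_realm_consistency(SAMPLE_FQDN, SAMPLE_KRB5, SAMPLE_SMB) or ["OK"]:
        print(f)
```

Run against the quoted configuration it reports two findings, one per file, both pointing at EXAMPLE.ORG where SUBDOMAIN.EXAMPLE.ORG was expected; with both realms corrected it reports nothing. It deliberately does no DNS lookups, so it complements rather than replaces the `_kerberos._tcp` SRV check in the diagnostic output above.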