[Samba] name resolve order parameter for security=ads
Jonathan Neuhauser
jonathan.neuhauser at kit.edu
Mon Jul 11 14:07:28 UTC 2022
Dear Rowland,
thanks for your feedback! I don't have permissions to manage trusts on
the example.org domain (for an incoming trust, it looks like one needs
to be a member of Incoming Forest Trust Builders), so at least from a
cursory search, what you're suggesting might not possible for me.
>> # Generated by resolvconf
>> domain subdomain.example.org
>> <here, the DNS resolvers of my domain are listed, which are set by
>> DHCP>
> Yes, but are they in the 'subdomain.example.org' dns domain or in the
> 'example.org' dns domain ?
The DNS resolvers are the central ones of the domain ('example.org').
> Yes, but your realm should be 'SUBDOMAIN.EXAMPLE.ORG'
>
> Rowland
"subdomain.example.org" is only a DNS domain at the moment. My
organisation uses this to avoid name collisions between different
working groups who manage their IT more or less independently, however
there is only once central DNS service for the domain, and only one AD
domain. We have several hundreds of these DNS subdomains, surely the
solution can't be to create and manage an extra DC for each working
group that wants to use samba?
May I ask what would be the consequences of not creating an additional
domain, i.e. what could break? Without the "name resolve order"
parameter, almost everything works fine: kinit, wbinfo -i username,
local login, PAM / NSS integration, permissions, domain groups, SSO from
Windows to access the shares hosted by this host, even SSO for websites
hosted by this host...
The only issue I have with my production config, really, is that login
with a domain account doesn't work after the machine was resumed from
hibernation (but nothing is logged at all). Since login normally works,
I doubt this has something to do with the disjoint namespace situation
that I unfortunately have, and I might create a separate thread for that
at some point.
Thanks in advance,
Jonathan
More information about the samba
mailing list