[Samba] Question about KDC Resolution with Samba

Jim Brand JHBRAND at up.com
Thu Jan 5 22:45:35 UTC 2023

I'm running a debug script from this site (Dated 16 Aug 2019, created and maintained by Rowland Penny and Louis van Belle).  The script obtains the Linux server DOMAIN by running "hostname -d" which returns "mycorp.com".  Next the script runs

nslookup -type=SRV _kerberos._tcp.mycorp.com

which fails

** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN

and the script exits.  However, this is command does return the Windows KDC servers -

nslookup -type=SRV _kerberos._tcp.wgname.ad.mycorp.com

We only have one domain and I have no idea why it was set up this way. (I did modify the script to find the KDCs.) This begs the question: since the script fails, how can I verify Kerberos is working properly with Samba? Running

kinit -V Administrator@WGNAME.AD.MYCORP.COM
Authenticated to Kerberos v5

and klist commands show tickets with today's date. We are running CentOS 7 with samba-4.10.16-20.el7_9.x86_64.

wbinfo -t/-u/-g run successfully, as does wbinfo --getdcname MYCORP.

No problems so far, other than that "net ads join" fails; I have to use "realm join" instead, which messes up smb.conf:

[global]
kerberos method = system keytab
log level = 3
max log size = 5000
log file = /var/log/samba/log.%h.%m
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
idmap config MYCORP : range = 1000-2999999
idmap config MYCORP : backend = ad
idmap config MYCORP : schema_mode = rfc2307
idmap config MYCORP : unix_primary_group = yes
idmap config MYCORP : unix_nss_info = yes
idmap config * : range = 3000000-39999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
workgroup = WGNAME
kpasswd port = 0

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /etc/krb5.conf.d

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = WGNAME.AD.MYCORP.COM
 dns_lookup_kdc = true

[domain_realm]
 wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
 .wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM

Jim Brand
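An added example, not the debug script from the post nor Samba's own code: a small Python helper that derives the SRV names to query from krb5.conf's default_realm and domain_realm mappings first, and only then falls back to the hostname's domain and each parent above it, then parses the answers from nslookup. The krb5.conf fragment and the nslookup output in the test are constructed; the live lookup assumes nslookup is on PATH.

```python
# Added example (not the post's script): pick Kerberos SRV names from krb5.conf.
import re
import subprocess
_SRV_LINE = re.compile(r"service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")  # nslookup SRV line

# Constructed krb5.conf fragment modelled on the post (values are hypothetical).
KRB5_SAMPLE = """[libdefaults]
 default_realm = WGNAME.AD.MYCORP.COM
[domain_realm]
 .wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
"""

def parse_krb5_conf(text):
    """Minimal reader: top-level 'key = value' per section; brace blocks skipped."""
    sections, current, depth = {}, None, 0
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("#", "includedir")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current, depth = line[1:-1], 0
            continue
        depth += line.count("{") - line.count("}")
        if current is not None and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def kdc_srv_candidates(hostname_domain, krb5_conf_text):
    """SRV names to try, most specific first: realm, domain_realm, then hostname_domain and its parents."""
    conf = parse_krb5_conf(krb5_conf_text)
    names = [conf.get("libdefaults", {}).get("default_realm", "").lower()]
    names += [d.lstrip(".").lower() for d in conf.get("domain_realm", {})]
    labels = hostname_domain.strip(".").lower().split(".")
    while len(labels) >= 2:                  # stop before the bare TLD
        names.append(".".join(labels))
        labels = labels[1:]
    return ["_kerberos._tcp." + n for n in dict.fromkeys(names) if n]

def parse_nslookup_srv(output):
    """(priority, weight, port, target) tuples; an NXDOMAIN answer yields []."""
    hits = (_SRV_LINE.search(l.strip()) for l in output.splitlines())
    return sorted((int(m[1]), int(m[2]), int(m[3]), m[4]) for m in hits if m)

def find_kdcs(hostname_domain, krb5_conf_text, run=None):
    """Query candidates in order; `run` is injectable so DNS can be faked offline."""
    run = run or (lambda n: subprocess.run(["nslookup", "-type=SRV", n],
                                           capture_output=True, text=True).stdout)
    for name in kdc_srv_candidates(hostname_domain, krb5_conf_text):
        records = parse_nslookup_srv(run(name))
        if records:
            return name, records
    return None, []
```

With the post's setup, `find_kdcs("mycorp.com", open("/etc/krb5.conf").read())` tries _kerberos._tcp.wgname.ad.mycorp.com before _kerberos._tcp.mycorp.com, so the realm's KDCs are found even though `hostname -d` returns the parent domain.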

