[Samba] Question about KDC Resolution with Samba
Rowland Penny
rpenny at samba.org
Fri Jan 6 07:41:48 UTC 2023
On 05/01/2023 22:45, Jim Brand via samba wrote:
> I'm running a debug script from this site (Dated 16 Aug 2019, created and maintained by Rowland Penny and Louis van Belle). The script obtains the Linux server DOMAIN by running "hostname -d" which returns "mycorp.com". Next the script runs
>
> nslookup -type=SRV _kerberos._tcp.mycorp.com
>
> which fails
>
> ** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN
>
> and the script exits. However, this is command does return the Windows KDC servers -
>
> nslookup -type=SRV _kerberos._tcp.wgname.ad.mycorp.com
>
> We only have one domain and I have no idea why it was set up this way. (I did modify the script to find the KDC's). Begs the question: Since the script fails, how can I verify Kerberos is working properly with Samba? Running
As 'hostname -d' is returning 'mycorp.com' it would seem that is the dns
domain your computer is in. 'mycorp.com' != 'wgname.ad.mycorp.com'
(which appears to be the dns domain of your DC) and Samba does not do
subdomains or, to put it another way, your clients have to be in the
same dns domain as your DC's.
>
> kinit -V Administrator@WGNAME.AD.MYCORP.COM
> returns:
> Authenticated to Kerberos v5
More proof that you have it wrong
>
> And klist commands show tickets with today's date. We are running CentOS 7, samba-4.10.16-20.el7_9.x86_64
That is a very old version of Samba.
>
> wbinfo -t/-u/-g runs successfully as does wbinfo --getdcname MYCORP
That does surprise me.
>
> No problems so far other than "net ads join" fails, have to use "realm join" instead which messes up smb.conf
You shouldn't use 'realm' with Samba.
>
> smb.conf
> [global]
> kerberos method = system keytab
> log level = 3
> max log size = 5000
> log file = /var/log/samba/log.%h.%m
> template homedir = /home/%U@%D
> template shell = /bin/bash
> security = ads
> realm = WGNAME.AD.MYCORP.COM
As the realm is the dns domain in uppercase, your realm should be
'MYCORP.COM' which would fail because it doesn't exist.
> idmap config MYCORP : range = 1000-2999999
> idmap config MYCORP : backend = ad
> idmap config MYCORP : schema_mode = rfc2307
> idmap config MYCORP : unix_primary_group = yes
> idmap config MYCORP : unix_nss_info = yes
> idmap config * : range = 3000000-39999999
Why such high numbers?
> idmap config * : backend = tdb
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> workgroup = WGNAME
Another problem there, the 'idmap config' lines should be using the
workgroup 'WGNAME', but they seem to be using 'MYCORP', why?
> kpasswd port = 0
I have never changed that port, why have you?
>
> krb5.conf
> # Configuration snippets may be placed in this directory as well
> includedir /etc/krb5.conf.d/
>
> includedir /etc/krb5.conf.d
Samba does not like the 'includedir' line, I would remove it.
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> default_ccache_name = KEYRING:persistent:%{uid}
> default_realm = WGNAME.AD.MYCORP.COM
It might be set as the default realm, but on this machine (at present)
it is wrong.
> dns_lookup_kdc = true
>
> [realms]
> WGNAME.AD.MYCORP.COM = {
> }
> [domain_realm]
> wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
> .wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
>
Rowland
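The thread turns on where the debug script gets the name it feeds to the SRV lookup: 'hostname -d' gave 'mycorp.com', the DCs publish their records under 'wgname.ad.mycorp.com', and the two disagree. The script below is an added example, not the debug script from the thread and not Samba's own code. It takes the realm from smb.conf (via testparm's --parameter-name), lower-cases it into the DNS domain AD publishes under, builds the _kerberos and _ldap._tcp.dc._msdcs SRV names, parses nslookup's SRV output for the DC host names, and reports when the host's DNS domain and the realm's DNS domain differ. The smb.conf fragment, the nslookup output, the 10.0.0.1 resolver and the dc1/dc2 host names are constructed sample data; the live path only runs when RUN_LIVE=1 because it needs testparm, DNS and a reachable DC.

```shell
#!/bin/sh
# Added example, not the debug script from the thread and not Samba's code.
# Drive the KDC SRV check from the realm in smb.conf rather than from
# 'hostname -d', and report a mismatch between the two DNS domains.
# All host names, addresses and sample command output below are constructed.

# AD publishes its SRV records under the realm name in lower case.
realm_to_dnsdomain() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Returns 0 when two names denote the same DNS domain (case-insensitive).
same_dns_domain() {
    [ "$(realm_to_dnsdomain "$1")" = "$(realm_to_dnsdomain "$2")" ]
}

# The SRV names an AD-joined Kerberos client has to be able to resolve.
kdc_srv_names() {
    d=$(realm_to_dnsdomain "$1")
    printf '_kerberos._tcp.%s\n_kerberos._udp.%s\n_ldap._tcp.dc._msdcs.%s\n' "$d" "$d" "$d"
}

# Pull 'realm =' out of smb.conf text on stdin (first match, whitespace stripped).
realm_from_smbconf() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' | head -n 1 | tr -d '[:space:]'
}

# Extract the target host names from 'nslookup -type=SRV' output on stdin.
# BIND's nslookup prints: <name>  service = <prio> <weight> <port> <target>.
srv_targets() {
    awk '/service = / { sub(/\.$/, "", $NF); print $NF }'
}

# Constructed sample inputs (not taken from the original post).
SAMPLE_SMBCONF='[global]
   security = ads
   realm = WGNAME.AD.MYCORP.COM
   workgroup = WGNAME'

SAMPLE_NSLOOKUP='Server:   10.0.0.1
Address:  10.0.0.1#53

_kerberos._tcp.wgname.ad.mycorp.com  service = 0 100 88 dc1.wgname.ad.mycorp.com.
_kerberos._tcp.wgname.ad.mycorp.com  service = 0 100 88 dc2.wgname.ad.mycorp.com.'

# Live check: needs testparm, DNS and a reachable DC, so only runs with RUN_LIVE=1.
check_kdc_live() {
    realm=$(testparm -s --parameter-name realm 2>/dev/null)
    if [ -z "$realm" ]; then
        echo "FAIL: no 'realm' set in smb.conf"; return 1
    fi
    hostdom=$(hostname -d)
    if ! same_dns_domain "$hostdom" "$realm"; then
        echo "NOTE: host DNS domain '$hostdom' differs from realm '$realm'"
    fi
    rc=0
    for name in $(kdc_srv_names "$realm"); do
        targets=$(nslookup -type=SRV "$name" 2>/dev/null | srv_targets | tr '\n' ' ')
        if [ -z "$targets" ]; then
            echo "FAIL: no SRV records for $name"; rc=1
        else
            echo "OK:   $name -> $targets"
        fi
    done
    # With SRV resolution confirmed, verify the keytab and the join end to end.
    klist -k >/dev/null 2>&1 && net ads testjoin || rc=1
    return $rc
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_kdc_live
else
    realm=$(printf '%s\n' "$SAMPLE_SMBCONF" | realm_from_smbconf)
    echo "realm from smb.conf: $realm"
    kdc_srv_names "$realm"
    printf '%s\n' "$SAMPLE_NSLOOKUP" | srv_targets
fi
```

Run it as-is to see the parsing on the constructed sample, or as RUN_LIVE=1 on a joined member to see which of the three SRV names resolve; a "NOTE" line with no "FAIL" lines is exactly the situation the original poster describes, where the host sits in one DNS domain and the DCs answer under another.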