[Samba] Question about KDC Resolution with Samba

Rowland Penny rpenny at samba.org
Fri Jan 6 07:41:48 UTC 2023



On 05/01/2023 22:45, Jim Brand via samba wrote:
> I'm running a debug script from this site (Dated 16 Aug 2019, created and maintained by Rowland Penny and Louis van Belle).  The script obtains the Linux server DOMAIN by running "hostname -d" which returns "mycorp.com".  Next the script runs
> 
> nslookup -type=SRV _kerberos._tcp.mycorp.com
> 
> which fails
> 
> ** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN
> 
> and the script exits.  However, this is command does return the Windows KDC servers -
> 
> nslookup -type=SRV _kerberos._tcp.wgname.ad.mycorp.com
> 
> We only have one domain and I have no idea why it was set up this way.  (I did modify the script to find the KDC's).  Begs the question:  Since the script fails, how can I verify Kerberos is working properly with Samba?  Running

As 'hostname -d' is returning 'mycorp.com' it would seem that is the dns 
domain your computer is in. 'mycorp.com' != 'wgname.ad.mycorp.com' 
(which appears to be the dns domain of your DC) and Samba does not do 
subdomains or to put it another way, your clients have to be in the 
same dns domain as your DC's.

> 
> kinit -V Administrator@WGNAME.AD.MYCORP.COM
> returns:
> Authenticated to Kerberos v5

More proof that you have it wrong

> 
> And klist commands show tickets with today's date.  We are running CentOS 7, samba-4.10.16-20.el7_9.x86_64

That is a very old version of Samba.

> 
> wbinfo -t/-u/-g runs successfully as does wbinfo --getdcname MYCORP

That does surprise me.

> 
> No problems so far other than "net ads join" fails, have to use "realm join" instead which messes up smb.conf

You shouldn't use 'realm' with Samba.

> 
> smb.conf
> [global]
> kerberos method = system keytab
> log level = 3
> max log size = 5000
> log file = /var/log/samba/log.%h.%m
> template homedir = /home/%U@%D
> template shell = /bin/bash
> security = ads
> realm = WGNAME.AD.MYCORP.COM

As the realm is the dns domain in uppercase, your realm should be 
'MYCORP.COM' which would fail because it doesn't exist.

> idmap config MYCORP : range = 1000-2999999
> idmap config MYCORP : backend = ad
> idmap config MYCORP : schema_mode = rfc2307
> idmap config MYCORP : unix_primary_group = yes
> idmap config MYCORP : unix_nss_info = yes
> idmap config * : range = 3000000-39999999

Why such high numbers ?

> idmap config * : backend = tdb
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> workgroup = WGNAME

Another problem there, the 'idmap config' lines should be using the 
workgroup 'WGNAME', but they seem to be using 'MYCORP', why ?

> kpasswd port = 0

I have never changed that port, why have you ?

> 
> krb5.conf
> # Configuration snippets may be placed in this directory as well
> includedir /etc/krb5.conf.d/
> 
> includedir /etc/krb5.conf.d

Samba does not like the 'includedir' line, I would remove it.

> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> default_ccache_name = KEYRING:persistent:%{uid}
> default_realm = WGNAME.AD.MYCORP.COM

It might be set as the default realm, but on this machine (at present) 
it is wrong.

> dns_lookup_kdc = true
> 
> [realms]
> WGNAME.AD.MYCORP.COM = {
> }
> [domain_realm]
> wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
> .wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
> 

Rowland
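The mismatches Rowland points out above (host DNS domain vs. realm, and 'idmap config' domain vs. workgroup) can be checked mechanically. The following Python script is an added example, not the debug script or any code from the thread; the embedded smb.conf is a constructed sample modelled on the one quoted above.

```python
import re

# Constructed sample modelled on the smb.conf quoted in the thread (not the poster's file).
SAMPLE_SMB_CONF = """
[global]
    security = ads
    realm = WGNAME.AD.MYCORP.COM
    workgroup = WGNAME
    idmap config MYCORP : range = 1000-2999999
    idmap config MYCORP : backend = ad
    idmap config * : range = 3000000-39999999
    idmap config * : backend = tdb
"""

def parse_global(smb_conf):
    """Return the [global] parameters; keys are lower-cased with whitespace collapsed."""
    section, params = None, {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'global' and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            params[re.sub(r'\s+', ' ', key.lower())] = value
    return params

def kdc_srv_name(realm):
    """DNS SRV name a Kerberos client queries to locate the KDCs of a realm."""
    return '_kerberos._tcp.' + realm.lower()

def check(params, host_dns_domain):
    """Compare realm, workgroup and idmap domains with the host's DNS domain
    (the output of 'hostname -d'). Returns a list of problems; empty means consistent."""
    problems = []
    realm, workgroup = params.get('realm', ''), params.get('workgroup', '')
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper-case")
    if realm.lower() != host_dns_domain.lower():
        problems.append(f"host is in DNS domain {host_dns_domain!r} but realm is {realm!r}; "
                        f"a lookup of {kdc_srv_name(host_dns_domain)} will not find the KDCs")
    # every 'idmap config <DOMAIN> : ...' line should name the workgroup (or '*')
    idmap_domains = set()
    for key in params:
        m = re.match(r'idmap config (\S+) :', key)
        if m:
            idmap_domains.add(m.group(1))
    for dom in sorted(idmap_domains - {'*', workgroup.lower()}):
        problems.append(f"idmap config domain {dom.upper()!r} does not match workgroup {workgroup!r}")
    return problems

if __name__ == '__main__':
    for problem in check(parse_global(SAMPLE_SMB_CONF), 'mycorp.com'):
        print('PROBLEM:', problem)
```

Run it with the real file and the output of `hostname -d` to see whether the KDC SRV lookup the debug script performs can succeed at all.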
