[Samba] Question about KDC Resolution with Samba
Jim Brand
JHBRAND at up.com
Sun Jan 8 14:39:15 UTC 2023
> nslookup -type=SRV _kerberos._tcp.mycorp.com
>
> ** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN
>
As 'hostname -d' is returning 'mycorp.com' it would seem that is the dns
domain your computer is in. 'mycorp.com' != 'wgname.ad.mycorp.com'
(which appears to be the dns domain of your DC) and Samba does not do
subdomains or, to put it another way, your clients have to be in the
same dns domain as your DC's.
I'm pursuing this with our Windows AD administrators.
>
> kinit -V Administrator at WGNAME.AD.MYCORP.COM
> returns:
> Authenticated to Kerberos v5
More proof that you have it wrong
What should kinit -V return?
>
> And klist commands show tickets with today's date. We are running CentOS 7, samba-4.10.16-20.el7_9.x86_64
That is a very old version of Samba.
Agreed! Downloading and making a newer version is on my to-do list. Need to thoroughly test all dependencies.
>
> wbinfo -t/-u/-g runs successfully as does wbinfo --getdcname MYCORP
That does surprise me.
Me too, but I don't argue with success.
(BTW those wbinfo commands start to fail along with Samba a few days after joining AD on our CentOS 6 servers. Not going to trouble you with that here, other than to ask what version of Samba 4 would you recommend we try using on Linux 6?)
>
> No problems so far other than "net ads join" fails, have to use "realm join" instead which messes up smb.conf
You shouldn't use 'realm' with Samba.
I've gathered as much but why?
>
> smb.conf
> [global]
> kerberos method = system keytab
> log level = 3
> max log size = 5000
> log file = /var/log/samba/log.%h.%m
> template homedir = /home/%U@%D
> template shell = /bin/bash
> security = ads
> realm = WGNAME.AD.MYCORP.COM
As the realm is the dns domain in uppercase, your realm should be
'MYCORP.COM' which would fail because it doesn't exist.
> idmap config MYCORP : range = 1000-2999999
> idmap config MYCORP : backend = ad
> idmap config MYCORP : schema_mode = rfc2307
> idmap config MYCORP : unix_primary_group = yes
> idmap config MYCORP : unix_nss_info = yes
> idmap config * : range = 3000000-39999999
Why such high numbers ?
My understanding is that "idmap config WGNAME" should be the range of all possible UIDs assigned by our enterprise [in AD]. That was the range given to me.
And "idmap config *" is a catch all for any users that don't fit under the above specified range.
> idmap config * : backend = tdb
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> workgroup = WGNAME
Another problem there, the 'idmap config' lines should be using the
workgroup 'WGNAME', but they seem to be using 'MYCORP', why?
My error when I sanitized the file. Those 'idmap config' entries are using 'WGNAME' instead of 'MYCORP'.
> kpasswd port = 0
I have never changed that port, why have you ?
This was done to mitigate https://www.samba.org/samba/security/CVE-2022-32744.html
Later found not necessary since our KDC's are on Windows, not Linux.
Just never removed it but will do so.
>
> krb5.conf
> # Configuration snippets may be placed in this directory as well
> includedir /etc/krb5.conf.d/
>
> includedir /etc/krb5.conf.d
Samba does not like the 'includedir' line, I would remove it.
Will remove 'includedir'.
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> default_ccache_name = KEYRING:persistent:%{uid}
> default_realm = WGNAME.AD.MYCORP.COM
It might be set as the default realm, but on this machine (at present)
it is wrong.
> dns_lookup_kdc = true
>
> [realms]
> WGNAME.AD.MYCORP.COM = {
> }
> [domain_realm]
> wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
> .wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
>
Rowland
Thanks,
Jim Brand
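An added example, not code from the thread or from the Samba project, that turns the points raised above into an offline check: the realm is the AD DNS domain in upper case and (per Rowland's advice) should match the member's own DNS domain, every `idmap config` label other than `*` must be the workgroup name, the idmap ranges must not overlap, `kpasswd port = 0` is only meaningful on a Samba DC, and the `_kerberos._tcp.<realm>` SRV record must resolve. The smb.conf text is a constructed sample modelled on the sanitized one posted (with the MYCORP/WGNAME mix-up left in), the resolver is a stub table so the script runs without DNS, and all function names are my own.

```python
"""Offline sanity checks for a Samba AD domain-member smb.conf.

Added example, not code from the thread or from Samba. The smb.conf text is a
constructed sample modelled on the sanitized one posted; the DNS resolver is a
stub so everything runs offline. All function names are my own.
"""
import re
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]                 # (severity, message)
SrvResolver = Callable[[str], List[str]]  # SRV name -> list of targets

# Constructed sample: the idmap labels deliberately say MYCORP instead of the
# workgroup WGNAME, which is the mismatch the thread turned up.
SAMPLE_SMB_CONF = """
[global]
   kerberos method = system keytab
   security = ads
   realm = WGNAME.AD.MYCORP.COM
   workgroup = WGNAME
   idmap config MYCORP : range = 1000-2999999
   idmap config MYCORP : backend = ad
   idmap config * : range = 3000000-39999999
   idmap config * : backend = tdb
   kpasswd port = 0
"""

IDMAP_RE = re.compile(r"^idmap config (\S+) : (\w+)$")


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters; keys lower-cased with whitespace collapsed."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def idmap_ranges(params: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Map each 'idmap config <label> : range' value to a (low, high) pair."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m and m.group(2) == "range":
            low, high = (int(x) for x in value.split("-", 1))
            ranges[m.group(1)] = (low, high)
    return ranges


def run_checks(smb_conf: str, host_dns_domain: str, resolve_srv: SrvResolver) -> List[Finding]:
    """Apply the checks discussed in the thread; return (severity, message) findings."""
    p = parse_global(smb_conf)
    realm, workgroup = p.get("realm", ""), p.get("workgroup", "")
    out: List[Finding] = []

    # Realm is the AD DNS domain in upper case; the thread's advice is that the
    # member's own DNS domain (hostname -d) should be that same domain.
    if realm != realm.upper():
        out.append(("error", f"realm '{realm}' must be upper case"))
    if host_dns_domain.lower() != realm.lower():
        out.append(("warn", f"host DNS domain '{host_dns_domain}' differs from realm '{realm}'"))

    # idmap labels other than '*' must be the workgroup (NetBIOS domain) name.
    ranges = idmap_ranges(p)
    for label in ranges:
        if label != "*" and label.upper() != workgroup.upper():
            out.append(("error", f"idmap config label '{label}' is not the workgroup '{workgroup}'"))
    if "*" not in ranges:
        out.append(("error", "missing 'idmap config * : range' catch-all"))

    # Ranges must not overlap, or the same ID could be handed out twice.
    labels = list(ranges)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                out.append(("error", f"idmap ranges for '{a}' and '{b}' overlap"))

    # The CVE-2022-32744 mitigation only matters where Samba itself is the KDC.
    if p.get("kpasswd port") == "0":
        out.append(("info", "'kpasswd port = 0' is only meaningful on a Samba AD DC, not a member"))

    # kinit and net ads find the KDC through this SRV record; NXDOMAIN is fatal.
    srv = f"_kerberos._tcp.{realm.lower()}"
    if not resolve_srv(srv):
        out.append(("error", f"no SRV record for {srv}"))
    return out


def stub_resolver(records: Dict[str, List[str]]) -> SrvResolver:
    """Build an offline SRV resolver from a constructed name -> targets table."""
    return lambda name: records.get(name.lower(), [])


if __name__ == "__main__":
    resolver = stub_resolver({"_kerberos._tcp.wgname.ad.mycorp.com": ["dc1.wgname.ad.mycorp.com."]})
    for severity, message in run_checks(SAMPLE_SMB_CONF, "mycorp.com", resolver):
        print(f"{severity:5s} {message}")
```

Against the sample it reports one error (the MYCORP idmap labels), one warning (the host's DNS domain `mycorp.com` is not the realm) and one informational note about `kpasswd port`; with the labels changed to WGNAME and that line removed it reports nothing. To run it on a real member, pass the contents of /etc/samba/smb.conf, the output of `hostname -d`, and a resolver that calls `dns.resolver.resolve(name, "SRV")` from dnspython instead of the stub table.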