[Samba] Question about KDC Resolution with Samba

Jim Brand JHBRAND at up.com
Sun Jan 8 14:39:15 UTC 2023


> nslookup -type=SRV _kerberos._tcp.mycorp.com

>

> ** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN

>



As 'hostname -d' is returning 'mycorp.com' it would seem that is the dns

domain your computer is in. 'mycorp.com' != 'wgname.ad.mycorp.com'

(which appears to be the dns domain of your DC) and Samba does not do

subdomains or to put it it another way, your clients have to be in the

same dns domain as your DC's.



I'm pursuing this with our Windows AD administrators.



>

> kinit -V Administrator at WGNAME.AD.MYCORP.COM<mailto:Administrator at WGNAME.AD.MYCORP.COM>

> returns:

> Authenticated to Kerberos v5



More proof that you have it wrong



What should kinit -V return?



>

> And klist commands show tickets with today's date.  We are running CentOS 7, samba-4.10.16-20.el7_9.x86_64



That is a very old version of Smba.



Agreed!  Downloading and making a newer version is on my to-do list.  Need to thoroughly test all dependencies.



>

> wbinfo -t/-u/-g runs successfully as does wbinfo --getdcname MYCORP



That does surprise me.



Me too, but I don't argue with success.



(BTW those wbinfo commands start to fail along with Samba a few days after joining AD on our CentOS 6 servers.  Not going to trouble you with that here, other than to ask what version of Samba 4 would you recommend we try using on Linux 6?)



>

> No problems so far other than "net ads join" fails, have to use "realm join" instead which messes up smb.conf



You shouldn't use 'realm' with Samba.



I've gathered as much but why?



>

> smb.conf

> [global]

> kerberos method = system keytab

> log level = 3

> max log size = 5000

> log file = /var/log/samba/log.%h.%m

> template homedir = /home/%U@%D

> template shell = /bin/bash

> security = ads

> realm = WGNAME.AD.MYCORP.COM



As the realm is the dns domain in uppercase, your realm should be

'MYCORP.COM' which would fail because it doesn't exist.



> idmap config MYCORP : range = 1000-2999999

> idmap config MYCORP : backend = ad

> idmap config MYCORP : schema_mode = rfc2307

> idmap config MYCORP : unix_primary_group = yes

> idmap config MYCORP : unix_nss_info = yes

> idmap config * : range = 3000000-39999999



Why such high numbers ?



My understanding is that "idmap config WGNAME" should be the range of all possible UIDs assigned by our enterprise [in AD].  That was the range given to me.

And "idmap config *" is a catch all for any users that don't fit under the above specified range.



> idmap config * : backend = tdb

> winbind use default domain = yes

> winbind refresh tickets = yes

> winbind offline logon = yes

> winbind enum groups = no

> winbind enum users = no

> workgroup = WGNAME



Another problem there, the 'idmap config' lines should be using the

workgroup 'WGNAME', but they seem to be using 'MYCORP', why?



My error when I sanitized the file. Those 'idmap config' entries are using 'WGNAME' instead of 'MYCORP'.



> kpasswd port = 0



I have never changed that port, why have you ?



This was done to mitigate https://www.samba.org/samba/security/CVE-2022-32744.html

Later found not necessary since our KDC's are on Windows, not Linux.

Just never removed it but will do so.



>

> krb5.conf

> # Configuration snippets may be placed in this directory as well

> includedir /etc/krb5.conf.d/

>

> includedir /etc/krb5.conf.d



Samba does not like the 'includedir' line, I would remove it.



Will remove 'includedir'.



> [logging]

> default = FILE:/var/log/krb5libs.log

> kdc = FILE:/var/log/krb5kdc.log

> admin_server = FILE:/var/log/kadmind.log

>

> [libdefaults]

> dns_lookup_realm = false

> ticket_lifetime = 24h

> renew_lifetime = 7d

> forwardable = true

> rdns = false

> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt

> default_ccache_name = KEYRING:persistent:%{uid}

> default_realm = WGNAME.AD.MYCORP.COM



It might be set as the default realm, but on this machine (at present)

it is wrong.



> dns_lookup_kdc = true

>

> [realms]

> WGNAME.AD.MYCORP.COM = {

> }

> [domain_realm]

> wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM

> .wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM

>



Rowland


Thanks,
Jim Brand



This email and any attachments may contain information that is confidential and/or privileged for the sole use of the intended recipient. Any use, review, disclosure, copying, distribution or reliance by others, and any forwarding of this email or its contents, without the express permission of the sender is strictly prohibited by law. If you are not the intended recipient, please contact the sender immediately, delete the e-mail and destroy all copies.


More information about the samba mailing list