[Samba] Question about KDC Resolution with Samba

Rowland Penny rpenny at samba.org
Sun Jan 8 15:03:06 UTC 2023



On 08/01/2023 14:39, Jim Brand via samba wrote:
>> nslookup -type=SRV _kerberos._tcp.mycorp.com
>>
>> ** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN
>>
>
> As 'hostname -d' is returning 'mycorp.com' it would seem that is the dns
> domain your computer is in. 'mycorp.com' != 'wgname.ad.mycorp.com'
> (which appears to be the dns domain of your DC) and Samba does not do
> subdomains or to put it another way, your clients have to be in the
> same dns domain as your DC's.
>
> I'm pursuing this with our Windows AD administrators.

I wouldn't bother, just understand that when using Samba, your kerberos 
realm must be your dns domain in uppercase.

>
>> kinit -V Administrator@WGNAME.AD.MYCORP.COM
>> returns:
>> Authenticated to Kerberos v5
>
> More proof that you have it wrong
>
> What should kinit -V return?

Well, '-V' is for 'verbose' so a bit meaningless, what I meant was that 
your kerberos realm is '@WGNAME.AD.MYCORP.COM' and not 'MYCORP.COM' as 
you have it.

>
>> And klist commands show tickets with today's date.  We are running CentOS 7, samba-4.10.16-20.el7_9.x86_64
>
> That is a very old version of Samba.
>
> Agreed!  Downloading and making a newer version is on my to-do list.  Need to thoroughly test all dependencies.

Can I suggest you use a different OS? CentOS is stable because it is old.

>
>> wbinfo -t/-u/-g runs successfully as does wbinfo --getdcname MYCORP
>
> That does surprise me.
>
> Me too, but I don't argue with success.

There is definitely something going on here, are you sure that you are 
not getting IDs (not names) in the default '*' range?

>
> (BTW those wbinfo commands start to fail along with Samba a few days after joining AD on our CentOS 6 servers.  Not going to trouble you with that here, other than to ask what version of Samba 4 would you recommend we try using on Linux 6?)

This is getting worse, CentOS 6 is dead, it had a very nice funeral.

>
>> No problems so far other than "net ads join" fails, have to use "realm join" instead which messes up smb.conf
>
> You shouldn't use 'realm' with Samba.
>
> I've gathered as much but why?

The 'realm' command has nothing to do with Samba, whilst it works in a 
similar way to 'net ads join', it doesn't work exactly the same. Stick 
to using 'realm' with sssd and freeipa.

>
>> smb.conf
>> [global]
>> kerberos method = system keytab
>> log level = 3
>> max log size = 5000
>> log file = /var/log/samba/log.%h.%m
>> template homedir = /home/%U@%D
>> template shell = /bin/bash
>> security = ads
>> realm = WGNAME.AD.MYCORP.COM
>
> As the realm is the dns domain in uppercase, your realm should be
> 'MYCORP.COM' which would fail because it doesn't exist.
>
>> idmap config MYCORP : range = 1000-2999999
>> idmap config MYCORP : backend = ad
>> idmap config MYCORP : schema_mode = rfc2307
>> idmap config MYCORP : unix_primary_group = yes
>> idmap config MYCORP : unix_nss_info = yes
>> idmap config * : range = 3000000-39999999
>
> Why such high numbers?

The '3000000' numbers are only used on a Samba AD DC.

>
> My understanding is that "idmap config WGNAME" should be the range of all possible UIDs assigned by our enterprise [in AD].  That was the range given to me.

Well yes, but you are not using 'idmap config WGNAME' are you ?
Also, even if you were, it would only apply to computers that are in the 
workgroup/NetBIOS domain 'WGNAME' and that have a uidNumber (for a user) 
and a gidNumber (for a group) inside that range AND the Domain Users 
group MUST have a gidNumber.

> 
> And "idmap config *" is a catch all for any users that don't fit under the above specified range.

Not quite, the default domain '*' is meant for the Well Known SIDs and 
anything that is outside the 'WGNAME' domain or any other trusted domain 
that is listed in smb.conf and has a trust setup.

>
>> idmap config * : backend = tdb
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>> winbind enum groups = no
>> winbind enum users = no
>> workgroup = WGNAME
>
> Another problem there, the 'idmap config' lines should be using the
> workgroup 'WGNAME', but they seem to be using 'MYCORP', why?
>
> My error when I sanitized the file. Those 'idmap config' entries are using 'WGNAME' instead of 'MYCORP'.

Now you tell me ;-).

Rowland
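An added example (not part of the thread or of Samba): a small Python checker for the member-server rules Rowland states above, that the realm must be the client's DNS domain in uppercase and that 'idmap config' blocks are keyed by the NetBIOS workgroup plus the default '*' domain. It also checks that idmap ranges do not overlap, a general Samba requirement not stated in the thread. The sample smb.conf is constructed from the one quoted above, with the poster's correction applied.

```python
import re
# Constructed sample modelled on the thread's smb.conf, with the poster's correction (WGNAME, not MYCORP).
SAMPLE_SMB_CONF = """
[global]
realm = WGNAME.AD.MYCORP.COM
workgroup = WGNAME
idmap config WGNAME : backend = ad
idmap config WGNAME : range = 1000-2999999
idmap config * : backend = tdb
idmap config * : range = 3000000-39999999
"""

def parse_params(text):
    """Flatten 'key = value' lines into a dict (keys lower-cased, spaces normalised)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_member_config(text, dns_domain):
    """Return the list of problems found; an empty list means the config passes."""
    p = parse_params(text)
    problems = []
    # Rule 1 (from the thread): realm must be the client's DNS domain in uppercase.
    if p.get("realm") != dns_domain.upper():
        problems.append(f"realm {p.get('realm')!r} is not {dns_domain.upper()!r}")
    # Rule 2 (from the thread): idmap config is keyed by the NetBIOS workgroup, plus '*'.
    workgroup = p.get("workgroup", "").upper()
    ranges = {}
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            lo, hi = (int(n) for n in value.split("-"))
            ranges[m.group(1).upper()] = (lo, hi)
    for dom in ("*", workgroup):
        if dom not in ranges:
            problems.append(f"no idmap range for {dom!r}")
    for dom in ranges:
        if dom not in ("*", workgroup):
            problems.append(f"idmap config for {dom!r} but workgroup is {workgroup!r}")
    # Rule 3 (general Samba requirement, not stated in the thread): ranges must not overlap.
    for i, a in enumerate(sorted(ranges)):
        for b in sorted(ranges)[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges for {a!r} and {b!r} overlap")
    return problems
```

Running it with the DNS domain the poster's 'hostname -d' reported ('mycorp.com') flags the realm, which is exactly the mismatch discussed above.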


