Is it possible to specify a list of DCs for Samba to use, rather than have it
look them up dynamically via DNS?
I have an issue with Kerberos, Samba, and SSSD where my machines stop
authenticating after a period of time – preAuthentication errors, etc. I suspect
it's because of a "DC mismatch" between the three. Because we have
numerous DCs all over the world, I specifically configure krb5.conf and
sssd.conf to point to local DCs rather than allow them to be selected via DNS -
examples below. This speeds up the authentication process; I have local access
should the local DCs drop offline, so I'm not worried about
cross-site/remote site redundancies.
Samba appears to use "realm =" to perform a DNS lookup, which is
logged during my `net ads join` as `ads_dns_parse_rr_srv` messages. From the
log, I can see Samba parsing numerous DCs, some local, some remote.
internal_resolve_name: looking up example.domain.com#dcdc (sitename (null))
resolve_ads: Attempting to resolve KDCs for example.domain.com using DNS
ads_dns_lookup_srv: 13 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote01-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote02-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote02-dc03.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote03-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote03-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote04-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote04-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote05-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote05-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc03.example.domain.com [0, 100, 88]
remove_duplicate_addrs2: looking for duplicate address/port pairs
internal_resolve_name: returning 13 addresses: <bunch_of_ips>
Adding 13 DC's from auto lookup
We do not allow LDAP pings through our remote firewalls, so the
join/authentication process stalls while these timeout until it finds a local DC
in the list that responds. Once it hits a local DC, the process picks back up.
This presents a problem because the initial DNS lookup doesn't always appear
to resolve the entire list of DCs. Sometimes I see five DCs returned, sometimes
more than ten. It could be possible for Samba to resolve five DCs that it cannot
reach.
I can't fix the DNS problem since it's outside of my scope and would
affect the larger corporate environment. I'm more or less forced to work
around any limitations or issues found there. I tried to use "password
server = dc01.example.domain.com, dc02.example.domain.com,
dc03.example.domain.com," but it did not affect Samba's behavior.
I've parsed the manual for smb.conf
(https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html) and haven't
found another option to point to specific DCs, if it's even possible.
Is this the correct approach? Is it possible? Is there a work-around?
What I suspect is that because Kerberos and sssd use dc01 through dc03 and samba
uses whatever it finds via DNS, it may be possible for me to have some kind of
DC mismatch when my machine credentials are refreshed. Does that sound crazy?
I'm still getting used to working with Kerberos + Samba + SSSD, so please
excuse my ignorance. I've picked this apart for several days and have
reached a point where I'm stuck. I would be obscenely happy if there was
someone on the list with more experience in this area than I have that could
point me in the right direction on either issue.
/etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.DOMAIN.COM
[realms]
EXAMPLE.DOMAIN.COM = {
default_domain = example.domain.com
kdc = dc01.example.domain.com
kdc = dc02.example.domain.com
kdc = dc03.example.domain.com
admin_server = dc01.example.domain.com
}
/etc/samba/smb.conf
[global]
workgroup = SHORT-NAME
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = EXAMPLE.DOMAIN.COM
security = ads
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = EXAMPLE.DOMAIN.COM
[nss]
[pam]
[domain/EXAMPLE.DOMAIN.COM]
id_provider = ad
access_provider = ad
ad_domain = example.domain.com
ad_server = dc01.example.domain.com, dc02.example.domain.com,
dc03.example.domain.com
default_shell = /bin/bash
override_homedir = /home/%u
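One way to confirm or rule out the "DC mismatch" suspected above is to compare the DCs pinned in krb5.conf and sssd.conf with the DCs that `net ads join` actually discovered through DNS. The script below is an added example, not code from the thread or from the Samba project. It embeds constructed copies of the log excerpt and the two config files shown in the post (the hostnames are the post's placeholders), parses the `ads_dns_parse_rr_srv` lines, and reports every DC that Samba may try but that is not in the pinned set. The bracketed triple after each hostname is read as SRV priority, weight and port, which is an assumption about the log format; 88 is the Kerberos port, consistent with Samba resolving KDCs.

```python
"""Cross-check DCs Samba discovered via DNS SRV lookups against the DCs pinned
in krb5.conf and sssd.conf.  Added example, not Samba's or the poster's code.
Inputs below are constructed from the snippets quoted in the post."""
import re
from typing import Dict, Set

# Constructed excerpt of the `net ads join` debug output quoted in the post.
SAMBA_LOG = """\
internal_resolve_name: looking up example.domain.com#dcdc (sitename (null))
resolve_ads: Attempting to resolve KDCs for example.domain.com using DNS
ads_dns_lookup_srv: 13 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote01-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote02-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote02-dc03.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote03-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote03-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote04-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote04-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote05-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote05-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc03.example.domain.com [0, 100, 88]
Adding 13 DC's from auto lookup
"""

# Constructed copies of the config files from the post (ad_server on one line,
# as it would be in the real file rather than wrapped by the mail client).
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.DOMAIN.COM
[realms]
EXAMPLE.DOMAIN.COM = {
default_domain = example.domain.com
kdc = dc01.example.domain.com
kdc = dc02.example.domain.com
kdc = dc03.example.domain.com
admin_server = dc01.example.domain.com
}
"""
SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = EXAMPLE.DOMAIN.COM
[domain/EXAMPLE.DOMAIN.COM]
id_provider = ad
access_provider = ad
ad_domain = example.domain.com
ad_server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com
"""

# Assumption: the bracketed triple is SRV priority, weight, port.
SRV_LINE = re.compile(r"ads_dns_parse_rr_srv: Parsed (?P<host>\S+) "
                      r"\[(?P<prio>\d+), (?P<weight>\d+), (?P<port>\d+)\]")


def parse_samba_srv(log: str) -> Dict[str, Dict[str, int]]:
    """Return {hostname: {priority, weight, port}} for every DC Samba parsed."""
    found = {}
    for line in log.splitlines():
        m = SRV_LINE.search(line)
        if m:
            found[m["host"].lower()] = {"priority": int(m["prio"]),
                                        "weight": int(m["weight"]),
                                        "port": int(m["port"])}
    return found


def parse_krb5_kdcs(text: str, realm: str) -> Set[str]:
    """Collect the `kdc =` hosts inside the given realm's {...} block."""
    kdcs, in_realm = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith(realm.upper()) and line.endswith("{"):
            in_realm = True
        elif in_realm and line == "}":
            in_realm = False
        elif in_realm:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                kdcs.add(value.strip().lower())
    return kdcs


def parse_sssd_ad_servers(text: str, section: str) -> Set[str]:
    """Collect hosts from `ad_server =` in one [domain/...] section of sssd.conf."""
    servers, in_section = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == f"[{section}]"
        elif in_section:
            key, _, value = line.partition("=")
            if key.strip() == "ad_server":
                # `_srv_` is sssd's marker for "discover via DNS", not a host.
                servers |= {h.strip().lower() for h in value.split(",")
                            if h.strip() and h.strip().lower() != "_srv_"}
    return servers


def dc_mismatch(log: str, krb5: str, sssd: str, realm: str, section: str) -> dict:
    """Report DCs Samba may try that are not pinned, and pinned DCs DNS omitted."""
    kdcs = parse_krb5_kdcs(krb5, realm)
    ad_servers = parse_sssd_ad_servers(sssd, section)
    discovered = set(parse_samba_srv(log))
    pinned = kdcs | ad_servers
    return {"pinned": pinned,
            "discovered": discovered,
            "krb5_sssd_disagree": kdcs ^ ad_servers,      # the two pinned lists differ
            "unpinned_in_dns": discovered - pinned,       # remote DCs Samba will try first
            "pinned_missing_from_dns": pinned - discovered}


if __name__ == "__main__":
    report = dc_mismatch(SAMBA_LOG, KRB5_CONF, SSSD_CONF,
                         "EXAMPLE.DOMAIN.COM", "domain/EXAMPLE.DOMAIN.COM")
    for key, hosts in report.items():
        print(f"{key}: {len(hosts)} -> {sorted(hosts)}")
```

Run against the post's own snippets, the report lists ten DNS-discovered DCs outside the pinned set (the `remote*` hosts behind the firewalls) and no pinned DC missing from DNS, which is exactly the join stall the post describes; in a real deployment the three strings would be read from `/etc/krb5.conf`, `/etc/sssd/sssd.conf` and a saved `net ads join -d 5` log.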
On Tue, 23 Aug 2016 13:01:09 -0700 Sean via samba <samba at lists.samba.org> wrote:
> Is it possible to specify a list of DCs for Samba to use, rather than
> have it look them up dynamically via DNS?
> [...]
Can I point out that because you are using sssd, that is what is doing
your authentication and Samba isn't. So winbind will ignore anything
you put in smb.conf, this is because you are not using winbind.
sssd is not part of Samba.
Have you tried asking the sssd users mailing list ?
Rowland
You believe that SSSD is bypassing Samba entirely and going direct to Kerberos?
That’s possible. At the moment, to the best of my understanding, Samba is only
being used to join the domain. There are no file/printer/etc. shares happening;
this is just basic domain join/membership and keytab generation and after that
it’s done.
The question was still specific to Samba itself: can I specify the DCs used
rather than rely on dynamic lookup via DNS?
On 8/23/16, 2:19 PM, "samba on behalf of Rowland Penny via samba"
<samba-bounces at lists.samba.org on behalf of samba at lists.samba.org>
wrote:
On Tue, 23 Aug 2016 13:01:09 -0700
Sean via samba <samba at lists.samba.org> wrote:
> Is it possible to specify a list of DCs for Samba to use, rather than
> have it look them up dynamically via DNS?
> [...]
Can I point out that because you are using sssd, that is what is doing
your authentication and Samba isn't. So winbind will ignore anything
you put in smb.conf, this is because you are not using winbind.
sssd is not part of Samba.
Have you tried asking the sssd users mailing list ?
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba