Is it possible to specify a list of DCs for Samba to use, rather than have it look them up dynamically via DNS?

I have an issue with Kerberos, Samba, and SSSD where my machines stop authenticating after a period of time (preAuthentication errors, etc.). I suspect it's because of a "DC mismatch" between the three. Because we have numerous DCs all over the world, I specifically configure krb5.conf and sssd.conf to point to local DCs rather than allow them to be selected via DNS (examples below). This speeds up the authentication process; I have local access should the local DCs drop offline, so I'm not worried about cross-site/remote site redundancies.

Samba appears to use "realm =" to perform a DNS lookup, which is logged during my `net ads join` as `ads_dns_parse_rr_srv` messages. From the log, I can see Samba parsing numerous DCs, some local, some remote.

internal_resolve_name: looking up example.domain.com#dcdc (sitename (null))
resolve_ads: Attempting to resolve KDCs for example.domain.com using DNS
ads_dns_lookup_srv: 13 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote01-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote02-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote02-dc03.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote03-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote03-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote04-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote04-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote05-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote05-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc03.example.domain.com [0, 100, 88]
remove_duplicate_addrs2: looking for duplicate address/port pairs
internal_resolve_name: returning 13 addresses: <bunch_of_ips>
Adding 13 DC's from auto lookup

We do not allow LDAP pings through our remote firewalls, so the join/authentication process stalls while these time out until it finds a local DC in the list that responds. Once it hits a local DC, the process picks back up. This presents a problem because the initial DNS lookup doesn't always appear to resolve the entire list of DCs. Sometimes I see five DCs returned, sometimes more than ten. It could be possible for Samba to resolve five DCs that it cannot reach.

I can't fix the DNS problem since it's outside of my scope and would affect the larger corporate environment. I'm more or less forced to work around any limitations or issues found there.

I tried to use "password server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com", but it did not affect Samba's behavior. I've parsed the manual for smb.conf (https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html) and haven't found another option to point to specific DCs, if it's even possible.

Is this the correct approach? Is it possible? Is there a work-around?

What I suspect is that because Kerberos and sssd use dc01 through dc03 and Samba uses whatever it finds via DNS, it may be possible for me to have some kind of DC mismatch when my machine credentials are refreshed. Does that sound crazy?

I'm still getting used to working with Kerberos + Samba + SSSD, so please excuse my ignorance. I've picked this apart for several days and have reached a point where I'm stuck. I would be obscenely happy if there was someone on the list with more experience in this area than I have that could point me in the right direction on either issue.

/etc/krb5.conf

[libdefaults]
default_realm = EXAMPLE.DOMAIN.COM

[realms]
EXAMPLE.DOMAIN.COM = {
    default_domain = example.domain.com
    kdc = dc01.example.domain.com
    kdc = dc02.example.domain.com
    kdc = dc03.example.domain.com
    admin_server = dc01.example.domain.com
}

/etc/samba/smb.conf

[global]
workgroup = SHORT-NAME
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = EXAMPLE.DOMAIN.COM
security = ads

/etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = EXAMPLE.DOMAIN.COM

[nss]

[pam]

[domain/EXAMPLE.DOMAIN.COM]
id_provider = ad
access_provider = ad
ad_domain = example.domain.com
ad_server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com
default_shell = /bin/bash
override_homedir = /home/%u
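Added example, not code from the thread or from the Samba or SSSD projects: a Python script that parses the `ads_dns_parse_rr_srv` lines of a `net ads join` log together with the krb5.conf and sssd.conf shown above, then reports which DNS-discovered DCs fall outside the pinned set, which pinned DCs the SRV answer omitted, and how many entries Samba would walk through before reaching a pinned (local) DC. The realm, hostnames and config text are the thread's own examples; the log excerpt is constructed, with its SRV answer order invented (remote DCs first) to show the stall case the post describes. The bracketed triple in the log lines is read as (priority, weight, port).

```python
"""Cross-check the DCs Samba found via DNS SRV lookup against the DCs pinned in
krb5.conf and sssd.conf. Added example; inputs below are constructed from the
mailing-list thread's excerpts."""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed log excerpt in the format of the thread's `net ads join` output.
# Order is invented: remote (firewalled) DCs come before the local ones.
SAMBA_LOG = """\
internal_resolve_name: looking up example.domain.com#dcdc (sitename (null))
resolve_ads: Attempting to resolve KDCs for example.domain.com using DNS
ads_dns_lookup_srv: 6 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote02-dc03.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote05-dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc03.example.domain.com [0, 100, 88]
remove_duplicate_addrs2: looking for duplicate address/port pairs
Adding 6 DC's from auto lookup
"""

KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.DOMAIN.COM

[realms]
EXAMPLE.DOMAIN.COM = {
    default_domain = example.domain.com
    kdc = dc01.example.domain.com
    kdc = dc02.example.domain.com
    kdc = dc03.example.domain.com
    admin_server = dc01.example.domain.com
}
"""

SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = EXAMPLE.DOMAIN.COM

[nss]

[pam]

[domain/EXAMPLE.DOMAIN.COM]
id_provider = ad
access_provider = ad
ad_domain = example.domain.com
ad_server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com
default_shell = /bin/bash
override_homedir = /home/%u
"""

# "ads_dns_parse_rr_srv: Parsed <host> [<priority>, <weight>, <port>]"
SRV_LINE = re.compile(r"ads_dns_parse_rr_srv: Parsed (\S+) \[(\d+), (\d+), (\d+)\]")


def samba_discovered_dcs(log_text: str) -> List[Tuple[str, int, int, int]]:
    """(host, priority, weight, port) in the order Samba logged them."""
    return [(h.lower().rstrip("."), int(p), int(w), int(port))
            for h, p, w, port in SRV_LINE.findall(log_text)]


def krb5_kdcs(conf_text: str, realm: str) -> List[str]:
    """kdc = entries inside `REALM = { ... }` under [realms]; krb5.conf is not INI."""
    kdcs, section, in_block = [], None, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, in_block = line.lower(), False
        elif section == "[realms]" and not in_block:
            m = re.match(r"(\S+)\s*=\s*\{", line)
            in_block = bool(m and m.group(1).upper() == realm.upper())
        elif in_block and line == "}":
            in_block = False
        elif in_block:
            m = re.match(r"kdc\s*=\s*(\S+)", line, re.I)
            if m:
                kdcs.append(m.group(1).split(":")[0].lower())  # drop optional :port
    return kdcs


def sssd_ad_servers(conf_text: str, section: str) -> List[str]:
    """ad_server hosts from an sssd.conf [domain/...] section.
    interpolation=None matters: `override_homedir = /home/%u` would otherwise
    make configparser choke on the '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    hosts = [h.strip().lower() for h in cp.get(section, "ad_server", fallback="").split(",")]
    # "_srv_" tells sssd to fall back to DNS SRV discovery; it is not a host.
    return [h for h in hosts if h and h != "_srv_"]


def dc_mismatch_report(log_text: str, krb5_text: str, sssd_text: str, realm: str) -> Dict[str, object]:
    order = [h for h, _p, _w, _port in samba_discovered_dcs(log_text)]
    pinned = set(krb5_kdcs(krb5_text, realm)) | set(sssd_ad_servers(sssd_text, f"domain/{realm}"))
    first = next((h for h in order if h in pinned), None)
    return {
        "samba_order": order,
        "pinned": sorted(pinned),
        "samba_only": [h for h in order if h not in pinned],      # Samba may contact; krb5/sssd never will
        "pinned_not_in_srv": sorted(pinned - set(order)),         # pinned DCs this SRV answer omitted
        "first_usable": first,
        "tries_before_first_usable": order.index(first) if first else len(order),
    }


if __name__ == "__main__":
    for key, value in dc_mismatch_report(SAMBA_LOG, KRB5_CONF, SSSD_CONF, "EXAMPLE.DOMAIN.COM").items():
        print(f"{key}: {value}")
```

A non-empty `samba_only` list is the "DC mismatch" the post worries about made concrete; `tries_before_first_usable` is the number of firewalled DCs the join walks through (and times out on) before a local one answers, and `first_usable` is `None` in the partial-answer case where DNS returned only DCs the host cannot reach.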
On Tue, 23 Aug 2016 13:01:09 -0700 Sean via samba <samba at lists.samba.org> wrote:
> Is it possible to specify a list of DCs for Samba to use, rather than
> have it look them up dynamically via DNS?
> [...]

Can I point out that because you are using sssd, that is what is doing your authentication and Samba isn't. So winbind will ignore anything you put in smb.conf; this is because you are not using winbind. sssd is not part of Samba. Have you tried asking the sssd users mailing list?

Rowland
You believe that SSSD is bypassing Samba entirely and going direct to Kerberos? That's possible. At the moment, to the best of my understanding, Samba is only being used to join the domain. There are no file/printer/etc. shares happening; this is just basic domain join/membership and keytab generation, and after that it's done.

The question was still specific to Samba itself: can I specify the DCs used rather than rely on dynamic lookup via DNS?

On 8/23/16, 2:19 PM, "samba on behalf of Rowland Penny via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:
> [...]
> Can I point out that because you are using sssd, that is what is doing
> your authentication and Samba isn't. So winbind will ignore anything you
> put in smb.conf; this is because you are not using winbind. sssd is not
> part of Samba. Have you tried asking the sssd users mailing list?
>
> Rowland