Jonathan Neuhauser
2022-Jul-11 06:23 UTC
[Samba] name resolve order parameter for security=ads
Dear Samba list,

I noticed that the recommendation for the "name resolve order" parameter
for security = ads, namely "wins bcast", breaks everything on my test
domain client (Rowland Penny asked me to post this issue on the mailing
list to exclude misconfiguration on my part).

samba --version: Version 4.13.17-Ubuntu, Ubuntu 20.04 LTS, uname -r:
5.13.0-52-generic

Here's my smb.conf as shown by testparm (realm replaced by EXAMPLE.ORG):

[global]
	kerberos method = system keytab
	log file = /var/log/samba/log.%m
	logging = file
	log level = 3
	map to guest = Bad User
	max log size = 1000
	ntlm auth = ntlmv2-only
	panic action = /usr/share/samba/panic-action %d
	realm = EXAMPLE.ORG
	security = ADS
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = EXAMPLE
	idmap config example : unix_primary_group = yes
	idmap config example : schema_mode = rfc2307
	idmap config example : unix_nss_info = yes
	idmap config example : range = 8000 - 9999999
	idmap config example : backend = ad
	idmap config * : range = 3000 - 7999
	idmap config * : backend = tdb

and krb5.conf:

[libdefaults]
	default_realm = EXAMPLE.ORG
	kdc_timesync = 1
	ccache_type = 4
	forward = true
	forwardable = true
	proxiable = true
	dns_lookup_realm = true
	dns_lookup_kdc = true

With this setting, wbinfo -i username as well as wbinfo -i
"EXAMPLE\username" works fine and shows correct uid/gid and home
directory, and domain integration works mostly fine - including PAM &
NSS integration and graphical login, as well as Kerberos access to
shares hosted by this machine. So thanks to the samba team for providing
a great tool!

If I additionally set

	name resolve order = wins bcast

wbinfo -P shows

	checking the NETLOGON for domain[EXAMPLE] dc connection to "" failed
	failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND

wbinfo -i username or wbinfo -i "EXAMPLE\username"

	failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
	Could not get info for user username

I can resolve the SRV records: host -t SRV _ldap._tcp.example.org still
shows the available domain controllers.

It is from these observations that I filed bug
https://bugzilla.samba.org/show_bug.cgi?id=15117, but maybe there's an
issue with my configuration as shown above. I'll also provide further
logs on request.

Thanks in advance,

Jonathan
On Mon, 2022-07-11 at 08:23 +0200, Jonathan Neuhauser via samba wrote:
> Dear Samba list,
>
> I noticed that the recommendation for the "name resolve order" parameter
> for security = ads, namely "wins bcast", breaks everything on my test
> domain client (Rowland Penny asked me to post this issue on the mailing
> list to exclude misconfiguration on my part).
>
> samba --version: Version 4.13.17-Ubuntu, Ubuntu 20.04 LTS, uname -r:
> 5.13.0-52-generic
>
> Here's my smb.conf as shown by testparm (realm replaced by EXAMPLE.ORG):
>
> [global]
> 	kerberos method = system keytab
> 	log file = /var/log/samba/log.%m
> 	logging = file
> 	log level = 3
> 	map to guest = Bad User
> 	max log size = 1000
> 	ntlm auth = ntlmv2-only
> 	panic action = /usr/share/samba/panic-action %d
> 	realm = EXAMPLE.ORG
> 	security = ADS
> 	template shell = /bin/bash
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind nss info = rfc2307
> 	winbind offline logon = Yes
> 	winbind refresh tickets = Yes
> 	winbind use default domain = Yes
> 	workgroup = EXAMPLE
> 	idmap config example : unix_primary_group = yes
> 	idmap config example : schema_mode = rfc2307
> 	idmap config example : unix_nss_info = yes
> 	idmap config example : range = 8000 - 9999999
> 	idmap config example : backend = ad
> 	idmap config * : range = 3000 - 7999
> 	idmap config * : backend = tdb
>
> and krb5.conf:
>
> [libdefaults]
> 	default_realm = EXAMPLE.ORG
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forward = true
> 	forwardable = true
> 	proxiable = true
> 	dns_lookup_realm = true
> 	dns_lookup_kdc = true
>
> With this setting, wbinfo -i username as well as wbinfo -i
> "EXAMPLE\username" works fine and shows correct uid/gid and home
> directory, and domain integration works mostly fine - including PAM &
> NSS integration and graphical login, as well as Kerberos access to
> shares hosted by this machine. So thanks to the samba team for providing
> a great tool!
>
> If I additionally set
>
> 	name resolve order = wins bcast
>
> wbinfo -P shows
>
> 	checking the NETLOGON for domain[EXAMPLE] dc connection to "" failed
> 	failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
>
> wbinfo -i username or wbinfo -i "EXAMPLE\username"
>
> 	failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> 	Could not get info for user username
>
> I can resolve the SRV records: host -t SRV _ldap._tcp.example.org still
> shows the available domain controllers.
>
> It is from these observations that I filed bug
> https://bugzilla.samba.org/show_bug.cgi?id=15117, but maybe there's an
> issue with my configuration as shown above. I'll also provide further
> logs on request.
>
> Thanks in advance,
>
> Jonathan

Hi Jonathan, thanks for posting your smb.conf, which doesn't really have
anything wrong with it.

I have tried 'wbinfo -P' & 'wbinfo -i' on two machines, one running
4.15.7 with the 'ad' backend and 4.13.3 with the 'rid' backend. Both
succeed.

What is different between your set up and mine is krb5.conf, so can you
try this one:

[libdefaults]
	default_realm = EXAMPLE.ORG
	dns_lookup_realm = false
	dns_lookup_kdc = true

Rowland
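The failing combination from Jonathan's post, turned into a configuration check. This is an added example, not code from the thread or from Samba: a POSIX shell script that reads an smb.conf in testparm's "key = value" layout (as posted above) and flags security = ads together with a "name resolve order" that contains no "host" method. Assumptions: "host" is the resolve method that consults /etc/hosts and DNS, so an ADS client whose order lists only wins and bcast has no DNS-based route left for locating its domain controllers; and when the key is absent the script falls back to Samba's documented default "lmhosts wins host bcast", which is why the posted configuration works until the key is added. The two configs in the demo are constructed, trimmed copies of the posted one.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: sanity-check an
# smb.conf in testparm's "key = value" form and flag the combination that
# broke the posted client, i.e. security = ads together with a
# "name resolve order" that has no "host" method (the method that
# consults /etc/hosts and DNS; assumption stated in the lead-in).

# check_resolve_order SECURITY ORDER
# Returns 0 when the pair is consistent, 1 when an ADS client has been
# left with no DNS-based name resolution method.
check_resolve_order() {
    sec=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    order=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || return 0      # only ADS clients depend on DNS here
    for method in $order; do
        case "$method" in
            host|hosts) return 0 ;;
        esac
    done
    return 1
}

# extract_global KEY FILE: print KEY's value from the [global] section
# (KEY is matched case-insensitively; nothing is printed when it is absent).
extract_global() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ { inglobal = ($0 ~ /^[[:space:]]*\[[Gg]lobal\]/); next }
        inglobal && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$2"
}

# check_file FILE: 0 if FILE is safe, 1 if it shows the failing combination.
check_file() {
    sec=$(extract_global security "$1")
    order=$(extract_global "name resolve order" "$1")
    # Samba's documented default is "lmhosts wins host bcast", which
    # includes host, so an absent key is fine.
    [ -n "$order" ] || order="lmhosts wins host bcast"
    check_resolve_order "$sec" "$order"
}

# Demo on two constructed configs (trimmed versions of the posted one).
demo_dir=$(mktemp -d)
cat > "$demo_dir/broken.conf" <<'EOF'
[global]
    realm = EXAMPLE.ORG
    security = ADS
    workgroup = EXAMPLE
    name resolve order = wins bcast
EOF
cat > "$demo_dir/ok.conf" <<'EOF'
[global]
    realm = EXAMPLE.ORG
    security = ADS
    workgroup = EXAMPLE
EOF
for f in "$demo_dir/broken.conf" "$demo_dir/ok.conf"; do
    if check_file "$f"; then
        echo "$f: name resolve order is usable with security = ads"
    else
        echo "$f: security = ads but no 'host' in name resolve order; no DNS-based method left for DC discovery"
    fi
done
rm -rf "$demo_dir"
```

Run it against `testparm -s` output, or point check_file at the live smb.conf, before changing the resolve order on a domain member; it only reads the file and makes no network calls, so it is safe to run anywhere.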