Wayne Rasmussen
2007-May-29  21:25 UTC
[Samba] Restricting to a subset of the domain controllers on a site
Had a situation where users could not map drives from Windows XP to 
Solaris 9 system running Samba-3.0.10 for Active Directory.  This
system has been running for a couple of years without problems. Now
recently, the site administrators have added some new servers to the
domain which may have introduced a problem.
This krb5.conf file has been modified to hide the site in question.
[libdefaults]
        default_realm = sanatized
        default_tgs-enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        default_tkt-enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        default_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
        sanatized = {
                kdc = DC1a.sanatized
                kdc = DC2a.sanatized
                kdc = DC3a.sanatized
                kdc = DC4a.sanatized
                admin_server = DC3a.sanatized
        }
[domain_realm]
	.sanatized = sanatized
	sanatized = sanatized
[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        admin_server = FILE:/var/log/kadmin.log
	kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
		period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
		versions = 10
	}
[appdefaults]
	kinit = {
		renewable = true
		forwardable= true
	}
	gkadmin = {
		help_url http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
	}
So the system is expecting to see the following Domain Controllers:
   DC1a DC2a DC3a DC4a
However, when users were experiencing problems, we saw the following when klist was run.
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: IL02mcs@sanatized
Valid starting     Expires            Service principal
05/29/07 11:04:53  05/29/07 21:04:53  krbtgt/sanatized@sanatized
	renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 21:04:53  exchgc01a$@sanatized
	renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 11:07:09  kadmin/changepw@sanatized
	renew until 05/29/07 11:07:09
Kerberos 4 ticket cache: /tmp/tkt0
The line that concerns me is:
05/29/07 11:05:09  05/29/07 21:04:53  exchgc01a$@sanatized
   renew until 05/30/07 11:04:53
Anytime a DC other than DC1a DC2a DC3a DC4a gets used, users have problems mapping drives.
We had no record of a domain controller named exchgc01a in the environment.
The admins have recently added a number of servers which they say are catalog servers as part of their Exchange setup and should not be used for authentication at all.  The domain controllers they have added are: EXCHGC01A EXCHGC02A EXCHGC03A EXCHGC04A DC1SE DC2SE
They are telling us that we must restrict to only authenticating to the
domain controllers: DC1a DC2a DC3a DC4a
Is there a way to do this?  Is their request unreasonable?
There is a password server setting, but is that good enough and can you
give it more than a single machine? What if the machine is down for an
unscheduled problem?
Personally, I don't think the new servers should be issuing tickets if they are not used for authentication.  They just called me and will be checking to see if that is the case...
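A small check for the situation described above, added here as an example and not part of the original post: it reads the kdc/admin_server entries from the [realms] section of a krb5.conf and compares them with the machine-account service tickets (principals ending in "$") in klist output, reporting any host that is not in the approved list. The sample krb5.conf and klist text are constructed from the thread (with one extra DC2a$ ticket added to show an approved host passing); the function names are mine.

```python
import re

# Constructed sample input modelled on the thread (hostnames sanitised as in the post).
KRB5_CONF = """[realms]
        sanatized = {
                kdc = DC1a.sanatized
                kdc = DC2a.sanatized
                kdc = DC3a.sanatized
                kdc = DC4a.sanatized
                admin_server = DC3a.sanatized
        }
"""

# Constructed klist output: the thread's tickets plus one DC2a$ ticket for an approved host.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: IL02mcs@sanatized
Valid starting     Expires            Service principal
05/29/07 11:04:53  05/29/07 21:04:53  krbtgt/sanatized@sanatized
05/29/07 11:05:09  05/29/07 21:04:53  exchgc01a$@sanatized
05/29/07 11:05:09  05/29/07 21:04:53  DC2a$@sanatized
05/29/07 11:05:09  05/29/07 11:07:09  kadmin/changepw@sanatized
"""

def approved_kdcs(krb5_conf):
    """Short hostnames (lower-cased) of every kdc/admin_server listed under [realms]."""
    hosts, in_realms = set(), False
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_realms = line == "[realms]"   # only the [realms] section names KDCs
            continue
        m = re.match(r"(?:kdc|admin_server)\s*=\s*(\S+)", line) if in_realms else None
        if m:
            hosts.add(m.group(1).split(".")[0].lower())
    return hosts

def machine_service_hosts(klist_output):
    """Short hostnames of machine-account service tickets (principal ending in '$')."""
    found = []
    for line in klist_output.splitlines():
        m = re.search(r"\s([^\s/@]+)\$@\S+$", line)  # e.g. 'exchgc01a$@sanatized'
        if m:
            found.append(m.group(1).lower())
    return found

def unexpected_dcs(krb5_conf, klist_output):
    """Machine-account tickets for hosts that are not in the approved KDC list."""
    allowed = approved_kdcs(krb5_conf)
    return sorted({h for h in machine_service_hosts(klist_output) if h not in allowed})
```

A machine-account service ticket records which DC the Samba host actually talked to (the signal the post relies on); it does not say which KDC issued the TGT, so the check flags unapproved DC contact rather than unapproved ticket issuance.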
Gerald (Jerry) Carter
2007-May-30  12:36 UTC
[Samba] Restricting to a subset of the domain controllers on a site
Wayne Rasmussen wrote:
> They are telling us that we must restrict to only
> authenticating to the domain controllers: DC1a DC2a
> DC3a DC4a

What version of Samba are you running?

> Is there a way to do this? Is their request unreasonable?

How are they enforcing this requirement on the Windows clients? Using AD Sites to group DCs?

cheers, jerry

====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Wayne Rasmussen
2007-May-30  18:08 UTC
[Samba] Restricting to a subset of the domain controllers on a site
> What version of Samba are you running?

We are running samba-3.0.10 on Solaris 9.

> How are they enforcing this requirement on the Windows
> clients? Using AD Sites to group DCs?

Their Answer: Those other servers, while part of the domain, are part of a separate site used for Exchange services.

They referred to the following links:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx
http://technet.microsoft.com/en-us/library/bb124367.aspx

So when the server boots and runs:
/usr/local/bin/kinit IL02mcs@sanatized
/usr/local/samba/bin/net ads join

What determines which DCs are granting tickets/authenticating? /etc/krb5.conf doesn't seem to be the limiting factor, as in this case we got machines not in krb5.conf.

They are basically telling us that samba needs to limit which DCs it is using for lookup. This seems counter intuitive to me.
Gerald (Jerry) Carter
2007-May-30  18:23 UTC
[Samba] Restricting to a subset of the domain controllers on a site
Wayne,

>> How are they enforcing this requirement on the Windows
>> clients? Using AD Sites to group DCs?
>
> Their Answer:
>
> Those other servers, while part of the domain are part of a separate
> site used for exchange services.

Support for AD sites was introduced in the Samba 3.0.25 series.

cheers, jerry
Wayne Rasmussen
2007-May-30  18:26 UTC
[Samba] Restricting to a subset of the domain controllers on a site
Are there any settings in the smb.conf file which are required for this?

Thanks,
Wayne
Gerald (Jerry) Carter
2007-May-30  18:43 UTC
[Samba] Restricting to a subset of the domain controllers on a site
Wayne Rasmussen wrote:
> Is there any settings in smb.conf file which are
> required for this?

Nope. Just coded internally to the DC lookup routines used by smbd and winbindd. Also generates private krb5.conf files used to enforce server affinity at the krb5 client lib layer.

cheers, jerry