Greetings, Sketch!

>> Did I simply provision the REALM or domain incorrectly from the start?
>> testparm -v output shows I provided the following:
>>
>> workgroup = INTERNAL
>> realm = EXAMPLE.COM
>> netbios name = SAMBA

> Looks that way to me. Your realm should include the workgroup name:
> INTERNAL.EXAMPLE.COM.

> See:
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Server_Information

> It _might_ work if you don't specify the domain when you kinit ("kinit
> Administrator"), since kerberos will normally look up the default domain,
> or use whatever is configured as default in your krb5.conf, but I suspect
> you will have issues with anything that tries to do automatic ticket
> acquisition.

Nothing is "SHOULD" as long as the settings follow basic requirements
(single-label NETBIOS domain name, resolvable REALM name).
I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
All works fine, given correct DNS configuration.

--
With best regards,
Andrey Repin
Wednesday, April 29, 2015 22:07:19

Sorry for my terrible english...

On Wed, 29 Apr 2015, Andrey Repin wrote:

> Greetings, Sketch!
>
>>> workgroup = INTERNAL
>>> realm = EXAMPLE.COM
>>> netbios name = SAMBA
>
>> Looks that way to me. Your realm should include the workgroup name:
>> INTERNAL.EXAMPLE.COM.
>
> Nothing is "SHOULD" as long as the settings follow basic requirements
> (single-label NETBIOS domain name, resolvable REALM name).
> I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
> All works fine, given correct DNS configuration.

Netbios name is basically irrelevant here. Do you mean that the realm name
does not have to match the workgroup name?

Greetings, Sketch!

>>>> workgroup = INTERNAL
>>>> realm = EXAMPLE.COM
>>>> netbios name = SAMBA
>>
>>> Looks that way to me. Your realm should include the workgroup name:
>>> INTERNAL.EXAMPLE.COM.
>>
>> Nothing is "SHOULD" as long as the settings follow basic requirements
>> (single-label NETBIOS domain name, resolvable REALM name).
>> I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
>> All works fine, given correct DNS configuration.

> Netbios name is basically irrelevant here.

NETBIOS HOST name? Irrelevant.
NETBIOS DOMAIN name? Not quite.

> Do you mean that the realm
> name does not have to match the workgroup name?

There's no such requirement.
AD domain is resolved from NETBIOS multicast or from domain suffix provided by
DHCP or configured in system settings. But the end result is that the system
receives the correct DNS name once and then works out from that purely through DNS.
I can show you examples of systems working from both premises in the same
domain.

P.S.
Please don't CC me, I'm subscribed to the list.

--
With best regards,
Andrey Repin
Wednesday, April 29, 2015 23:04:06

Sorry for my terrible english...

On 29/04/15 20:37, Sketch wrote:

> On Wed, 29 Apr 2015, Andrey Repin wrote:
>
>> Greetings, Sketch!
>>
>>>> workgroup = INTERNAL
>>>> realm = EXAMPLE.COM
>>>> netbios name = SAMBA
>>
>>> Looks that way to me. Your realm should include the workgroup name:
>>> INTERNAL.EXAMPLE.COM.
>>
>> Nothing is "SHOULD" as long as the settings follow basic requirements
>> (single-label NETBIOS domain name, resolvable REALM name).
>> I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
>> All works fine, given correct DNS configuration.
>
> Netbios name is basically irrelevant here. Do you mean that the realm
> name does not have to match the workgroup name?

I don't know how I can say this plainer, the only thing that has to match
is the realm name and the dns domain name, if your dns domain name is
'internal.example.com' then your kerberos realm must be
'INTERNAL.EXAMPLE.COM'.

The netbios domain name (also known as workgroup name), can be
*anything* you like, but it is usually the left-hand part of the dns
domain name, 'INTERNAL' from the given example, but you could use
'BUTTERCUP' or 'MOON' or *ANYTHING* else, just as long as it is a single
word, of not more than 15 characters.

Rowland
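
The naming rules stated in the thread (realm matches the DNS domain name; workgroup is a single word of not more than 15 characters), as an added example that is not part of any message above: a Python check over smb.conf text. The function names, the `dns_domain` argument and the case-insensitive realm comparison are assumptions of this example, and the sample config is constructed from the values quoted in the thread.

```python
import re


def parse_global(conf_text):
    """Return the [global] parameters of smb.conf text as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # normalise case and runs of whitespace in the parameter name
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_naming(conf_text, dns_domain):
    """Return a list of problems; an empty list means the rules hold."""
    p = parse_global(conf_text)
    realm = p.get("realm", "")
    workgroup = p.get("workgroup", "")
    problems = []
    # Assumption: compare ignoring case (the thread writes the realm in capitals)
    if realm.upper() != dns_domain.upper():
        problems.append(f"realm {realm!r} does not match DNS domain {dns_domain!r}")
    if not workgroup or "." in workgroup or " " in workgroup:
        problems.append(f"workgroup {workgroup!r} is not a single word")
    if len(workgroup) > 15:
        problems.append(f"workgroup {workgroup!r} is longer than 15 characters")
    return problems


# Constructed sample: the three values quoted in the thread
SAMPLE = """
[global]
    workgroup = INTERNAL
    realm = EXAMPLE.COM
    netbios name = SAMBA
"""

if __name__ == "__main__":
    for domain in ("example.com", "internal.example.com"):
        print(domain, check_naming(SAMPLE, domain) or "OK")
```

Whether the realm name actually resolves in DNS is not checked here; that needs a live lookup against the domain's DNS server.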