Jonathan S. Fisher
2015-Dec-03 16:06 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
> host -t SRV _ldap._tcp.windows.corp.XXX.com
_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 whiskey.windows.corp.XXX.com.
_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 wine.windows.corp.XXX.com.

> host -t SRV _kerberos._udp.windows.corp.XXX.com
_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 whiskey.windows.corp.XXX.com.
_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 wine.windows.corp.XXX.com.

> host -t A freeradius.windows.corp.XXX.com.
freeradius.windows.corp.XXX.com has address 192.168.127.134

> host -t SRV 192.168.127.134
134.127.168.192.in-addr.arpa domain name pointer freeradius.windows.corp.XXX.com.

I tried the same thing with ".WINDOWS" and it doesn't work of course...

On Thu, Dec 3, 2015 at 7:15 AM, Rowland penny <rpenny at samba.org> wrote:
> On 03/12/15 13:07, Rowland Penny wrote:
>> 2015-12-02 17:27 GMT+01:00 Jonathan S. Fisher <jonathan at springventuregroup.com>:
>>
>> > Great thanks, I'll start digging into that. So your running theory is that
>> > one of the DNS resolution attempts is returning .WINDOWS not .WINDOWS.CORP.XXX.com?
>>
>> I'm not sure, that's your issue, not mine, but you seemed to mean that FQDNs
>> are truncated in some DNS search.
>> At least that's what I understand from your first mail when you wrote:
>>
>> "From Wireshark:
>>
>> Queries
>> _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN
>> Name: _ldap._tcp.pdc._msdcs.WINDOWS"
>>
>> So yes, I would say there is something wrong in the way your DNS requests
>> are forged: they are using the domain name.
>>
>> So, for me, the next question is: does that domain reduction happen on all
>> requests or only those made by Samba?
>>
>> To know that, the point is to avoid Samba.
>>
>> That's why I proposed to proceed with:
>> - some DNS requests -> you said they worked using the three DNS servers you
>> have (the real one, the two from Samba) -> the system does not seem to
>> truncate the requests by itself / always.
>> - some kinit -> kinit with no configuration to force Kerberos servers
>> should send SRV requests to guess how to contact a Kerberos server. You
>> seemed to say kinit was working.
>>
>> Next step, I would change my resolv.conf to put as nameserver in it only
>> your DC, no search, no domain. The point here is to test your DNS from
>> Samba, and in parallel to avoid the main DNS server which uses dnsmasq.
>>
>> And I would then redo all these tests, including those proposed by Rowland.
>>
>> If you don't have truncated requests until there, I would suggest you find
>> something strange in Samba. But as long as you haven't performed all that
>> successfully, I would suggest an issue in your DNS resolving stack.
>>
>> Cheers,
>>
>> mathias
>>
> This is basically what I wanted to find out, does the OP have a problem or
> not; if he answers my post, we may find out and move on from there.
>
> Rowland
Rowland penny
2015-Dec-03 16:26 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 03/12/15 16:06, Jonathan S. Fisher wrote:
> [...]
> I tried the same thing with ".WINDOWS" and it doesn't work of course...

Your DNS appears to be working :-)

Let's move on from there:

Quick recap:
'hostname' should return 'freeradius'
'hostname -d' should return 'windows.corp.xxx.com'
'hostname -f' should return 'freeradius.windows.corp.xxx.com'
'hostname -i' should return '192.168.127.134'

/etc/resolv.conf should contain this:

search windows.corp.xxx.com
nameserver 'ip of first DC'
nameserver 'ip of second DC'

/etc/krb5.conf should contain this:

[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM

smb.conf is set up as per the samba wiki

If you run 'net ads testjoin' it should return 'Join is OK'

If all the above is complied with, running 'sudo net rpc info -UAdministrator' should return something like this:

Domain Name: SAMDOM
Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
Sequence number: 1
Num users: XXX
Num domain groups: XX
Num local groups: XX

If it doesn't, add this line to smb.conf: log level = 10
Restart samba and try again

Rowland
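The two diagnostics the thread converges on, mathias's "do SRV lookups for the realm outside Samba" and Rowland's recap of what hostname, /etc/resolv.conf and /etc/krb5.conf must agree on, can be scripted so the comparison is mechanical rather than eyeballed. The script below is an added example written for this page; it is not code from the thread, from the list posters or from the Samba project. Each function takes captured text as arguments, so it runs offline against the values Jonathan posted (the SRV answers and config files above); the function names, the `self_check` driver and the NXDOMAIN error line for the bare-workgroup lookup are this example's own constructions, and the commented wrapper at the end shows the live calls on a member.

```shell
#!/bin/sh
# Added example for this page (not from the Samba thread or the Samba project).
# Offline consistency checks for an AD member: the realm SRV lookups mathias
# suggests and the hostname/resolv.conf/krb5.conf recap Rowland gives.
# Every function takes captured text as arguments so the checks run on pasted
# output; the commented wrapper at the bottom shows the live calls.

# parse_srv: stdin is `host -t SRV` output; prints "prio weight port target"
# for each answer line and nothing for NXDOMAIN/error lines.
parse_srv() {
    sed -n 's/^.* has SRV record \([0-9][0-9]*\) \([0-9][0-9]*\) \([0-9][0-9]*\) \(.*\)\.$/\1 \2 \3 \4/p'
}

# check_srv REALM PORT HOST_OUTPUT
# Succeeds only if there is at least one SRV record, every record uses PORT,
# and every target is a host under REALM (compared case-insensitively, as DNS
# names are). Querying the bare workgroup name (_ldap._tcp.pdc._msdcs.WINDOWS,
# as in the capture quoted in the thread) yields no records, hence failure.
check_srv() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    port=$2
    records=$(printf '%s\n' "$3" | parse_srv)
    [ -n "$records" ] || { echo "no SRV records for realm $realm" >&2; return 1; }
    while read -r prio weight p target; do
        t=$(printf '%s' "$target" | tr 'A-Z' 'a-z')
        [ "$p" = "$port" ] || { echo "$t: port $p, expected $port" >&2; return 1; }
        case "$t" in
            *."$realm") ;;
            *) echo "$t: SRV target outside realm $realm" >&2; return 1 ;;
        esac
    done <<EOF
$records
EOF
    return 0
}

# check_member_config FQDN RESOLV_CONF KRB5_CONF
# FQDN is `hostname -f`; the other two are file contents. Checks that the
# host's DNS domain is the resolv.conf search domain, that at least one
# nameserver is set, and that default_realm is that domain in upper case
# (Kerberos realm names are case-sensitive, DNS names are not).
check_member_config() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=${fqdn#*.}
    [ "$domain" != "$fqdn" ] || { echo "hostname -f is not fully qualified: $1" >&2; return 1; }
    search=$(printf '%s\n' "$2" | sed -n 's/^search[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1 | tr 'A-Z' 'a-z')
    [ "$search" = "$domain" ] || { echo "resolv.conf search '$search' != '$domain'" >&2; return 1; }
    ns=$(printf '%s\n' "$2" | grep -c '^nameserver' || true)
    [ "$ns" -ge 1 ] || { echo "no nameserver in resolv.conf" >&2; return 1; }
    realm=$(printf '%s\n' "$3" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
    want=$(printf '%s' "$domain" | tr 'a-z' 'A-Z')
    [ "$realm" = "$want" ] || { echo "default_realm '$realm' != '$want'" >&2; return 1; }
    return 0
}

# Values posted in the thread (Jonathan's captured output), used by self_check.
THREAD_FQDN='freeradius.windows.corp.XXX.com'
THREAD_RESOLV='nameserver 192.168.127.129
search windows.corp.XXX.com'
THREAD_KRB5='[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM'
THREAD_LDAP_SRV='_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 whiskey.windows.corp.XXX.com.
_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 wine.windows.corp.XXX.com.'
THREAD_KRB_SRV='_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 whiskey.windows.corp.XXX.com.
_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 wine.windows.corp.XXX.com.'
# Constructed `host` error line for the lookup the Wireshark capture shows
# Samba making: the bare workgroup name, which nothing here can answer.
THREAD_BAD_SRV='Host _ldap._tcp.pdc._msdcs.WINDOWS not found: 3(NXDOMAIN)'

# self_check: run the checks on the thread's values; returns 0 when the good
# values pass and the bare-workgroup lookup is rejected.
self_check() {
    check_member_config "$THREAD_FQDN" "$THREAD_RESOLV" "$THREAD_KRB5" || return 1
    check_srv windows.corp.XXX.com 389 "$THREAD_LDAP_SRV" || return 1
    check_srv windows.corp.XXX.com 88 "$THREAD_KRB_SRV" || return 1
    if check_srv WINDOWS 389 "$THREAD_BAD_SRV" 2>/dev/null; then return 1; fi
    echo "all checks behaved as expected"
    return 0
}

# Live use on the member (not executed here):
#   d=$(hostname -d)
#   check_member_config "$(hostname -f)" "$(cat /etc/resolv.conf)" "$(cat /etc/krb5.conf)"
#   check_srv "$d" 389 "$(host -t SRV "_ldap._tcp.$d")"
#   check_srv "$d" 389 "$(host -t SRV "_ldap._tcp.pdc._msdcs.$d")"
#   check_srv "$d" 88  "$(host -t SRV "_kerberos._udp.$d")"

if [ "${1:-}" = "--demo" ]; then self_check; fi
```

Run it with `sh check-member.sh --demo` to see the thread's values pass. The realm check on SRV targets is the part worth keeping around: when the name being looked up is the NetBIOS workgroup instead of the DNS domain, as in the `_ldap._tcp.pdc._msdcs.WINDOWS` query quoted above, the only way it can ever resolve is through resolver search-list expansion, so whichever domain the search list appends decides which host the member treats as a DC. Keep `search` limited to the AD domain and the nameservers pointed at the DCs, as Rowland's recap has it.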
Jonathan S. Fisher
2015-Dec-03 17:52 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
jonathan.fisher at freeradius:~$ sudo net ads join -Uadministrator
Enter administrator's password:
Using short domain name -- WINDOWS
Joined 'FREERADIUS' to dns domain 'windows.corp.XXX.com'
jonathan.fisher at freeradius:~$ hostname
freeradius
jonathan.fisher at freeradius:~$ hostname -d
windows.corp.XXX.com
jonathan.fisher at freeradius:~$ hostname -f
freeradius.windows.corp.XXX.com
jonathan.fisher at freeradius:~$ hostname -i
192.168.127.134
jonathan.fisher at freeradius:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM
jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.127.129
search windows.corp.XXX.com
jonathan.fisher at freeradius:~$ sudo net ads testjoin
Join is OK
jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
Shutting down SAMBA winbindd : *
Starting SAMBA winbindd : *
Shutting down SAMBA nmbd : *
Starting SAMBA nmbd : *
Shutting down SAMBA smbd : *
Starting SAMBA smbd : *
jonathan.fisher at freeradius:~$ sudo wbinfo -i WINDOWS\\administrator
WINDOWS\administrator:*:4294967295:4294967295:Administrator:/home/WINDOWS/administrator:/bin/false
jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator
Unable to find a suitable server for domain WINDOWS

Sigh. I really appreciate you guys' help. I know this thread is starting to drone on.

On Thu, Dec 3, 2015 at 10:26 AM, Rowland penny <rpenny at samba.org> wrote:
> [...]