You believe that SSSD is bypassing Samba entirely and going direct to Kerberos? That's possible. At the moment, to the best of my understanding, Samba is only being used to join the domain. There are no file/printer/etc. shares happening; this is just basic domain join/membership and keytab generation, and after that it's done.

The question was still specific to Samba itself: can I specify the DCs used rather than rely on dynamic lookup via DNS?

On 8/23/16, 2:19 PM, "samba on behalf of Rowland Penny via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:

> On Tue, 23 Aug 2016 13:01:09 -0700
> Sean via samba <samba at lists.samba.org> wrote:
>
> > Is it possible to specify a list of DCs for Samba to use, rather than have it look them up dynamically via DNS?
> >
> > I have an issue with Kerberos, Samba, and SSSD where my machines stop authenticating after a period of time – preAuthentication errors, etc. I suspect it's because of a "DC mismatch" between the three. Because we have numerous DCs all over the world, I specifically configure krb5.conf and sssd.conf to point to local DCs rather than allow them to be selected via DNS - examples below. This speeds up the authentication process; I have local access should the local DCs drop offline, so I'm not worried about cross-site/remote-site redundancies.
> >
> > Samba appears to use "realm =" to perform DNS lookups, which are logged during my `net ads join` as `ads_dns_parse_rr_srv` messages. From the log, I can see Samba parsing numerous DCs, some local, some remote.
> >
> > internal_resolve_name: looking up example.domain.com#dcdc (sitename (null))
> > resolve_ads: Attempting to resolve KDCs for example.domain.com using DNS
> > ads_dns_lookup_srv: 13 records returned in the answer section.
> > ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote01-dc02.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote02-dc01.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote02-dc03.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote03-dc01.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote03-dc02.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote04-dc01.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote04-dc02.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote05-dc01.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed remote05-dc02.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]
> > ads_dns_parse_rr_srv: Parsed dc03.example.domain.com [0, 100, 88]
> > remove_duplicate_addrs2: looking for duplicate address/port pairs
> > internal_resolve_name: returning 13 addresses: <bunch_of_ips>
> > Adding 13 DC's from auto lookup
> >
> > We do not allow LDAP pings through our remote firewalls, so the join/authentication process stalls while these time out, until it finds a local DC in the list that responds. Once it hits a local DC, the process picks back up. This presents a problem because the initial DNS lookup doesn't always appear to resolve the entire list of DCs. Sometimes I see five DCs returned, sometimes more than ten. It could be possible for Samba to resolve five DCs that it cannot reach.
> >
> > I can't fix the DNS problem since it's outside of my scope and would affect the larger corporate environment. I'm more or less forced to work around any limitations or issues found there. I tried to use "password server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com," but it did not affect Samba's behavior. I've parsed the manual for smb.conf (https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html) and haven't found another option to point to specific DCs, if it's even possible.
> >
> > Is this the correct approach? Is it possible? Is there a work-around?
> >
> > What I suspect is that because Kerberos and sssd use dc01 thru dc03 and samba uses whatever it finds via DNS, it may be possible for me to have some kind of DC mismatch when my machine credentials are refreshed. Does that sound crazy?
> >
> > I'm still getting used to working with Kerberos + Samba + SSSD, so please excuse my ignorance. I've picked this apart for several days and have reached a point where I'm stuck. I would be obscenely happy if there was someone on the list with more experience in this area than I have that could point me in the right direction on either issue.
> >
> > /etc/krb5.conf
> >
> > [libdefaults]
> > default_realm = EXAMPLE.DOMAIN.COM
> >
> > [realms]
> > EXAMPLE.DOMAIN.COM = {
> >   default_domain = example.domain.com
> >   kdc = dc01.example.domain.com
> >   kdc = dc02.example.domain.com
> >   kdc = dc03.example.domain.com
> >   admin_server = dc01.example.domain.com
> > }
> >
> > /etc/samba/smb.conf
> >
> > [global]
> > workgroup = SHORT-NAME
> > client signing = yes
> > client use spnego = yes
> > kerberos method = secrets and keytab
> > realm = EXAMPLE.DOMAIN.COM
> > security = ads
> >
> > /etc/sssd/sssd.conf
> >
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = EXAMPLE.DOMAIN.COM
> >
> > [nss]
> >
> > [pam]
> >
> > [domain/EXAMPLE.DOMAIN.COM]
> > id_provider = ad
> > access_provider = ad
> > ad_domain = example.domain.com
> > ad_server = dc01.example.domain.com, dc02.example.domain.com, dc03.example.domain.com
> >
> > default_shell = /bin/bash
> > override_homedir = /home/%u
>
> Can I point out that because you are using sssd, that is what is doing your authentication and Samba isn't. So winbind will ignore anything you put in smb.conf; this is because you are not using winbind.
>
> sssd is not part of Samba.
>
> Have you tried asking the sssd users mailing list?
>
> Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
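The `ads_dns_parse_rr_srv` lines and the krb5.conf/sssd.conf stanzas quoted above can be cross-checked mechanically to see where the suspected "DC mismatch" actually lies: which DCs Samba's DNS lookup returned that neither krb5.conf nor sssd.conf pins (the ones the join will stall on behind the firewall), which pinned DCs DNS failed to return this time, and whether the two pinned lists even agree. The following Python script is an added example, not code from the thread or from Samba/SSSD; its log and config samples are constructed to mirror the quoted ones, with one remote DC and dc03 left out of the DNS answer so that every category is exercised.

```python
"""Cross-check the DCs Samba found via DNS SRV lookup against the DCs pinned
in krb5.conf and sssd.conf.  Added example; not code from the thread."""
import re
from configparser import ConfigParser

# Constructed samples modelled on the thread's quotes: 3 SRV records instead
# of 13, one of them a remote DC, and dc03 missing from this DNS answer.
SAMBA_LOG = """\
ads_dns_lookup_srv: 3 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88]
ads_dns_parse_rr_srv: Parsed dc01.example.domain.com [0, 100, 88]
"""
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.DOMAIN.COM
[realms]
EXAMPLE.DOMAIN.COM = {
  kdc = dc01.example.domain.com
  kdc = dc02.example.domain.com
  kdc = dc03.example.domain.com
  admin_server = dc01.example.domain.com
}
"""
SSSD_CONF = """\
[domain/EXAMPLE.DOMAIN.COM]
id_provider = ad
ad_server = dc01.example.domain.com, dc02.example.domain.com,
  dc03.example.domain.com
"""
SRV_LINE = re.compile(r"ads_dns_parse_rr_srv: Parsed (\S+) \[(\d+), (\d+), (\d+)\]")

def parse_samba_srv_log(log):
    """(host, priority, weight, port) for every SRV record Samba parsed."""
    return [(h, int(p), int(w), int(port)) for h, p, w, port in SRV_LINE.findall(log)]

def parse_krb5_kdcs(text, realm):
    """The kdc = hosts inside the `REALM = { ... }` block of krb5.conf."""
    m = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", text, re.S)
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", m.group(1), re.M) if m else []

def parse_sssd_ad_servers(text, realm):
    """The ad_server list of [domain/REALM]; it may wrap onto indented lines."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("domain/" + realm, "ad_server", fallback="")
    return [s for s in re.split(r"[,\s]+", raw) if s]

def dc_mismatch(log, krb5_text, sssd_text, realm):
    """Classify DCs against the two pinned lists (only port-88 KDC records)."""
    dns_dcs = {h for h, _p, _w, port in parse_samba_srv_log(log) if port == 88}
    kdcs = set(parse_krb5_kdcs(krb5_text, realm))
    ad_servers = set(parse_sssd_ad_servers(sssd_text, realm))
    return {
        "dns_only": sorted(dns_dcs - kdcs - ad_servers),
        "pinned_not_in_dns": sorted((kdcs | ad_servers) - dns_dcs),
        "krb5_sssd_disagree": sorted(kdcs ^ ad_servers),
    }

if __name__ == "__main__":
    for k, v in dc_mismatch(SAMBA_LOG, KRB5_CONF, SSSD_CONF, "EXAMPLE.DOMAIN.COM").items():
        print(f"{k}: {', '.join(v) or '(none)'}")
```

Run against a real `net ads join -d 10` log and the live config files, a non-empty `dns_only` list is exactly the set of DCs Samba will try to contact that the pinned configuration never intended it to use.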
This doesn't really answer your question, but it already looks like you're using SSSD for authentication, and specifying local DC's (instead of DNS lookups). Why not bind to AD directly with that? Using realmd/adcli makes it easy, and with a minimal samba installation (libs only).

-Kris

Kris Lou
klou at themusiclink.net

On Tue, Aug 23, 2016 at 2:47 PM, Sean via samba <samba at lists.samba.org> wrote:

> The question was still specific to Samba itself: can I specify the DCs used rather than rely on dynamic lookup via DNS?
I found adcli a little too late; I plan to use it in the future, but for the time being I just deployed 16 VMs using Samba, so we're going to keep that for now!

Also, the rest of what I wrote can be disregarded – I figured out exactly why my hosts were failing to authenticate after a period of time. It's too stupid to admit publicly.

On 8/23/16, 3:50 PM, "samba on behalf of Kris Lou via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:

> This doesn't really answer your question, but it already looks like you're using SSSD for authentication, and specifying local DC's (instead of DNS lookups). Why not bind to AD directly with that? Using realmd/adcli makes it easy, and with a minimal samba installation (libs only).
>
> -Kris