Hello! Robert Marcano via samba
  On that day it was said...

> Yes, check the documentation of krb5.conf.

Ahem, 'apt-get install krb5-doc' misses. ;-)

> In summary you will need to
> disable dns_canonicalize_hostname, dns_lookup_kdc, etc. if enabled and set
> your admin and kdc hostnames there, something like:

How can I determine kdc and master_kdc values? All DC servers are KDC
and the FSMO role is master_kdc?

-- 
dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On 05/30/2018 11:02 AM, Marco Gaiarin via samba wrote:
> Hello! Robert Marcano via samba
>   On that day it was said...
>
>> Yes, check the documentation of krb5.conf.
>
> Ahem, 'apt-get install krb5-doc' misses. ;-)
>
>> In summary you will need to
>> disable dns_canonicalize_hostname, dns_lookup_kdc, etc. if enabled and set
>> your admin and kdc hostnames there, something like:
>
> How can I determine kdc and master_kdc values? All DC servers are KDC
> and the FSMO role is master_kdc?
>

I wonder if you can choose the master as the more robust (HW and SW) of your DCs, no idea.

On a non-AD Kerberos realm you can get from DNS, for example:

    dig +short _kerberos._udp.example.com srv
    dig +short _kerberos-master._udp.example.com srv

both values, but the last one doesn't show on my Samba AD domain (single server).

My installations of Samba as an AD DC are containerized and single server (for now), so I don't know if _kerberos-master._udp doesn't show because there is only one DC or if Samba doesn't set up that record.
Hello! Robert Marcano via samba
  On that day it was said...

Sorry for the late answer.

> I wonder if you can choose the master as the more robust (HW and SW) of your
> DCs, no idea.

Seems that also the krb5.conf manpage suggests that, e.g. 'master' is only a
fallback KDC.

> On a non-AD Kerberos realm you can get from DNS, for example:
>     dig +short _kerberos._udp.example.com srv
>     dig +short _kerberos-master._udp.example.com srv
> both values, but the last one doesn't show on my Samba AD domain (single
> server).
> My installations of Samba as an AD DC are containerized and single server
> (for now), so I don't know if _kerberos-master._udp doesn't show because
> there is only one DC or if Samba doesn't set up that record.

I confirm, samba does not set up that record, also on a multi-DC setup:

    root@vdcsv1:~# dig +short _kerberos._udp.ad.fvg.lnf.it srv
    0 100 88 vdcsv1.ad.fvg.lnf.it.
    0 100 88 vdcpp2.ad.fvg.lnf.it.
    0 100 88 vdcpp1.ad.fvg.lnf.it.
    0 100 88 vdcsv2.ad.fvg.lnf.it.
    0 100 88 vdctms1.ad.fvg.lnf.it.
    0 100 88 vdcud1.ad.fvg.lnf.it.
    root@vdcsv1:~# dig +short _kerberos-master._udp.ad.fvg.lnf.it srv

thanks!

-- 
dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
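
Added example, not part of any message in this thread and not Samba's or MIT Kerberos's own tooling: a shell function that turns the `dig +short ... srv` output shown above into a static krb5.conf fragment with DNS KDC lookup disabled, leaving master_kdc out when the _kerberos-master query returns nothing. The function names, the upper-cased realm name AD.FVG.LNF.IT and the choice of vdcsv1 as admin_server are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; function and argument names are illustrative.
# srv_to_realm REALM ADMIN_HOST [MASTER_SRV_TEXT]
#   stdin: output of `dig +short _kerberos._udp.<domain> srv`
#          (one "priority weight port target." record per line)
srv_to_realm() {
    realm=$1; admin=$2; master_srv=${3:-}
    printf '[libdefaults]\n'
    printf '    default_realm = %s\n' "$realm"
    # Static KDC list: no SRV lookups when tickets are requested.
    printf '    dns_lookup_kdc = false\n'
    printf '    dns_canonicalize_hostname = false\n\n'
    printf '[realms]\n    %s = {\n' "$realm"
    # Lowest SRV priority first; weight is ignored, name breaks ties.
    LC_ALL=C sort -k1,1n -k4,4 | awk 'NF == 4 && $3 ~ /^[0-9]+$/ {
        host = $4; sub(/\.$/, "", host)   # drop the trailing root dot
        printf "        kdc = %s:%s\n", host, $3 }'
    # The thread reports no _kerberos-master record on Samba AD, so this
    # text is often empty; master_kdc is then left out, not guessed.
    printf '%s\n' "$master_srv" | awk 'NF == 4 {
        host = $4; sub(/\.$/, "", host)
        printf "        master_kdc = %s:%s\n", host, $3; exit }'
    printf '        admin_server = %s\n    }\n' "$admin"
}

# The six SRV records quoted in the thread for ad.fvg.lnf.it.
sample_srv() {
    cat <<'EOF'
0 100 88 vdcsv1.ad.fvg.lnf.it.
0 100 88 vdcpp2.ad.fvg.lnf.it.
0 100 88 vdcpp1.ad.fvg.lnf.it.
0 100 88 vdcsv2.ad.fvg.lnf.it.
0 100 88 vdctms1.ad.fvg.lnf.it.
0 100 88 vdcud1.ad.fvg.lnf.it.
EOF
}

# Assumed realm name and admin_server; empty third argument mirrors the
# empty _kerberos-master answer shown in the thread.
sample_srv | srv_to_realm AD.FVG.LNF.IT vdcsv1.ad.fvg.lnf.it ""
```

With live data, pipe the real `dig +short _kerberos._udp.<domain> srv` output into `srv_to_realm` and review the generated fragment before merging it into /etc/krb5.conf.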