John Clendenen
2019-Nov-22 17:18 UTC
[Samba] Testparm Creating Sock File? and Missing Service Records
Hi,

I'm experiencing an issue with selinux blocking Samba on Fedora when bind interfaces only is set. Based on the selinux logs, it is attempting to create a sock file in /var/lib/samba/private/msg.sock/.

We are wondering why testparm is using a sock file, or if this is unexpected behavior.

Link to ticket below:

https://bugzilla.redhat.com/show_bug.cgi?id=1768656

------------------------------

Additionally, I have found that DNS (BIND DLZ in my case) is missing kerberos udp service records, at least in Fedora's Samba AD packages. I assume it's an upstream issue with Samba, but I can open a ticket with Fedora if that's more appropriate.

After adding the following records, I am able to bind clients more reliably as well as establish trust with IPA.

    samba-tool dns add 127.0.0.1 _msdcs."$(hostname -d)" _kerberos._udp.dc SRV "$(hostname -f) 88 0 100"
    samba-tool dns add 127.0.0.1 _msdcs."$(hostname -d)" _kerberos._udp."${SITE}"._sites.dc SRV "$(hostname -f) 88 0 100"
Rowland Penny
2019-Nov-22 17:39 UTC
[Samba] Testparm Creating Sock File? and Missing Service Records
On 22/11/2019 17:18, John Clendenen via samba wrote:
> Hi,
>
> I'm experiencing an issue with selinux blocking Samba on Fedora when bind
> interfaces only is set. Based on the selinux logs, it is attempting to
> create a sock file in /var/lib/samba/private/msg.sock/.
>
> We are wondering why testparm is using a sock file, or if this is
> unexpected behavior.
>
> Link to ticket below:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1768656
> ------------------------------
>
> Additionally, I have found that DNS (BIND DLZ in my case) is missing
> kerberos udp service records, at least in Fedora's Samba AD packages. I
> assume it's an upstream issue with Samba, but I can open a ticket with
> Fedora if that's more appropriate.
>
> After adding the following records, I am able to bind clients more reliably
> as well as establish trust with IPA.
>
> samba-tool dns add 127.0.0.1 _msdcs."$(hostname -d)" _kerberos._udp.dc
> SRV "$(hostname -f) 88 0 100"
> samba-tool dns add 127.0.0.1 _msdcs."$(hostname -d)"
> _kerberos._udp."${SITE}"._sites.dc SRV "$(hostname -f) 88 0 100"

Two things wrong here: using the Fedora packages to provision a Samba AD DC results in the use of MIT for kerberos, and using MIT is still experimental.

The other thing is that Selinux has nothing to do with Samba and you will need to configure it to work with Samba. We have a couple of wikipages that refer to Selinux, but they may need updating, so any help you can give us here will be much appreciated.

Rowland