thr3ads.net - samba - [Samba] Samba DNS Accounts [Feb 2021]

If this information is useful, please help other people find it:
Share via:

Rowland penny

2021-Feb-04 17:14 UTC

[Samba] Samba DNS Accounts

On 04/02/2021 16:30, Bo Kersey wrote:> Actually, based on some of my working servers, the dns record should be:
>
DC=ad01,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> However, this is what I'm seeing:
> dn:
DC=ad01.,DC=example.info,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM
> dn:
DC=ad01.samdom,DC=EXAMPLE.COM,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM

Not good, what is updating the records in AD ?
>
> I'm thinking the problem is that the workgroup is set to EXAMPLE
instead of SAMDOM - smb.conf below

Whilst it is common practise to name the workgroup after the lefthand 
part of the realm, it isn't mandatory, in fact you can call it anything, 
as long as it isn't more than 15 characters long, so EXAMPLE is ok.

>
> [global]
> 	ldap server require strong auth = allow_sasl_over_tls
> 	passdb backend = samba_dsdb
> 	realm = SAMDOM.EXAMPLE.COM
> 	server role = active directory domain controller
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
> 	template shell = /bin/bash
> 	tls verify peer = no_check
> 	usershare path > 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind nss info = rfc2307
> 	winbind offline logon = Yes
> 	winbind use default domain = Yes
> 	workgroup = EXAMPLE
> 	rpc_daemon:spoolssd = embedded
> 	rpc_server:spoolss = embedded
> 	idmap_ldb:use rfc2307 = yes
> 	winbindd:use external pipes = true
> 	rpc_server:default = external
> 	rpc_server:svcctl = embedded
> 	rpc_server:srvsvc = embedded
> 	rpc_server:eventlog = embedded
> 	rpc_server:ntsvcs = embedded
> 	rpc_server:winreg = embedded
> 	rpc_server:tcpip = no
> 	idmap config * : backend = tdb
> 	map archive = No
> 	vfs objects = dfs_samba4 acl_xatt

Can I suggest you remove the 'winbind lines, they do nothing on a Samba DC.

Rowland

Bo Kersey

2021-Feb-04 17:19 UTC

head link

[Samba] Samba DNS Accounts

Nothing is updating samba DNS....

dns_tkey_gssnegotiate: TKEY is unacceptable

the SPN name in the dns-dc01 record does not match any of the entries in klist
-k /var/lib/samba/bind-dns/dns.keytab


Bo Kersey 
VirCIO - managed network solutions 
4314 Avenue C 
Austin, TX 78751 
phone: (512)374-0500 

In theory there is no difference between theory and practice.  In practice,
there is.

----- Original Message -----> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Thursday, February 4, 2021 11:14:04 AM
> Subject: Re: [Samba] Samba DNS Accounts
> On 04/02/2021 16:30, Bo Kersey wrote:
>> Actually, based on some of my working servers, the dns record should
be:
>>
DC=ad01,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> However, this is what I'm seeing:
>> dn:
>>
DC=ad01.,DC=example.info,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM
>> dn:
>>
DC=ad01.samdom,DC=EXAMPLE.COM,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SAMDOM,DC=EXAMPLE,DC=COM
> 
> 
> Not good, what is updating the records in AD ?
> 
>>
>> I'm thinking the problem is that the workgroup is set to EXAMPLE
instead of
>> SAMDOM - smb.conf below
> 
> 
> Whilst it is common practise to name the workgroup after the lefthand
> part of the realm, it isn't mandatory, in fact you can call it
anything,
> as long as it isn't more than 15 characters long, so EXAMPLE is ok.
> 
> 
>>
>> [global]
>> 	ldap server require strong auth = allow_sasl_over_tls
>> 	passdb backend = samba_dsdb
>> 	realm = SAMDOM.EXAMPLE.COM
>> 	server role = active directory domain controller
>> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd,
>> 	ntp_signd, kcc, dnsupdate
>> 	template shell = /bin/bash
>> 	tls verify peer = no_check
>> 	usershare path >> 	winbind enum groups = Yes
>> 	winbind enum users = Yes
>> 	winbind nss info = rfc2307
>> 	winbind offline logon = Yes
>> 	winbind use default domain = Yes
>> 	workgroup = EXAMPLE
>> 	rpc_daemon:spoolssd = embedded
>> 	rpc_server:spoolss = embedded
>> 	idmap_ldb:use rfc2307 = yes
>> 	winbindd:use external pipes = true
>> 	rpc_server:default = external
>> 	rpc_server:svcctl = embedded
>> 	rpc_server:srvsvc = embedded
>> 	rpc_server:eventlog = embedded
>> 	rpc_server:ntsvcs = embedded
>> 	rpc_server:winreg = embedded
>> 	rpc_server:tcpip = no
>> 	idmap config * : backend = tdb
>> 	map archive = No
>> 	vfs objects = dfs_samba4 acl_xatt
> 
> 
> Can I suggest you remove the 'winbind lines, they do nothing on a Samba
DC.
> 
> Rowland
> 
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

samba - Feb 2021 - Samba DNS Accounts

[Samba] Samba DNS Accounts

[Samba] Samba DNS Accounts