On Mon, 2022-07-11 at 08:23 +0200, Jonathan Neuhauser via samba wrote:
> Dear Samba list,
>
> I noticed that the recommendation for the "name resolve order"
> parameter for security = ads, namely "wins bcast", breaks everything
> on my test domain client (Rowland Penny asked me to post this issue
> on the mailing list to exclude misconfiguration on my part).
>
> samba --version: Version 4.13.17-Ubuntu, Ubuntu 20.04 LTS,
> uname -r: 5.13.0-52-generic
>
> Here's my smb.conf as shown by testparm (realm replaced by
> EXAMPLE.ORG):
>
> [global]
> kerberos method = system keytab
> log file = /var/log/samba/log.%m
> logging = file
> log level = 3
> map to guest = Bad User
> max log size = 1000
> ntlm auth = ntlmv2-only
> panic action = /usr/share/samba/panic-action %d
> realm = EXAMPLE.ORG
> security = ADS
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = EXAMPLE
> idmap config example : unix_primary_group = yes
> idmap config example : schema_mode = rfc2307
> idmap config example : unix_nss_info = yes
> idmap config example : range = 8000 - 9999999
> idmap config example : backend = ad
> idmap config * : range = 3000 - 7999
> idmap config * : backend = tdb
>
> and krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.ORG
> kdc_timesync = 1
> ccache_type = 4
> forward = true
> forwardable = true
> proxiable = true
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> With this setting, wbinfo -i username as well as wbinfo -i
> "EXAMPLE\username" works fine and shows correct uid/gid and home
> directory, and domain integration works mostly fine - including PAM
> & NSS integration and graphical login, as well as Kerberos access to
> shares hosted by this machine. So thanks to the samba team for
> providing a great tool!
>
> If I additionally set
>
> name resolve order = wins bcast
>
> wbinfo -P shows
>
> checking the NETLOGON for domain[EXAMPLE] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
>
> wbinfo -i username or wbinfo -i "EXAMPLE\username"
>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user username
>
> I can resolve the SRV records: host -t SRV _ldap._tcp.example.org
> still shows the available domain controllers.
>
> It is from these observations that I filed bug
> https://bugzilla.samba.org/show_bug.cgi?id=15117, but maybe there's
> an issue with my configuration as shown above. I'll also provide
> further logs on request.
>
> Thanks in advance,
>
> Jonathan

Hi Jonathan, thanks for posting your smb.conf, which doesn't really
have anything wrong with it.

I have tried 'wbinfo -P' & 'wbinfo -i' on two machines, one running
4.15.7 with the 'ad' backend and 4.13.3 with the 'rid' backend. Both
succeed.

What is different between your set up and mine is krb5.conf, so can
you try this one:

[libdefaults]
default_realm = EXAMPLE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true

Rowland
Jonathan Neuhauser
2022-Jul-11 08:17 UTC
[Samba] name resolve order parameter for security=ads
Dear Rowland,

thanks for your response! I've tried your krb5.conf without better
results. However I noticed that this time after enabling
"name resolve order = wins bcast" and restarting winbind, the error
doesn't occur immediately, but requires a restart of the machine
(however afterwards, the errors are the same as in my original
email). Does this make a difference for you?

Jonathan

On 11.07.22 09:30, Rowland Penny via samba wrote:
> On Mon, 2022-07-11 at 08:23 +0200, Jonathan Neuhauser via samba wrote:
>> Dear Samba list,
>>
>> I noticed that the recommendation for the "name resolve order"
>> parameter for security = ads, namely "wins bcast", breaks everything
>> on my test domain client. [...]
>>
>> samba --version: Version 4.13.17-Ubuntu, Ubuntu 20.04 LTS,
>> uname -r: 5.13.0-52-generic
>>
> What is different between your set up and mine is krb5.conf, so can
> you try this one:
>
> [libdefaults]
> default_realm = EXAMPLE.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Rowland
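The setting at the centre of this thread, "name resolve order = wins bcast", differs from the smb.conf(5) default "lmhosts wins host bcast" in that it drops "host", the only method in the list that goes through the system resolver (/etc/hosts, NIS, DNS). The checker below is an added example, not code from the thread or from the Samba project: it parses testparm-style smb.conf text (including the "idmap config example : range" style keys from the quoted config), works out the effective resolve order, and reports when an ADS member has no "host" method. The sample configuration is constructed from the quoted [global] section with the extra line added; whether the missing "host" method is what causes the WBC_ERR_DOMAIN_NOT_FOUND in this thread is not established here, so the finding is phrased as a configuration observation, not a diagnosis.

```python
import re

# Constructed sample: a trimmed copy of the [global] section quoted in the
# thread, printed the way testparm does, plus the line that triggers the
# reported failure.
SAMPLE_SMB_CONF = """\
[global]
\tkerberos method = system keytab
\tname resolve order = wins bcast
\trealm = EXAMPLE.ORG
\tsecurity = ADS
\tworkgroup = EXAMPLE
\tidmap config example : range = 8000 - 9999999
\tidmap config example : backend = ad
\tidmap config * : range = 3000 - 7999
\tidmap config * : backend = tdb
"""

# Default value of "name resolve order" according to smb.conf(5).
DEFAULT_RESOLVE_ORDER = ("lmhosts", "wins", "host", "bcast")
KNOWN_METHODS = set(DEFAULT_RESOLVE_ORDER)


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed so that
    "Name Resolve Order" and "name resolve order" compare equal. Comment
    lines (# or ;) and blank lines are skipped; the first "=" splits key
    from value, so "idmap config example : range" stays a single key.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any section, or malformed line: ignore
        key, value = line.split("=", 1)
        key = " ".join(key.split()).lower()
        sections[current][key] = value.strip()
    return sections


def resolve_order(conf):
    """Return the effective "name resolve order" method list for [global]."""
    value = conf.get("global", {}).get("name resolve order")
    if value is None:
        return list(DEFAULT_RESOLVE_ORDER)
    return value.lower().split()


def check_resolve_order(conf):
    """Return human-readable findings about name resolution settings.

    Flags unknown method names, and, for security = ADS, an order that
    omits "host" (the method that consults the system resolver, i.e. the
    only one of the four that can use DNS).
    """
    findings = []
    glob = conf.get("global", {})
    order = resolve_order(conf)
    unknown = [m for m in order if m not in KNOWN_METHODS]
    if unknown:
        findings.append(
            "unknown name resolve order method(s): " + ", ".join(unknown)
        )
    if glob.get("security", "").lower() == "ads" and "host" not in order:
        findings.append(
            "security = ADS but 'host' is not in name resolve order "
            "(" + " ".join(order) + "): the system resolver (DNS) is not "
            "consulted for NetBIOS-style name lookups"
        )
    return findings


if __name__ == "__main__":
    for finding in check_resolve_order(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

To run it against a live host, feed it the output of "testparm -s" instead of SAMPLE_SMB_CONF; the parser only looks at [global], so per-share sections are ignored.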