I'm running a debug script from this site (Dated 16 Aug 2019, created and
maintained by Rowland Penny and Louis van Belle). The script obtains the Linux
server DOMAIN by running "hostname -d" which returns
"mycorp.com". Next the script runs
nslookup -type=SRV _kerberos._tcp.mycorp.com
which fails
** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN
and the script exits. However, this command does return the Windows KDC
servers -
nslookup -type=SRV _kerberos._tcp.wgname.ad.mycorp.com
We only have one domain and I have no idea why it was set up this way. (I did
modify the script to find the KDCs). Begs the question: Since the script
fails, how can I verify Kerberos is working properly with Samba? Running
kinit -V Administrator@WGNAME.AD.MYCORP.COM
returns:
Authenticated to Kerberos v5
And klist commands show tickets with today's date. We are running CentOS 7,
samba-4.10.16-20.el7_9.x86_64
wbinfo -t/-u/-g runs successfully as does wbinfo --getdcname MYCORP
No problems so far other than "net ads join" fails, have to use
"realm join" instead which messes up smb.conf
smb.conf
[global]
kerberos method = system keytab
log level = 3
max log size = 5000
log file = /var/log/samba/log.%h.%m
template homedir = /home/%U@%D
template shell = /bin/bash
security = ads
realm = WGNAME.AD.MYCORP.COM
idmap config MYCORP : range = 1000-2999999
idmap config MYCORP : backend = ad
idmap config MYCORP : schema_mode = rfc2307
idmap config MYCORP : unix_primary_group = yes
idmap config MYCORP : unix_nss_info = yes
idmap config * : range = 3000000-39999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
workgroup = WGNAME
kpasswd port = 0
krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /etc/krb5.conf.d
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = WGNAME.AD.MYCORP.COM
dns_lookup_kdc = true
[realms]
WGNAME.AD.MYCORP.COM = {
}
[domain_realm]
wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
.wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
Thanks,
Jim Brand
On 05/01/2023 22:45, Jim Brand via samba wrote:
> I'm running a debug script from this site (Dated 16 Aug 2019, created and
> maintained by Rowland Penny and Louis van Belle). The script obtains the Linux
> server DOMAIN by running "hostname -d" which returns "mycorp.com". Next the
> script runs
>
> nslookup -type=SRV _kerberos._tcp.mycorp.com
>
> which fails
>
> ** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN
>
> and the script exits. However, this command does return the Windows KDC
> servers -
>
> nslookup -type=SRV _kerberos._tcp.wgname.ad.mycorp.com
>
> We only have one domain and I have no idea why it was set up this way. (I did
> modify the script to find the KDCs). Begs the question: Since the script
> fails, how can I verify Kerberos is working properly with Samba? Running

As 'hostname -d' is returning 'mycorp.com' it would seem that is the dns
domain your computer is in. 'mycorp.com' != 'wgname.ad.mycorp.com' (which
appears to be the dns domain of your DC) and Samba does not do subdomains or,
to put it another way, your clients have to be in the same dns domain as your
DCs.

> kinit -V Administrator@WGNAME.AD.MYCORP.COM
> returns:
> Authenticated to Kerberos v5

More proof that you have it wrong.

> And klist commands show tickets with today's date. We are running CentOS 7,
> samba-4.10.16-20.el7_9.x86_64

That is a very old version of Samba.

> wbinfo -t/-u/-g runs successfully as does wbinfo --getdcname MYCORP

That does surprise me.

> No problems so far other than "net ads join" fails, have to use
> "realm join" instead which messes up smb.conf

You shouldn't use 'realm' with Samba.

> smb.conf
> [global]
> kerberos method = system keytab
> log level = 3
> max log size = 5000
> log file = /var/log/samba/log.%h.%m
> template homedir = /home/%U@%D
> template shell = /bin/bash
> security = ads
> realm = WGNAME.AD.MYCORP.COM

As the realm is the dns domain in uppercase, your realm should be
'MYCORP.COM', which would fail because it doesn't exist.

> idmap config MYCORP : range = 1000-2999999
> idmap config MYCORP : backend = ad
> idmap config MYCORP : schema_mode = rfc2307
> idmap config MYCORP : unix_primary_group = yes
> idmap config MYCORP : unix_nss_info = yes
> idmap config * : range = 3000000-39999999

Why such high numbers?

> idmap config * : backend = tdb
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> workgroup = WGNAME

Another problem there, the 'idmap config' lines should be using the workgroup
'WGNAME', but they seem to be using 'MYCORP', why?

> kpasswd port = 0

I have never changed that port, why have you?

> krb5.conf
> # Configuration snippets may be placed in this directory as well
> includedir /etc/krb5.conf.d/
>
> includedir /etc/krb5.conf.d

Samba does not like the 'includedir' line, I would remove it.

> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> default_ccache_name = KEYRING:persistent:%{uid}
> default_realm = WGNAME.AD.MYCORP.COM

It might be set as the default realm, but on this machine (at present) it is
wrong.

> dns_lookup_kdc = true
>
> [realms]
> WGNAME.AD.MYCORP.COM = {
> }
> [domain_realm]
> wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
> .wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
>

Rowland
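As an added example, not from this thread, not the debug script Jim refers to, and not Samba project code, the script below turns the two points raised in the exchange into checks a member server can run: the realm is taken from smb.conf and krb5.conf rather than from `hostname -d`, the host is expected to sit in the realm's DNS domain, the Kerberos and LDAP SRV records are looked up under the realm, and every `idmap config` label is compared with the workgroup. The paths /etc/samba/smb.conf and /etc/krb5.conf, the use of dig(1) from bind-utils for the live lookup, and the sample smb.conf, krb5.conf and SRV answer embedded in the script are assumptions; the samples are constructed to mirror the configuration in the thread, not copied from it.

```shell
#!/bin/sh
# Added example (not from the samba list thread or the Samba project): check
# that a Samba AD member's DNS domain, smb.conf realm and krb5.conf default_realm
# agree, that the idmap labels use the workgroup, and that the KDC/LDAP SRV
# records are looked up under the realm rather than under `hostname -d`.
# Run with --live on a real member (needs dig from bind-utils); without it, a
# constructed sample is used. Paths and sample data below are assumptions.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# conf_value KEY: print the value of "KEY = value" from an ini-style config on
# stdin (smb.conf or krb5.conf), case-insensitive, comments and [sections] skipped.
conf_value() {
    awk -F '=' -v key="$1" '
        /^[[:space:]]*[#;\[]/ { next }
        {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# realm_consistent HOST_DOMAIN SMB_REALM KRB5_REALM: 0 if all three agree
# ignoring case, else 1 with one line per disagreement.
realm_consistent() {
    status=0
    [ "$(lower "$2")" = "$(lower "$3")" ] ||
        { echo "smb.conf realm '$2' != krb5.conf default_realm '$3'"; status=1; }
    [ "$(lower "$1")" = "$(lower "$2")" ] ||
        { echo "hostname -d '$1' != realm '$2': host is not in the DCs' DNS domain"; status=1; }
    return $status
}

# idmap_label_mismatch WORKGROUP: read smb.conf on stdin and report every
# "idmap config <LABEL> : ..." whose LABEL is neither "*" nor WORKGROUP.
idmap_label_mismatch() {
    bad=$(awk -F ':' -v wg="$(lower "$1")" '{
        l = $1; sub(/^[[:space:]]+/, "", l)
        if (tolower(l) !~ /^idmap config /) next
        sub(/^[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+/, "", l)
        sub(/[[:space:]]+$/, "", l)
        if (l != "*" && tolower(l) != wg && !seen[l]++) print l }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed "s/^/idmap config label '/; s/\$/' does not match workgroup '$1'/"
    return 1
}

# srv_targets: parse `dig +short SRV` lines ("prio weight port target.") on
# stdin into "target:port", lowest priority number first, heaviest weight first.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, -$2, $4 ":" $3 }' |
        sort -k1,1n -k2,2n | awk '{ print $3 }'
}

# srv_check REALM: resolve the Kerberos and LDAP SRV records for REALM with dig(1).
srv_check() {
    realm=$(lower "$1")
    for rec in "_kerberos._tcp.$realm" "_ldap._tcp.$realm"; do
        hosts=$(dig +short SRV "$rec" | srv_targets)
        [ -n "$hosts" ] || { echo "no SRV answer for $rec (NXDOMAIN?)"; return 1; }
        echo "$rec:"; printf '%s\n' "$hosts" | sed 's/^/  /'
    done
}

# Constructed sample mirroring the thread: host in mycorp.com, realm one level down.
SAMPLE_SMB_CONF='[global]
security = ads
realm = WGNAME.AD.MYCORP.COM
workgroup = WGNAME
idmap config MYCORP : backend = ad
idmap config MYCORP : range = 1000-2999999
idmap config * : backend = tdb'
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = WGNAME.AD.MYCORP.COM'
SAMPLE_SRV_ANSWER='0 100 88 dc2.wgname.ad.mycorp.com.
0 200 88 dc1.wgname.ad.mycorp.com.'

if [ "${1:-}" = "--live" ]; then
    smb_realm=$(conf_value realm < /etc/samba/smb.conf)
    krb_realm=$(conf_value default_realm < /etc/krb5.conf)
    realm_consistent "$(hostname -d)" "$smb_realm" "$krb_realm"
    idmap_label_mismatch "$(conf_value workgroup < /etc/samba/smb.conf)" < /etc/samba/smb.conf
    srv_check "$smb_realm"
else
    smb_realm=$(printf '%s\n' "$SAMPLE_SMB_CONF" | conf_value realm)
    krb_realm=$(printf '%s\n' "$SAMPLE_KRB5_CONF" | conf_value default_realm)
    realm_consistent mycorp.com "$smb_realm" "$krb_realm" || true
    printf '%s\n' "$SAMPLE_SMB_CONF" | idmap_label_mismatch WGNAME || true
    echo "KDCs from the sample SRV answer:"
    printf '%s\n' "$SAMPLE_SRV_ANSWER" | srv_targets
fi
```

Without --live the dry run reproduces the thread's situation: the realm values agree with each other but not with `hostname -d`, and the MYCORP idmap labels are flagged against the WGNAME workgroup, while the sample SRV answer is ordered with the heavier-weighted dc1 first. On a real member, `testparm -s --parameter-name=realm` is another way to read the effective realm, and the SRV targets printed by srv_check are the KDCs that kinit and winbind will actually contact once the host's DNS domain matches the realm.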