On 08/01/2023 14:39, Jim Brand via samba wrote:
>> nslookup -type=SRV _kerberos._tcp.mycorp.com
>>
>> ** server can't find _kerberos._tcp.mycorp.com: NXDOMAIN
>
> As 'hostname -d' is returning 'mycorp.com' it would seem that is the dns
> domain your computer is in. 'mycorp.com' != 'wgname.ad.mycorp.com'
> (which appears to be the dns domain of your DC) and Samba does not do
> subdomains or to put it another way, your clients have to be in the
> same dns domain as your DC's.
>
> I'm pursuing this with our Windows AD administrators.

I wouldn't bother, just understand that when using Samba, your kerberos
realm must be your dns domain in uppercase.

>> kinit -V Administrator@WGNAME.AD.MYCORP.COM
>> returns:
>> Authenticated to Kerberos v5
>
> More proof that you have it wrong
>
> What should kinit -V return?

Well, '-V' is for 'verbose' so a bit meaningless, what I meant was that
your kerberos realm is '@WGNAME.AD.MYCORP.COM' and not 'MYCORP.COM' as
you have it.

>> And klist commands show tickets with today's date. We are running
>> CentOS 7, samba-4.10.16-20.el7_9.x86_64
>
> That is a very old version of Samba.
>
> Agreed! Downloading and making a newer version is on my to-do list. Need
> to thoroughly test all dependencies.

Can I suggest you use a different OS, Centos is stable because it is old.

>> wbinfo -t/-u/-g runs successfully as does wbinfo --getdcname MYCORP
>
> That does surprise me.
>
> Me too, but I don't argue with success.

There is definitely something going on here, are you sure that you are
not getting ID's (not names) in the default '*' range ?

> (BTW those wbinfo commands start to fail along with Samba a few days after
> joining AD on our CentOS 6 servers. Not going to trouble you with that here,
> other than to ask what version of Samba 4 would you recommend we try using on
> Linux 6?)

This is getting worse, Centos 6 is dead, it had a very nice funeral.

>> No problems so far other than "net ads join" fails, have to
>> use "realm join" instead which messes up smb.conf
>
> You shouldn't use 'realm' with Samba.
>
> I've gathered as much but why?

The 'realm' command has nothing to do with Samba, whilst it works in a
similar way to 'net ads join', it doesn't work exactly the same. Stick
to using 'realm' with sssd and freeipa.

>> smb.conf
>> [global]
>> kerberos method = system keytab
>> log level = 3
>> max log size = 5000
>> log file = /var/log/samba/log.%h.%m
>> template homedir = /home/%U@%D
>> template shell = /bin/bash
>> security = ads
>> realm = WGNAME.AD.MYCORP.COM
>
> As the realm is the dns domain in uppercase, your realm should be
> 'MYCORP.COM' which would fail because it doesn't exist.
>
>> idmap config MYCORP : range = 1000-2999999
>> idmap config MYCORP : backend = ad
>> idmap config MYCORP : schema_mode = rfc2307
>> idmap config MYCORP : unix_primary_group = yes
>> idmap config MYCORP : unix_nss_info = yes
>> idmap config * : range = 3000000-39999999
>
> Why such high numbers ?

The '3000000' numbers are only used on a Samba AD DC.

> My understanding is that "idmap config WGNAME" should be the
> range of all possible UIDs assigned by our enterprise [in AD]. That was the
> range given to me.

Well yes, but you are not using 'idmap config WGNAME' are you ?
Also, even if you were, it would only apply to computers that are in the
workgroup/NetBIOS domain 'WGNAME' and that have a uidNumber (for a user)
and a gidNumber (for a group) inside that range AND the Domain Users
group MUST have a gidNumber.

> And "idmap config *" is a catch all for any users that don't
> fit under the above specified range.

Not quite, the default domain '*' is meant for the Well Known SIDs and
anything that is outside the 'WGNAME' domain or any other trusted domain
that is listed in smb.conf and has a trust setup.

>> idmap config * : backend = tdb
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>> winbind enum groups = no
>> winbind enum users = no
>> workgroup = WGNAME
>
> Another problem there, the 'idmap config' lines should be using the
> workgroup 'WGNAME', but they seem to be using 'MYCORP', why?
>
> My error when I sanitized the file. Those 'idmap config' entries
> are using 'WGNAME' instead of 'MYCORP'.

Now you tell me ;-).

Rowland
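The rules Rowland states in this thread (realm equals the host's dns domain in uppercase, the 'idmap config' domain matches the workgroup, and the default '*' range stays clear of the domain range) can be checked mechanically before a join. The checker below is an added example, not code from the thread or from Samba; `parse_global` and `check_member_config` are names assumed here, and the sample config is constructed from the sanitized smb.conf quoted above.

```python
import re

def parse_global(smb_conf):
    """Return [global] parameters; keys lower-cased, whitespace around ':' squeezed."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def check_member_config(smb_conf, dns_domain):
    """Apply the rules stated in the thread; returns findings, an empty list if it passes."""
    params, findings = parse_global(smb_conf), []
    realm, workgroup = params.get("realm", ""), params.get("workgroup", "").lower()
    # The kerberos realm must be the host's dns domain ('hostname -d') in uppercase.
    if realm != dns_domain.upper():
        findings.append(f"realm {realm!r} != dns domain uppercased {dns_domain.upper()!r}")
    ranges = {}
    for key, value in params.items():
        m = re.match(r"^idmap config (\S+) : range$", key)
        if m:
            dom = m.group(1)
            if dom not in ("*", workgroup):  # only legitimate for a listed trusted domain
                findings.append(f"idmap domain {dom.upper()!r} is not workgroup {workgroup.upper()!r}")
            ranges[dom] = tuple(int(x) for x in value.split("-"))
    star = ranges.get("*")  # the default '*' range must not overlap a domain range
    for dom, (lo, hi) in ranges.items():
        if dom != "*" and star and lo <= star[1] and star[0] <= hi:
            findings.append(f"idmap ranges for {dom.upper()} and '*' overlap")
    return findings

# Constructed from the sanitized smb.conf in the thread; dns domain as 'hostname -d' gave it.
POSTED_CONF = """[global]
security = ads
realm = WGNAME.AD.MYCORP.COM
idmap config MYCORP : range = 1000-2999999
idmap config * : range = 3000000-39999999
workgroup = WGNAME
"""
if __name__ == "__main__":
    for finding in check_member_config(POSTED_CONF, "mycorp.com"):
        print(finding)
```

Run against the posted config it reports the realm/dns-domain mismatch and the MYCORP-versus-WGNAME idmap domain; once the idmap lines use WGNAME and the host sits in wgname.ad.mycorp.com it reports nothing.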