I'd be grateful if anyone has any ideas on a stable fix or workaround for this.
I have come across a problem with an active directory domain built with a Samba 4 AD controller. The test system consists of: -
- 2 DCs, Leap 15.2, samba 4.11, krb5 1.16
- 1 File Server member, Leap 15.2, samba 4.11, krb5 1.16
- 1 windows 7 PC member
- 1 windows 10 PC member
Most of the samba is configured with bare minimum as provisioned config.
What works: -
- Domain logons on PCs
- Access to samba shares from PCs to server
- Roaming profiles
- Home directories
What does NOT work: -
- Shares between windows PCs by netbios name (you’re thinking DNS, read on please!): access denied
- Shares between windows PCs by FDN: access denied
- Even trying to browse shares on windows PCs gives: access denied
However, shares between windows PCs can be accessed by IP address (\\x.x.x.x\share) or by creating a CNAME dns entry so that the pc is accessed by an alias. So, if I try to access a PC's shares by the machine's own name it fails.
I have been through the DNSs with a fine-tooth comb, all of that is correct. The basic conclusion I have come to is that this is likely a krb5 ticket problem. So, just to check that my DCs are not messed up, I provisioned a new AD, on a fresh load, totally separate, totally basic config, again with Leap 15.2. The config was as follows: -
/etc/samba/smb.conf
[global]
dns forwarder = 192.168.1.3
netbios name = DC5
realm = CFAD2.COLOURFOIL.UK
server role = active directory domain controller
workgroup = CFAD2
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/cfad2.colourfoil.uk/scripts
read only = No
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
/etc/krb5.conf
[libdefaults]
default_realm = CFAD2.COLOURFOIL.UK
dns_lookup_realm = false
dns_lookup_kdc = true
The result is exactly the same, everything works except for access between windows members. An upgrade of samba from 4.11 to 4.13 also made no difference.
Next try was to see if other distros have the same problem, so I tried Ubuntu, Debian and Fedora provisioned as ADC and all three of those worked with the same config, and member windows PCs can access each other's shares. The main difference in the samba is that those distros are using the internal Heimdal krb5kdc but Leap is using the MIT kerberos.
Some experimenting with trying to update the MIT kerberos on Leap 15.2 from 1.16 to 1.19 was not successful as the samba-ad-dc package build will just not work with it.
Now, Tumbleweed is up to MIT krb5 1.19, so I updated the Leap 15.2 ADC to Tumbleweed and the whole thing works perfectly. So I have a workaround of sorts.
So, here’s the real question…
Does anyone know a way that the samba/mit krb5 builds on Leap 15.2 (or 15.3, which looks like it has the same mit krb5 v1.16) can be made to work around this problem? I don't really want to run my DCs as Tumbleweed unless I really have to.
Any ideas appreciated!
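The symptom pattern in the post (name-based access fails, IP-literal and CNAME access work) is what a Kerberos service-ticket problem looks like from the client side: for \\hostname\share a Windows client asks the KDC for a ticket for the SPN cifs/hostname, while for \\x.x.x.x\share it has no SPN to ask for and falls back to NTLM. The script below is an added example, not part of the original post or of the Samba project; it takes the realm from the post's krb5.conf, derives the SPN a client would request for a given UNC path, and, where kvno and klist are installed on a domain member with a ticket cache, asks the KDC for that ticket so the failure can be seen outside of the SMB client. The host names used are constructed.

```bash
#!/bin/bash
# Added example (not from the original post). Given a UNC path, work out
# which SMB authentication path a Windows client will take and, where
# Kerberos is expected, which service principal the KDC must issue a
# ticket for. The realm is the one from the post's krb5.conf; host names
# passed on the command line are constructed examples.

REALM="CFAD2.COLOURFOIL.UK"

# Print the SPN a client requests for a UNC target, or "NTLM" when the
# client cannot use Kerberos at all (IP-literal targets have no SPN).
expected_auth() {
    unc="$1"
    # keep only the host part: strip leading \\ or //, then cut at the next separator
    host=$(printf '%s' "$unc" | sed -e 's#^[\\/]*##' -e 's#[\\/].*$##')
    case "$host" in
        *:*) echo "NTLM"; return 0 ;;          # IPv6 literal
        *[!0-9.]*) ;;                          # has letters: a host name
        *) echo "NTLM"; return 0 ;;            # IPv4 literal
    esac
    # a short (NetBIOS-style) name is qualified with the realm's DNS domain,
    # which is what the client's DNS suffix search does before the TGS request
    domain=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    case "$host" in
        *.*) fqdn=$host ;;
        *)   fqdn="$host.$domain" ;;
    esac
    echo "cifs/$fqdn@$REALM"
}

# On a domain member with a ticket cache (run kinit user@REALM first), ask
# the KDC for a service ticket for the SPN. A failure here reproduces the
# Kerberos side of "access denied" on \\hostname\share without involving SMB.
check_spn() {
    spn=$(expected_auth "$1")
    if [ "$spn" = "NTLM" ]; then
        echo "$1: IP literal, Kerberos not used (matches the working \\\\x.x.x.x\\share case)"
        return 0
    fi
    if ! command -v kvno >/dev/null 2>&1; then
        echo "$1: client would request $spn (kvno not installed, cannot test here)"
        return 0
    fi
    echo "$1: requesting $spn"
    kvno "$spn" && klist | grep -F "$spn"
}

# Usage: ./spncheck.sh '\\pc1\share' '\\pc1.cfad2.colourfoil.uk\share' '\\192.168.1.20\share'
for target in "$@"; do
    check_spn "$target"
done
```

If kvno fails for cifs/pc1.cfad2.colourfoil.uk@CFAD2.COLOURFOIL.UK while the same request succeeds against a DC built with Heimdal, the problem is on the KDC side rather than in DNS or the share ACLs, which is the distinction the post is trying to make. Comparing the kvno result against a CNAME alias for the same machine shows whether the KDC is matching the SPN on the canonical name only.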