Public bug reported:

While working on bug #1984073, I used the existing samba AD DEP8 test to provision an AD server, which was convenient. But I couldn't get ldapwhoami -Y GSSAPI to work, it was always trying to fetch the service ticket using an incorrect domain, sometimes it was even using an IP instead of a domain name.

Some troubleshooting later and it was caused by a missing reverse DNS zone for that domain. I thought setting "rdns = false"[2] in /etc/krb5.conf would have addressed that, but for some reason it didn't, and the fix I found was to actually create the reverse zone while provisioning that AD server.

The change to the provisioning part of the script should be something like this[1]:

    # samba-tool dns zonecreate $(hostname -f) x.y.z.in-addr.arpa
    # samba-tool dns add $(hostname -f) x.y.z.in-addr.arpa $last-octect-of-my-ip PTR $(hostname -f)

1. https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014829

** Affects: samba (Ubuntu)
     Importance: Wishlist
         Status: New

** Tags: bitesize

** Description changed:

  While working on bug #1984073, I used the existing samba AD DEP8 test to provision an AD server, which was convenient. But I couldn't get ldapwhoami -Y GSSAPI to work, it was always trying to fetch the service ticket using an incorrect domain, sometimes it was even using an IP instead of a domain name.

  Some troubleshooting later and it was caused by a missing reverse DNS
- zone for that domain. I thought setting "rdns = false" in /etc/krb5.conf
- would have addressed that, but for some reason it didn't, and the fix I
- found was to actually create the reverse zone while provisioning that AD
- server.
+ zone for that domain. I thought setting "rdns = false"[2] in
+ /etc/krb5.conf would have addressed that, but for some reason it didn't,
+ and the fix I found was to actually create the reverse zone while
+ provisioning that AD server.

  The change to the provisioning part of the script should be something like this[1]:

- # samba-tool dns zonecreate $(hostname -f) x.y.z.in-addr.arpa
- # samba-tool dns add $(hostname -f) x.y.z.in-addr.arpa $last-octect-of-my-ip PTR $(hostname -f)
+ # samba-tool dns zonecreate $(hostname -f) x.y.z.in-addr.arpa
+ # samba-tool dns add $(hostname -f) x.y.z.in-addr.arpa $last-octect-of-my-ip PTR $(hostname -f)

- 1.
- https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
+ 1. https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
+ 2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014829

-- 
You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/2019870

Title:
  AD provision DEP8 tests: should also create reverse DNS zone
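The x.y.z and last-octet placeholders in the two samba-tool commands above, derived from the DC's IPv4 address, as an added example that is not part of the original bug report or the DEP8 test. It assumes a /24 reverse zone; the function names, the sample address and the sample hostname are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes IPv4 and a /24 reverse zone.
# All function names here are hypothetical.

# Succeed only if $1 is a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe: only digits and dots reach this point
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the /24 reverse zone for $1. The network octets are reversed,
# so 10.0.3.15 lives in 3.0.10.in-addr.arpa.
reverse_zone() {
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# Print the PTR record name inside that zone (the last octet).
ptr_name() {
    valid_ipv4 "$1" || return 1
    printf '%s\n' "${1##*.}"
}

# Print (do not run) the two provisioning commands from the report.
# $1 = DC address, $2 = DC FQDN (defaults to hostname -f).
reverse_zone_commands() {
    fqdn=${2:-$(hostname -f)}
    zone=$(reverse_zone "$1") || { echo "bad IPv4 address: $1" >&2; return 1; }
    echo "samba-tool dns zonecreate $fqdn $zone"
    echo "samba-tool dns add $fqdn $zone $(ptr_name "$1") PTR $fqdn"
}

# Constructed sample values.
reverse_zone_commands 10.0.3.15 dc1.example.internal
```
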

