I recently did a "classis conversion" of our small NT4 Samba domain to an AD one on my Debian 10 "Buster" system. I got everything working as far as I can tell, but I don't understand one issue I came across: Kerberos does not work unless the resolv.conf points to 127.0.0.1 instead of the external DNS server.
Per the instructions here I set up SRV records for LDAP and Kerberos in my DNS. The tests for them show the correct response I believe:
root@sambabox:~# host -t SRV _kerberos._udp.mydomain.duckdns.org
_kerberos._udp.mydomain.duckdns.org has SRV record 0 0 88 sambabox.mydomain.duckdns.org.
root@sambabox:~# host -t SRV _kerberos._udp.mydomain.duckdns.org 192.168.1.1
Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:
_kerberos._udp.mydomain.duckdns.org has SRV record 0 0 88 sambabox.mydomain.duckdns.org.
root@sambabox:~#
The hostname returned is the AD DC host. It can ping itself by name:
# ping sambabox.mydomain.duckdns.org
PING sambabox.mydomain.duckdns.org (192.168.1.5) 56(84) bytes of data.
64 bytes from sambabox.mydomain.duckdns.org (192.168.1.5): icmp_seq=1 ttl=64 time=0.060 ms
64 bytes from sambabox.mydomain.duckdns.org (192.168.1.5): icmp_seq=2 ttl=64 time=0.044 ms
However when the resolve.conf points to 192.168.1.1 (the default GW and DNS server/forwarder) rather than 127.0.0.1, "kinit" fails and the GW firewall logs dropped packets to port 88:
# kinit
[email protected]'s Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm MYDOMAIN.DUCKDNS.ORG
My Kerberos config is the default from the Samba conversion wizard:
# cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.DUCKDNS.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
Now I realize that Samba is also providing a domain DNS function here that resolves the Kerberos SRV as well:
# host -t SRV _kerberos._udp.mydomain.duckdns.org localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
_kerberos._udp.mydomain.duckdns.org has SRV record 0 100 88 sambabox.mydomain.duckdns.org.
But since the network DNS SRV record points to this same AD DC host, and Samba is listening on both the local and external interface, should it not also work when not using the Samba internal DNS?
# netstat -etulpn | grep :88
tcp 0 0 192.168.1.5:88 0.0.0.0:* LISTEN 0 1557276 13233/samba: conn[k
tcp 0 0 127.0.0.1:88 0.0.0.0:* LISTEN 0 1557272 13233/samba: conn[k
udp 0 0 192.168.1.5:88 0.0.0.0:* 0 1557277 13233/samba: conn[k
udp 0 0 127.0.0.1:88 0.0.0.0:* 0 1557273 13233/samba: conn[k
Why doesn't external DNS SRV seem to work? What makes the port 88 traffic be sent to the GW? Is the hostname that the kerberos SRV returned somehow being mangled?
Is there going to be issues with other hosts besides the AD DC trying to use Kerberos and not going through the Samba DNS?
ps: There was no Firewall active on the AD DC during these tests. No packets were harmed in this testing (except the ones sent to the GW port 88 incorrectly).