Tranquil IT Forum

Hello,

just a quick message to point out a slight error in the documentation for installing a secondary Active Directory. In krb5.conf, you need to set "dns_lookup_kdc = true" and not "false", otherwise it causes some problems.

Regards

Good morning,

No, it's not a mistake

The KDC servers are defined below for the Kerberos realm of the domain:
Normally, kinit should work. Otherwise, there might be a problem with /etc/resolv.conf, depending on your error?

Good day,

Yohannes

Hi Vincent,

The nss library (which handles routing system DNS queries) isn't site-aware by default, so if we let it perform DC detection, we're not guaranteed it will find the one we want. There's a module to add (winbind_krb5_locator), but there were bugs in previous versions of the pre-packaged modules, so hardcoding it (especially on a DC) is the most robust solution.

Hello

, sorry, it's my fault. I went a bit too fast; I forgot to replace "MYDOMAIN.LAN" in the "realms" section with the correct domain, so of course it wasn't going to work.

Quick question: the official Samba documentation recommends putting the DC's IP address in resolv.conf after joining the domain, rather than 127.0.0.1. Do you know why?

Regards

Hello Vincent,

Vincent38 wrote: ↑Oct 9, 2025 - 12:42 Sorry, it's my fault, I went a bit too fast, I forgot to replace "MYDOMAIN.LAN" in the "realms" section with the correct domain, so of course it wasn't going to work.

Quick question: the official Samba documentation recommends putting the IP address of the DC in question in resolv.conf after joining the domain, rather than 127.0.0.1. Do you know why?

It's a convenient way to write the text. It ensures it's the correct IP address and it works very well

Sincerely,

Denis

That's what I thought,

thank you!

Regards