[Samba] Samba 4.1.6 and 4.1.7 Kerberos problem on Debian Linux

Rick Schauer rschauer at dualhelix.net
Wed Apr 23 13:00:25 MDT 2014


Thanks Louis, but I found a solution to my problem.  Yes, it works on Debian, but you need an additional step that is not mentioned in the Samba 4 wiki.  I started with the krb5.conf file that was generated by the samba-tool provision, as per the instructions.  However, I had to add this section to the /etc/krb5.conf file to help Kerberos find the KDC:

[realms]
        XXXXX.LOCAL = {
                kdc = rpisrv1.xxxxx.local:88
                default_domain = xxxxx.local
        }

I got this very handy tip from user igorino in a FreeBSD forum who was having the same issue: https://forums.freebsd.org/viewtopic.php?t=36137

Once I did that it worked.  No restart or reboot was necessary.  I owe that person many thanks.

I was able to duplicate the problem with the latest stable version of Debian and Samba 4.1.7.  

Apparently FreeBSD users encountered the problem as well.  Whether there is a better solution out there, I don't know.  I've spent way too much time trying to get Samba 3 or 4 to work.  

-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl] 
Sent: Tuesday, April 22, 2014 11:55 PM
To: Rick Schauer
Cc: samba at lists.samba.org
Subject: RE: [Samba] Samba 4.1.6 and 4.1.7 Kerberos problem on Debian Linux

Hi,

Debian works fine with Samba 4.
If you want an easy setup, look here:
https://secure.bazuin.nl/scripts/

For your problem, check the following.

For a DC config,

Can you check what's in /etc/nsswitch.conf? It should be something like:

passwd:         compat 
group:          compat 
shadow:         compat
hosts:          files dns

Make sure /etc/hosts looks like this:
127.0.0.1      localhost
192.168.1.1    server.domain.tld server
::1            ip6-localhost ip6-loopback

and the /etc/resolv.conf

search domain.tld
domain domain.tld
nameserver IP_AD_DC1
nameserver IP_AD_DC2


/etc/krb5.conf
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_realm = DOMAIN.TLD


And do the checks here:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS

Are you running Samba DNS or BIND DNS?

And are any of these installed?
( dpkg --get-selections | grep avahi )
avahi-autoipd
avahi-daemon
avahi-discover
avahi-dnsconfd

If so, remove them, check the configs above, reboot your server,
and try again.



Best regards, 

Louis


>-----Original Message-----
>From: rschauer at dualhelix.net 
>[mailto:samba-bounces at lists.samba.org] On behalf of Rick Schauer
>Sent: Monday, April 21, 2014 23:35
>To: samba at lists.samba.org
>Subject: [Samba] Samba 4.1.6 and 4.1.7 Kerberos problem on 
>Debian Linux
>
>I am trying to set up an AD using a Linux server to get away 
>from Windows Server 2008.  So far I have tried the setup on 
>both a Debian 7.4 64 bit machine, and a Raspberry Pi (Debian 
>variant).  I've tried both Samba stable versions 4.1.6 and 
>4.1.7, and they both give me the same results.
>
>I followed the instructions to install the Samba 4 AD setup at 
>https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>I also went through the OS requirements on the Samba4 wiki.
>
>Everything works great except the Kerberos test on the Samba4 
>AD server.  I get the following error (XXXXX is substituted 
>here for my domain):
>
># kinit administrator@XXXXX.LOCAL
>Kinit: Cannot contact any KDC for realm 'XXXXX.LOCAL' while 
>getting initial credentials.
>
>All the other tests work fine, and there are no errors in the 
>log files.  I do get one for cups not getting a list of 
>printers, but I don't have any set up yet.
>I want to get past this problem first.  I have tried it on two 
>separate machines running Debian.  Same results.
>
>My Kerberos 5 version is 1.10.1 and my krb5.conf file looks like this:
>
>[libdefaults]
>        default_realm = XXXXX.LOCAL
>        dns_lookup_realm = false
>        dns_lookup_kdc = true
>
>The DNS and smbclient tests on the AD all return good results. 
> I am using the Samba internal DNS.  The Python version is 
>2.7.4.  The acl and attr are working on my file system.  I can 
>run nslookup and get valid results for the AD server and 
>external DNS names (yahoo.com as an example).
>
>Could there be a problem with the version of the krb5-user 
>package from the Debian distribution library not working with 
>Samba4?  Or some other dependent package?  Or have I done 
>something wrong?
>
>Rick Schauer
>
>
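As an added example (not part of the original messages and not Samba project code): a small Python check that parses krb5.conf text and reports how a client would locate the KDC for the default realm, either from an explicit [realms] entry or from DNS SRV records. It is run on the two configurations quoted in this thread; the function names are hypothetical, and treating a missing dns_lookup_kdc as true is an assumption.

```python
import re

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: [values] | {subkey: [values]}}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                    # new [section]
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":                        # end of a realm block
            block = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            target = section if block is None else block
            if value == "{":                     # start of "REALM = {"
                block = section.setdefault(key, {})
            else:
                target.setdefault(key, []).append(value)
    return conf

def kdc_discovery(text):
    """Report where the KDC for default_realm would come from."""
    conf = parse_krb5(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [None])[0]
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    # Assumption: dns_lookup_kdc counts as enabled when the key is absent.
    use_dns = lib.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "on", "1")
    if kdcs:
        return {"realm": realm, "method": "krb5.conf", "kdcs": kdcs}
    if use_dns and realm:
        srv = [f"_kerberos._{proto}.{realm}" for proto in ("udp", "tcp")]
        return {"realm": realm, "method": "dns-srv", "srv_names": srv}
    return {"realm": realm, "method": "none"}

# The provisioned file from the first message, then the same file with the added section.
ORIGINAL = """[libdefaults]
        default_realm = XXXXX.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""
FIXED = ORIGINAL + """[realms]
        XXXXX.LOCAL = {
                kdc = rpisrv1.xxxxx.local:88
                default_domain = xxxxx.local
        }
"""

if __name__ == "__main__":
    print(kdc_discovery(ORIGINAL))
    print(kdc_discovery(FIXED))
```

With the original file the only path to a KDC is the listed SRV names, so if they do not resolve on the host (for example, dig -t SRV against the first name returns nothing), kinit has nowhere to go; the explicit kdc line removes that dependency.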


