[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

L.P.H. van Belle belle at bazuin.nl
Fri Mar 20 01:42:51 MDT 2015


Try changing your resolv.conf from:
>nameserver 127.0.0.1
>domain intranet.mayweg.net

to:
nameserver 192.168.11.250
search intranet.mayweg.net

>The only thing I was unsure about, was which hostname to enter for Kerberos
>Server and Kerberos admin server when asked during the installation of the
>packages..

Try these default settings for Kerberos.
You didn't have to enter the hostname; only the default Kerberos domain name is needed.

A copy-paste for you:

    # Preseed the krb5-config questions: realm only, KDC and admin server left
    # empty so they are located through DNS SRV records (dns_for_default=true).
    echo "krb5-config     krb5-config/add_servers_realm     string INTRANET.MAYWEG.NET" | debconf-set-selections
    echo "krb5-config     krb5-config/read_conf   boolean true" | debconf-set-selections
    echo "krb5-config     krb5-config/kerberos_servers string " | debconf-set-selections
    echo "krb5-config     krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
    echo "krb5-config     krb5-config/add_servers boolean false" | debconf-set-selections
    echo "krb5-config     krb5-config/admin_server string " | debconf-set-selections
    echo "krb5-config     krb5-config/dns_for_default boolean true" | debconf-set-selections
    # -plow: reconfigure with priority "low" (the original had "plow" without the dash)
    dpkg-reconfigure -plow krb5-config

And if you want to point to a specific Kerberos server:
    echo "krb5-config     krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections

But it's not needed; man krb5.conf tells you enough.

After the changes, type:
    host -t SRV _kerberos._udp.intranet.mayweg.net
If you get "not found", then we need to analyze further.



If you want to start with a "clean server",
just have a look here:

https://secure.bazuin.nl/scripts/  

I added two simple scripts: a Debian Wheezy backported script and a Debian Jessie script.
The Jessie script is basically the Wheezy backported version, but without the backports repo.
It's a set of minimal changes to the system, using the defaults wherever possible.

If you look in the script,
these settings MUST be set.
Settings you must change are:

NTPD_SERVER1_EXTERNAL
NTPD_RESTRICT_INTERFACE (if you don't have an eth0)
BIND9_NETWORKS
SAMBA_DC1_IP
SAMBA_NT_DOMAIN
SAMBA_SITE_NAME

Optional:
SAMBA_PASS_POLICY_CHANGE
SAMBA_TEMPLATE_HOMEDIR
SAMBA_TEMPLATE_SHELL


And last:
CONFIGURED

All other options are optional.
If you have a different DNS domain name and Kerberos domain,
you must change that, etc.

Greetz, 

Louis



>-----Original message-----
>From: olol13.samba at the-1337.org 
>[mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>Sent: Friday 20 March 2015 0:04
>To: Peter Serbe; samba at lists.samba.org; Rowland Penny - 
>repenny241155 at gmail.com
>Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working. 
>samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: 
>(sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot 
>contact any KDC for requested realm)
>
>OK, I set up a new machine with Debian Jessie and checked and installed
>everything from OS requirements in the wiki (
>https://wiki.samba.org/index.php/OS_Requirements ).
>The only thing I was unsure about, was which hostname to enter for Kerberos
>Server and Kerberos admin server when asked during the installation of the
>packages... I used krb.intranet.mayweg.net.
>Now, after the classicupgrade kinit isn't working anymore... I get the same
>error I get when trying samba_dnsupdate:
>kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' while getting
>initial credentials.
>
>One step I did not do as stated in the wiki is configuring bind with
>--with-gssapi=/usr/include/gssapi
>--with-dlopen=yes.
>Once again the dlopen driver seems to work in this version, but I have no
>idea about the first part. Should I build bind myself with the first option?
>@Rowland, did you have a working bind installation before you
>upgraded/provisioned your domain?
>
>@Peter There is no file called namedb in /etc/bind, but the whole folder is
>writeable for user bind.
>
>My configs, now mostly adapted from Rowland's working configuration, are:
>
>/etc/network/interfaces:
>auto lo
>iface lo inet loopback
>
>auto eth0
>iface eth0 inet static
>        address         192.168.11.250
>        network         192.168.11.0
>        netmask         255.255.255.0
>        broadcast       192.168.11.255
>
>/etc/hosts:
>127.0.0.1       localhost
>192.168.11.250  server06.intranet.mayweg.net    server06  krb
>
># The following lines are desirable for IPv6 capable hosts
>::1     localhost ip6-localhost ip6-loopback
>ff02::1 ip6-allnodes
>ff02::2 ip6-allrouters
>
>/etc/resolv.conf:
>nameserver 127.0.0.1
>domain intranet.mayweg.net
>
>/etc/bind/named.conf:
>include "/etc/bind/named.conf.options";
>include "/etc/bind/named.conf.local";
>include "/etc/bind/named.conf.default-zones";
>include "/var/lib/samba/private/named.conf";
>
>/etc/bind/named.conf.options:
>options {
>directory "/var/cache/bind";
>dnssec-validation no;
>auth-nxdomain no;    # conform to RFC1035
>listen-on-v6 { any; };
>tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>};
>
>/var/lib/samba/private/named.conf:
>    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>
>/etc/krb5.conf:
>[libdefaults]
>default_realm = INTRANET.MAYWEG.NET
>dns_lookup_realm = false
>dns_lookup_kdc = true
>
>/etc/samba/smb.conf:
># Global parameters
>[global]
>workgroup = MAYWEG.NET
>realm = INTRANET.MAYWEG.NET
>netbios name = SERVER06
>interfaces = lo, eth0
>bind interfaces only = Yes
>server role = active directory domain controller
>server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>idmap_ldb:use rfc2307 = yes
>
>[netlogon]
>path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>read only = No
>
>[sysvol]
>path = /var/lib/samba/sysvol
>read only = No
>
>
>On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>
>>
>>
>> Timo Altun wrote on 19.03.2015 10:30:
>>
>> > As I wrote in my first mail, Kerberos does work. I can successfully
>> > request and list a ticket on the AD DC.
>>
>> OK, then the next things which come to my mind are:
>> is the keytab you set in named.conf.options readable
>> by the user under which bind is run?
>>
>> Then, is /etc/bind/namedb writable for bind?
>>
>> And in the end, it might be a screwed up installation.
>> I had troubles with dynamic updates a long time ago,
>> when it turned out, that I screwed something up during
>> the installation.
>>
>> HTH
>> - Peter
>>
>>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>



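The two checks Louis asks for above (a resolv.conf that points at the DC and uses a search line, and a Kerberos SRV record that resolves) as an added, offline example. This is not code from the post or from Samba: the resolv.conf variants and the `host -t SRV` outputs are constructed from the configs quoted in the thread, and server07 is a hypothetical second DC added only to show that the parser orders answers by SRV priority.

```shell
#!/bin/sh
# Added example (not from the list post): offline versions of the two checks
# in Louis's reply, with every input constructed inline.

# Constructed sample: the resolv.conf Timo posted (loopback resolver, "domain").
RESOLV_BEFORE='nameserver 127.0.0.1
domain intranet.mayweg.net'

# Constructed sample: the resolv.conf Louis suggests instead.
RESOLV_AFTER='nameserver 192.168.11.250
search intranet.mayweg.net'

# Constructed sample outputs of `host -t SRV _kerberos._udp.intranet.mayweg.net`:
# the healthy answer, the "not found" case, and a hypothetical two-DC answer
# (server07 is invented for this example) listed in the wrong order on purpose.
SRV_OK='_kerberos._udp.intranet.mayweg.net has SRV record 0 100 88 server06.intranet.mayweg.net.'
SRV_MISSING='Host _kerberos._udp.intranet.mayweg.net not found: 3(NXDOMAIN)'
SRV_TWO='_kerberos._udp.intranet.mayweg.net has SRV record 10 100 88 server07.intranet.mayweg.net.
_kerberos._udp.intranet.mayweg.net has SRV record 0 100 88 server06.intranet.mayweg.net.'

# check_resolv RESOLV_TEXT DC_IP
# Exit 0 when the first nameserver is the DC's address and the DNS domain is
# given with "search"; otherwise print each problem and exit 1.
check_resolv() {
  text=$1; dc_ip=$2; rc=0
  first_ns=$(printf '%s\n' "$text" | awk '$1 == "nameserver" { print $2; exit }')
  if [ "$first_ns" != "$dc_ip" ]; then
    echo "first nameserver is '$first_ns', expected the DC at $dc_ip"
    rc=1
  fi
  if ! printf '%s\n' "$text" | grep -q '^search '; then
    echo "no 'search' line (use 'search', not 'domain')"
    rc=1
  fi
  return $rc
}

# kdc_targets HOST_OUTPUT
# Parse `host -t SRV` output and print one "target:port" per line, ordered by
# SRV priority (ascending) then weight (descending). Prints nothing and exits 1
# when no SRV record is present, which is the "not found" case in the post.
kdc_targets() {
  out=$(printf '%s\n' "$1" \
    | awk '/ has SRV record / {
             sub(/\.$/, "", $NF)                       # drop the trailing dot of the target
             print $(NF-3), $(NF-2), $NF ":" $(NF-1)   # priority weight target:port
           }' \
    | sort -k1,1n -k2,2nr \
    | awk '{ print $3 }')
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# Stand-alone run: both resolv.conf variants, then the three DNS answers.
for v in "$RESOLV_BEFORE" "$RESOLV_AFTER"; do
  if check_resolv "$v" 192.168.11.250; then echo "resolv.conf OK"; fi
done
kdc_targets "$SRV_OK"      || echo "no KDC SRV record: analyze further"
kdc_targets "$SRV_MISSING" || echo "no KDC SRV record: analyze further"
kdc_targets "$SRV_TWO"
```

On a live DC the same parser takes the real lookup as its argument: `kdc_targets "$(host -t SRV _kerberos._udp.intranet.mayweg.net)"`, and `check_resolv "$(cat /etc/resolv.conf)" 192.168.11.250` covers the first half of Louis's advice. The priority sort matters because a client with `dns_lookup_kdc = true` tries SRV targets in that order.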