[Samba] problems with Samba 4.7 in existing (Samba 4.2 based) domain
Chris
chris.ace at web.de
Thu Dec 7 11:05:27 UTC 2017
I'd like to get rid of our old Samba 4.2 servers (based on SerNet packages on CentOS6) acting as DC and installed a third server with new Samba 4.7.0 on Fedora 4.7.
Initially I had problems joining with problems described here https://bugzilla.samba.org/show_bug.cgi?id=12398
Using the quick hack from https://forge.univention.org/bugzilla/attachment.cgi?id=8448&action=diff allowed me to join though (I don't think it's related to my problem, but I thought I better mention it anyway, I had several isCriticalSystemObject=TRUE entries in parent OUs without the flag)
After a successful join using samba-tool I get error message like that on both ends and replication is not successful:
Last attempt @ Thu Dec 7 11:59:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
newly joined DC7:
[2017/12/07 11:50:49.982738, 0] ../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.1.13[1024,seal,krb5,target_hostname=552f9859-59d5-41e8-bbd4-77c70ad391ee._msdcs.my.internal.domain,target_principal=GC/dc3.my.internal.domain/my.internal.domain,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.25] NT_STATUS_UNSUCCESSFUL
old DC3:
[2017/12/07 11:53:19.630671, 0] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.1.25[49152,seal,krb5,target_hostname=16588a00-78c4-4e9a-bfdc-eb488bec38a4._msdcs.my.internal.domain,target_principal=GC/dc7.my.internal.domain/my.internal.domain,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.13] NT_STATUS_UNSUCCESSFUL
This looks like an auth (Kerberos) error, maybe related to:
Dec 07 11:55:49 dc7.my.internal.domain krb5kdc[22191](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.11.25: NEEDED_PREAUTH: DC7$@MY.INTERNAL.DOMAIN for krbtgt/MY.INTERNAL.DOMAIN at MY.INTERNAL.DOMAIN, Additional pre-authentication required
Any ideas what's going wrong here?
(I already went through the usual first steps, time is in sync, dns entries were created and can be resolved properly)
Thanks!
Chris
More information about the samba
mailing list