2 Samba4-DCs with OpenLDAP 2.4.8 in Multi-Master-Replication

Oliver Liebel oliver at itc.li
Mon Apr 7 10:51:24 GMT 2008


Andrew Bartlett schrieb:
> On Sat, 2008-04-05 at 15:50 +0200, Oliver Liebel wrote:
>   
>> Used Versions:
>> OpenLDAP 2.4.8
>> Samba4 from git  (Fri Apr 4 16:03:54 2008 +0200)
>> Rev-Info
>> 7fccd85
>> 1207317834
>> 7fccd85cc673c139bc1d57915e0fccd22316998c
>>
>>
>> Setup First DC1 (hostname samba4) with OL as Backend.
>> Backend-Provisioning with:
>> #> bin/smbpython setup/provision-backend --realm=LDAP.LOCAL.SITE 
>> --domain=LDAP --ldap-manager-pass=linux --ldap-backend-type=openldap 
>> --simple-bind-dn="cn=Manager,dc=ldap,dc=local,dc=site"
>>
>> - slapd.conf creation only works correctly if an smb.conf with the wanted 
>> settings exists, otherwise the hostname [cn=samba4] is used as Base-DN; 
>> tested it several times
>>     
>
> You need to include the --server-role parameter.  We provision as a
> standalone server by default (because even while everyone wants Samba4
> as a DC at this point, I don't want to ever get back to 'samba4 broke my
> network' because someone didn't actually want a DC). 
>
>   
Works fine now with the additional parameter, thanks for the tip.
> I'm adding some output to make clear how it has been configured.
>
>   
>> after that, same procedure on DC2 (samba4dc2),
>> using the domain-sid from DC1 for provision,
>> with second slapd listening on DC2 on port 9000, everything ok.
>> after that, stopped smbd and slapd on DC2, then tried to join DC1, where 
>> the following error occurs:
>>
>> #> net join LDAP BDC -U administrator -d 4
>>     
I took a look over the debug output again and found some additional 
messages. It looks like DC2 can't find the KDC of DC1 
(samba4.ldap.local.site) during the join operation:

Server claims it's principal name is SAMBA4$@LDAP.LOCAL.SITE
Starting GENSEC submechanism gssapi_krb5
kinit for Administrator@LDAP.LOCAL.SITE failed (Cannot contact any KDC for requested realm: unable to reach any KDC in realm LDAP.LOCAL.SITE)
Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for requested realm
Cannot reach a KDC we require to contact cifs@SAMBA4
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
although the KDC on DC1 is up and running (nmap on DC1 shows that ports 88 
and 464 are open).
I left the krb-related settings in smb.conf on both DCs unchanged, so 
they should point to the correct ports.
Then I tried to point DC2 (the DC on which I start the join operation) 
explicitly to the KDC of DC1:

password server = samba4.ldap.local.site

but that seems to make no difference (I guess the default value "*" looks 
for all existing KDCs).

After creating a small krb5.conf on DC2 pointing to the KDC of DC1, the 
KDC is found and the errors listed above disappear, but the error 
messages from update_keytab.so still remain (as you already mentioned 
below) and the host and service principals for DC2 are not created.
smbd debug output from DC1 during the join:

Kerberos: AS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@LDAP.LOCAL.SITE
Kerberos: AS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- Administrator@LDAP.LOCAL.SITE
Kerberos: Looking for ENC-TS pa-data -- Administrator@LDAP.LOCAL.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@LDAP.LOCAL.SITE using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2008-04-07T12:41:09 starttime: unset endtime: 2008-04-07T22:41:08 renew till: unset
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for cifs/samba4@LDAP.LOCAL.SITE
Kerberos: TGS-REQ authtime: 2008-04-07T12:41:09 starttime: 2008-04-07T12:41:09 endtime: 2008-04-07T22:41:08 renew till: unset
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE [forwarded, forwardable]
Kerberos: Bad request for forwardable ticket
Kerberos: Failed building TGS-REP to 192.168.198.134
Found account name from PAC: Administrator []
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for ldap/samba4@LDAP.LOCAL.SITE
Kerberos: TGS-REQ authtime: 2008-04-07T12:41:09 starttime: 2008-04-07T12:41:09 endtime: 2008-04-07T22:41:08 renew till: unset
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE [forwarded, forwardable]
Kerberos: Bad request for forwardable ticket
Kerberos: Failed building TGS-REP to 192.168.198.134
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Found account name from PAC: Administrator []
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE [forwarded, forwardable]
Kerberos: Bad request for forwardable ticket
Kerberos: Failed building TGS-REP to 192.168.198.134

> Once the segfault in the keytab module is resolved, this should work. 
>
> Thankyou very much for your patience with this.  
>
> Andrew Bartlett
>   
Greetings,

Oliver
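The post does not show the krb5.conf that made DC1's KDC reachable from DC2. The fragment below is an added example of the minimal file that would do that under the names used in the post (DC1 = samba4.ldap.local.site, realm LDAP.LOCAL.SITE, KDC on port 88, kpasswd on 464); it is an editor's reconstruction, not the author's file, and the section and key names are the standard krb5.conf ones rather than anything Samba-specific. DNS lookups are switched off so that the hard-coded KDC is used; once SRV records for the realm exist in DNS the explicit kdc line becomes unnecessary.

```ini
; Added example, not the krb5.conf from the post. Realm and hostnames are
; the ones the post uses; port numbers match the open ports noted on DC1.
[libdefaults]
    default_realm = LDAP.LOCAL.SITE
    ; Do not try SRV lookups: on a lab network without the realm's DNS
    ; records they fail and the library reports "Cannot contact any KDC".
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    LDAP.LOCAL.SITE = {
        kdc = samba4.ldap.local.site:88
        kpasswd_server = samba4.ldap.local.site:464
    }

[domain_realm]
    .ldap.local.site = LDAP.LOCAL.SITE
    ldap.local.site = LDAP.LOCAL.SITE
```

A quick check that the file is picked up is `kinit administrator@LDAP.LOCAL.SITE` on DC2 followed by `klist`; if that works but the join still fails, the remaining problem is on the Samba side rather than in KDC discovery, which matches what the post goes on to report.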
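Reading the KDC side of a join attempt by eye is error-prone once the mail archive has wrapped every record over two lines. The script below is an added example (the editor's, not code from the post or from Samba) that re-joins the wrapped records, extracts the AS/TGS requests, the enctype negotiation and the forwardable-ticket rejections, and flags two things worth noticing in the output quoted above: the client offered AES enctypes but both the pre-authentication and the reply key ran on arcfour-hmac-md5, and every forwardable TGS-REQ for the krbtgt was refused. The sample log is constructed from the quoted lines; the regular expressions match the Heimdal-style messages as they appear there, and other KDC builds may phrase them differently. Whether the RC4 choice reflects a policy setting or the keys that existed for the account is not something the log states, so the script reports only the mismatch.

```python
import re
from collections import Counter

# Constructed sample, modelled on the smbd/KDC debug output quoted in the
# post and wrapped at the column the mail archive used; not a capture from
# the original machines. Realm, hostnames and IP are the post's own.
SAMPLE_LOG = """\
Kerberos: AS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for
krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
Administrator@LDAP.LOCAL.SITE
Kerberos: AS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for
krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: ENC-TS Pre-authentication succeeded --
Administrator@LDAP.LOCAL.SITE using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc
Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for
cifs/samba4@LDAP.LOCAL.SITE
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for
krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE [forwarded, forwardable]
Kerberos: Bad request for forwardable ticket
Kerberos: Failed building TGS-REP to 192.168.198.134
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for
ldap/samba4@LDAP.LOCAL.SITE
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for
krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE [forwarded, forwardable]
Kerberos: Bad request for forwardable ticket
Kerberos: Failed building TGS-REP to 192.168.198.134
"""

# Prefixes that start a record; any other line is a mailer continuation.
RECORD_START = ("Kerberos: ", "Found account name", "standard_terminate")
REQ_RE = re.compile(r"^Kerberos: (AS-REQ|TGS-REQ) (\S+) from (\S+) for (\S+)"
                    r"(?: \[([^\]]*)\])?$")
ENCTS_RE = re.compile(r"ENC-TS Pre-authentication succeeded -- \S+ using (\S+)")
SUPPORTED_RE = re.compile(r"Client supported enctypes: (.+)$")
USING_RE = re.compile(r"^Kerberos: Using (\S+)/(\S+)$")
BAD_FWD = "Bad request for forwardable ticket"
# Enctypes a 2008-era client still offered that should not win a negotiation.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1", "des3-cbc-md5",
                 "des-cbc-md5", "des-cbc-md4", "des-cbc-crc"}


def unwrap(text):
    """Re-join records that the mailer wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(RECORD_START) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_kdc_log(text):
    """Summarise one join attempt as the KDC saw it."""
    summary = {"requests": [], "preauth_enctype": None, "client_enctypes": [],
               "using_enctypes": None, "rejected_forwardable": []}
    last_req = None
    for rec in unwrap(text):
        m = REQ_RE.match(rec)
        if m:
            kind, client, ip, service, flags = m.groups()
            flags = tuple(f.strip() for f in flags.split(",")) if flags else ()
            last_req = (kind, client, ip, service, flags)
            summary["requests"].append(last_req)
        elif ENCTS_RE.search(rec):
            summary["preauth_enctype"] = ENCTS_RE.search(rec).group(1)
        elif SUPPORTED_RE.search(rec):
            raw = SUPPORTED_RE.search(rec).group(1)
            summary["client_enctypes"] = [e.strip() for e in raw.split(",")]
        elif USING_RE.match(rec):
            summary["using_enctypes"] = USING_RE.match(rec).groups()
        elif BAD_FWD in rec and last_req is not None:
            # The rejection refers to the TGS-REQ logged just before it.
            summary["rejected_forwardable"].append(last_req[3])
    return summary


def service_tickets(summary):
    """Service principals (other than krbtgt) the joiner asked tickets for."""
    return [svc for kind, _, _, svc, _ in summary["requests"]
            if kind == "TGS-REQ" and not svc.startswith("krbtgt/")]


def find_issues(summary):
    issues = []
    aes = [e for e in summary["client_enctypes"] if e.startswith("aes")]
    used = set(summary["using_enctypes"] or ())
    if summary["preauth_enctype"]:
        used.add(summary["preauth_enctype"])
    weak = sorted(used & WEAK_ENCTYPES)
    if aes and weak:
        issues.append("client offered %s but KDC used %s"
                      % (", ".join(aes), ", ".join(weak)))
    for svc, n in sorted(Counter(summary["rejected_forwardable"]).items()):
        issues.append("%d forwardable TGS-REQ(s) for %s rejected" % (n, svc))
    return issues


if __name__ == "__main__":
    s = parse_kdc_log(SAMPLE_LOG)
    print("service tickets requested:", service_tickets(s))
    for issue in find_issues(s):
        print("issue:", issue)
```

Feed it the real smbd output with `parse_kdc_log(open(path).read())`; the unwrap step is harmless on unwrapped logs because every genuine record starts with one of the known prefixes.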
