Joining a Windows 2008 R2 error

David Gonzalez info at dghvoip.com
Thu Sep 16 15:17:45 MDT 2010


Thanks Andrew for your answer,

On Thu, Sep 16, 2010 at 3:48 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2010-09-14 at 16:58 -0500, David Gonzalez wrote:
> > Hi,
> >
> > UPDATE: Dynamic DNS updates work now, just change the update-policy {}; to
> > allow-update { any; };
> > and do not add or comment out these lines on smb.conf.
> >
> > //      tkey-gssapi-credential "DNS/samba.dghvoip.com";
> > //      tkey-domain "SAMBA.DGHVOIP.COM";
>
> That's rather an insecure configuration.  Did you try and ensure that BIND
> had access to the keytab as instructed?  We do know that this is a difficult
> area to get right however, and are working to try and make it more automated,
> and less prone to failure.
>

How do I guarantee that BIND has access to the keytab? I added these lines to
/etc/init.d/named

KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME

As instructed, but I wouldn't know how to tell you if it has access to it.

Well, insecure it might be, but I have BIND listening just on my local
interface, so no external access is allowed.

And I appreciate, as many other testers around, the effort you're putting into
this, so as my signature says walk slow and you'll get further. So while
that easiness you talk about is ready we'll use whatever resource is at
hand to try and provide feedback.

>
> > Now, I've "successfully" joined a W2k8 server machine to my domain, then
> > dcpromo it but these errors show on my logs:
> >
> > Failed to modify SPNs on CN=VMW2K8,CN=Computers,DC=samba,DC=dghvoip,DC=com:
> > error in module acl: insufficient access rights (50)
> > [Tue Sep 14 16:49:45 2010 COT, 0
> > ../rpc_server/drsuapi/writespn.c:103:dcesrv_drsuapi_DsWriteAccountSpn()]
> > Failed to modify SPNs on CN=VMW2K8,CN=Computers,DC=samba,DC=dghvoip,DC=com:
> > error in module acl: insufficient access rights (50)
> > [Tue Sep 14 16:49:45 2010 COT, 0
> > ../rpc_server/drsuapi/writespn.c:103:dcesrv_drsuapi_DsWriteAccountSpn()]
> > Failed to modify SPNs on cn=vmw2k8,cn=computers,dc=samba,dc=dghvoip,dc=com:
> > error in module acl: insufficient access rights (50)
>
> Exactly which version is this?
>

Version of...?

BIND 9.7.2
Samba 4.0.0alpha12-GIT-a593952

>
> > And after the w2k8 start this shows up on samba.log
> >
> > /usr/local/samba/sbin/samba_dnsupdate:     import samba
> > [Tue Sep 14 16:52:10 2010 COT, 0
> > ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> > /usr/local/samba/sbin/samba_dnsupdate: ImportError: No module named samba
> > [Tue Sep 14 16:52:10 2010 COT, 0
> > ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> > /usr/local/samba/sbin/samba_spnupdate: Traceback (most recent call last):
> > [Tue Sep 14 16:52:10 2010 COT, 0
> > ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> > /usr/local/samba/sbin/samba_spnupdate:   File
> > "/usr/local/samba/sbin/samba_spnupdate", line 30, in ?
> > [Tue Sep 14 16:52:10 2010 COT, 0
> > ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
>
> It seems that something is wrong with the pythonpath - the script isn't
> finding the installed python libraries.
>
> In any case, you would do well to run the code we just updated yesterday,
> as we fixed an issue with that script and kerberos-enabled nsupdate -g.
>

Good, I'll pull that and let you know what comes out of this by putting back
the -g parameter on smb.conf.

>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>

Thanks.

---
... Chi va piano va sano e va lontano.
David Gonzalez H.
DGHVoIP - OPEN SOURCE TELEPHONY SOLUTIONS
Phone Bogotá: +(57-1)289-1168
Phone Medellin: +(57-4)247-0985
Mobile: +(57)315-838-8326
MSN: david at planetaradio.net
Skype: davidgonzalezh
WEB: http://www.dghvoip.com/
Linux User #294661
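
Added example, not part of the original thread or of Samba: one way to answer the two open questions above, whether the zone configuration still carries allow-update { any; } and whether the account BIND runs as can read the keytab exported through KRB5_KTNAME. The account name "named", the function names and the NAMED_CONF argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: named runs as user "named".

# has_open_update CONF: succeed if CONF contains "allow-update { any; }"
# outside // and # comments (/* */ comments are not handled).
has_open_update() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" | tr '\n\t' '  ' |
        grep -Eq 'allow-update *\{ *any *; *\}'
}

# can_read FILE UID "GIDS": decide from owner, group and mode bits whether
# that identity may read FILE. Returns 2 if FILE is missing. ACLs and
# permissions on parent directories are not examined.
can_read() {
    cr_uid=$2 cr_gids=$3
    set -- $(ls -lnd -- "$1" 2>/dev/null | awk '{print $1, $3, $4}')
    [ $# -eq 3 ] || return 2
    [ "$cr_uid" = 0 ] && return 0                      # root bypasses mode bits
    if [ "$cr_uid" = "$2" ]; then cr_col=2             # owner triplet
    elif printf ' %s ' "$cr_gids" | grep -q " $3 "; then cr_col=5   # group
    else cr_col=8                                      # other
    fi
    [ "$(printf %s "$1" | cut -c"$cr_col")" = r ]
}

# keytab_check KEYTAB [USER]: report on the keytab exported as KRB5_KTNAME.
keytab_check() {
    kc_user=${2:-named}
    kc_uid=$(id -u "$kc_user" 2>/dev/null) || { echo "no such user: $kc_user"; return 2; }
    # An identity matching neither owner nor group sees the "other" bits.
    if can_read "$1" -1 ""; then echo "WARN: $1 is world-readable"; fi
    if can_read "$1" "$kc_uid" "$(id -G "$kc_user")"; then
        echo "OK: $kc_user can read $1"
    else
        echo "FAIL: $kc_user cannot read $1"; return 1
    fi
}

# Usage: sh audit.sh NAMED_CONF /usr/local/samba/private/dns.keytab
if [ $# -eq 2 ]; then
    if has_open_update "$1"; then echo "WEAK: $1 allows updates from any host"; fi
    keytab_check "$2"
fi
```

A keytab that passes this check can still be unreachable if a parent directory denies search permission to the BIND account, so check the directories on the path as well.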


More information about the samba-technical mailing list