Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at proclivitysystems.com
Tue Dec 6 08:24:33 MST 2011


Hi Andrew,

I upgraded to Bind 9.8.1 on the original PDC, and followed the instructions
to set up DDNS for that version of bind. It seems to have broken kerberos.
When I restart Bind I get this:

Reloading domain name service...: bind9rndc: connection to remote host
closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
 failed!

If I remove the key entry in /etc/bind/named.conf.options that error goes
away, but either way I get this error when testing DDNS:

psadmin at opdc0:~/bind-9.8.1-P1$ sudo /usr/local/samba/sbin/samba_dnsupdate --verbose
IPs: ['10.0.96.44']
Looking for DNS entry A corp.core 10.0.96.44 as corp.core.
Looking for DNS entry A opdc0.corp.core 10.0.96.44 as opdc0.corp.core.
Looking for DNS entry CNAME
b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs.corp.core opdc0.corp.core as
b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs.corp.core.
Looking for DNS entry SRV
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.corp.core
opdc0.corp.core 88 as
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.corp.core.
Looking for DNS entry SRV
_ldap._tcp.default-first-site-name._sites.dc._msdcs.corp.core
opdc0.corp.core 389 as
_ldap._tcp.default-first-site-name._sites.dc._msdcs.corp.core.
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.corp.core
opdc0.corp.core 88 as _kerberos._tcp.dc._msdcs.corp.core.
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.corp.core opdc0.corp.core
389 as _ldap._tcp.dc._msdcs.corp.core.
Looking for DNS entry SRV
_ldap._tcp.a3d53761-ad10-49af-9c68-9f08ebf3fb88.domains._msdcs.corp.core
opdc0.corp.core 389 as
_ldap._tcp.a3d53761-ad10-49af-9c68-9f08ebf3fb88.domains._msdcs.corp.core.
Looking for DNS entry SRV
_ldap._tcp.default-first-site-name._sites.gc._msdcs.corp.core
opdc0.corp.core 3268 as
_ldap._tcp.default-first-site-name._sites.gc._msdcs.corp.core.
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.corp.core opdc0.corp.core
3268 as _ldap._tcp.gc._msdcs.corp.core.
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.corp.core opdc0.corp.core
389 as _ldap._tcp.pdc._msdcs.corp.core.
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.corp.core
opdc0.corp.core 3268 as _gc._tcp.default-first-site-name._sites.corp.core.
Looking for DNS entry SRV
_kerberos._tcp.default-first-site-name._sites.corp.core opdc0.corp.core 88
as _kerberos._tcp.default-first-site-name._sites.corp.core.
Looking for DNS entry SRV
_ldap._tcp.default-first-site-name._sites.corp.core opdc0.corp.core 389 as
_ldap._tcp.default-first-site-name._sites.corp.core.
Looking for DNS entry SRV _gc._tcp.corp.core opdc0.corp.core 3268 as
_gc._tcp.corp.core.
Looking for DNS entry SRV _kerberos._tcp.corp.core opdc0.corp.core 88 as
_kerberos._tcp.corp.core.
Looking for DNS entry SRV _kpasswd._tcp.corp.core opdc0.corp.core 464 as
_kpasswd._tcp.corp.core.
Looking for DNS entry SRV _ldap._tcp.corp.core opdc0.corp.core 389 as
_ldap._tcp.corp.core.
Looking for DNS entry SRV _kerberos._udp.corp.core opdc0.corp.core 88 as
_kerberos._udp.corp.core.
Looking for DNS entry SRV _kpasswd._udp.corp.core opdc0.corp.core 464 as
_kpasswd._udp.corp.core.
Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_dnsupdate", line 397, in <module>
    get_credentials(lp)
  File "/usr/local/samba/sbin/samba_dnsupdate", line 106, in get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for OPDC0$@CORP.CORE failed (Cannot contact any KDC for requested realm: unable to reach any KDC in realm CORP.CORE)

But the errors on the new DC look like they are related to that server not
seeing itself... maybe because of DDNS, as you said, or maybe something
else?

Cheers,

Aubrey Ekstrom | Systems Administrator
Proclivity Systems
22 West 19th St., Ninth Floor
New York, NY 10011
p 646.380.2416
aekstrom at proclivitysystems.com
www.proclivitysystems.com

Proclivity® | We Value Your Customers™

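The rndc failure quoted above lists "the key is invalid" among its possible causes, which in practice usually means the key clause in named.conf.options and the one in rndc.conf no longer agree (different secret, different algorithm, or a controls clause that names a key rndc does not present). The following is an added example, not code from this post, from Samba or from BIND: it parses the key and controls clauses out of two constructed config fragments (placeholder secrets, deliberately mismatched) and reports the inconsistency without ever printing a secret. It assumes the standard BIND syntax for key, controls and default-key clauses.

```python
import re

# Constructed sample fragments (not from the original post). The secrets are
# placeholders and are deliberately different so the mismatch is detected.
NAMED_CONF = '''
// /etc/bind/named.conf.options (constructed sample)
key "rndc-key" {
    algorithm hmac-md5;
    secret "KEY_A_PLACEHOLDER_BASE64==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
'''

RNDC_CONF = '''
# /etc/bind/rndc.conf (constructed sample)
key "rndc-key" {
    algorithm hmac-md5;
    secret "KEY_B_PLACEHOLDER_BASE64==";
};
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
'''

KEY_BLOCK_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}')
FIELD_RE = re.compile(r'\b(algorithm|secret)\s+"?([^";\s]+)"?\s*;')


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out keys are ignored."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def parse_keys(conf):
    """Map key name -> (algorithm, secret) for every key clause in conf."""
    keys = {}
    for name, body in KEY_BLOCK_RE.findall(strip_comments(conf)):
        fields = dict(FIELD_RE.findall(body))
        keys[name] = (fields.get("algorithm", "").lower(), fields.get("secret", ""))
    return keys


def control_key_names(conf):
    """Key names listed in the controls clause, i.e. the keys rndc may use."""
    text = strip_comments(conf)
    start = text.find("controls")
    if start < 0:
        return []
    names = []
    for body in re.findall(r'\bkeys\s*\{([^}]*)\}', text[start:]):
        names += re.findall(r'"?([\w.-]+)"?\s*;', body)
    return names


def check_rndc_keys(named_conf, rndc_conf):
    """Return a list of problems; an empty list means rndc should authenticate.
    Secrets are compared but never included in the messages."""
    problems = []
    named_keys = parse_keys(named_conf)
    rndc_keys = parse_keys(rndc_conf)
    allowed = control_key_names(named_conf)
    if not allowed:
        problems.append("named.conf has no controls/keys clause, so rndc cannot authenticate")
    m = re.search(r'default-key\s+"?([\w.-]+)"?\s*;', strip_comments(rndc_conf))
    default_key = m.group(1) if m else None
    if default_key and default_key not in allowed:
        problems.append(f"rndc default-key {default_key!r} is not listed in named.conf controls")
    for name in allowed:
        if name not in named_keys:
            problems.append(f"controls references key {name!r} that named.conf does not define")
        elif name not in rndc_keys:
            problems.append(f"rndc.conf does not define key {name!r}")
        elif named_keys[name] != rndc_keys[name]:
            problems.append(f"key {name!r}: algorithm or secret differs between named.conf and rndc.conf")
    return problems


if __name__ == "__main__":
    for p in check_rndc_keys(NAMED_CONF, RNDC_CONF) or ["rndc key configuration is consistent"]:
        print(p)
```

To run it against a real host, replace the two constructed strings with the contents of the actual files; the check deliberately reports only which key differs, so its output can be pasted into a ticket or a mailing-list post without leaking the shared secret.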
On Thu, Dec 1, 2011 at 5:02 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Thu, 2011-12-01 at 16:49 -0500, Aubrey Ekstrom wrote:
> > Hi Andrew,
> >
> > Thanks for the fast reply!
> >
> > Unfortunately my previous boss told me specifically not to set up dynamic
> > DNS on the Samba 4 PDC, despite my objections. He had some strange ideas
> > about security, that being one of them... but he is gone now. That was why
> > I suspected that maybe DNS & Kerberos was the issue here. I think I need to
> > update Bind9 on the PDC to get DDNS working though. I don't mind working on
> > that and then building another DC, but either way it would be nice if I
> > could delete the bad DC(s) from A/D. Any ideas on that? (see the thread for
> > what we tried to do deleting the orphaned DC server from A/D).
> >
> > Pretty soon my new boss is going to tell me not to spend any more time on
> > this and just use Windows A/D :^(. I really don't mind doing that, but I do
> > enjoy running an alpha Samba 4 on Debian Linux for our Active Directory,
> > and having it be 1000X more stable than any Windows Server I have ever
> > worked with, even if it doesn't have 100% functionality... yet :).
>
> Once you have DDNS working on your first DC, the new DC should 'just
> work' - it will again try and update DNS, and then behave normally.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
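Andrew's point is that a new DC only behaves once the records samba_dnsupdate asks for actually exist in DNS, and the kinit failure in the verbose output above shows the other half of that dependency: Kerberos needs DNS to locate a KDC. The following added example (not code from this thread or from Samba) parses the "Looking for DNS entry" lines of samba_dnsupdate --verbose into a checklist, compares it with a constructed snapshot of what the zone actually answers, and flags what is missing, including the _kerberos._tcp SRV record. The sample output reuses names from the post; the zone snapshot is constructed; and the check assumes the KDC is discovered through DNS rather than pinned in krb5.conf.

```python
import re
from collections import namedtuple

Record = namedtuple("Record", "rtype name target port")

# One "Looking for DNS entry" line per record samba_dnsupdate wants to see.
# A records carry an address, CNAME a target, SRV a target and a port.
LINE_RE = re.compile(
    r'^Looking for DNS entry (A|CNAME|SRV) (\S+) (\S+)(?: (\d+))? as \S+$')

# Constructed sample, modelled on the post's --verbose output (trimmed to a
# few records and unwrapped; the mail client had wrapped the long lines).
SAMPLE_OUTPUT = """\
IPs: ['10.0.96.44']
Looking for DNS entry A corp.core 10.0.96.44 as corp.core.
Looking for DNS entry A opdc0.corp.core 10.0.96.44 as opdc0.corp.core.
Looking for DNS entry CNAME b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs.corp.core opdc0.corp.core as b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs.corp.core.
Looking for DNS entry SRV _kerberos._tcp.corp.core opdc0.corp.core 88 as _kerberos._tcp.corp.core.
Looking for DNS entry SRV _ldap._tcp.corp.core opdc0.corp.core 389 as _ldap._tcp.corp.core.
Looking for DNS entry SRV _kpasswd._tcp.corp.core opdc0.corp.core 464 as _kpasswd._tcp.corp.core.
"""

# Constructed snapshot of what the zone actually answers, as a dict of
# (rtype, owner name) -> set of (target, port). Here only the A records and
# the plain LDAP SRV exist; nothing under _msdcs or for Kerberos was added,
# which is the situation a DC without working DDNS ends up in.
SAMPLE_ZONE = {
    ("A", "corp.core"): {("10.0.96.44", None)},
    ("A", "opdc0.corp.core"): {("10.0.96.44", None)},
    ("SRV", "_ldap._tcp.corp.core"): {("opdc0.corp.core", 389)},
}


def parse_dnsupdate_output(text):
    """Turn samba_dnsupdate --verbose output into the list of wanted records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rtype, name, target, port = m.groups()
            records.append(Record(rtype, name.lower().rstrip("."),
                                  target.lower().rstrip("."),
                                  int(port) if port else None))
    return records


def missing_records(wanted, zone):
    """Records samba_dnsupdate wants that the zone snapshot does not contain."""
    return [r for r in wanted
            if (r.target, r.port) not in zone.get((r.rtype, r.name), set())]


def kdc_locatable(zone, realm):
    """True if a client can find a KDC for realm through its _kerberos._tcp SRV
    record (assumption: the KDC is located via DNS, not pinned in krb5.conf)."""
    return bool(zone.get(("SRV", "_kerberos._tcp." + realm.lower())))


if __name__ == "__main__":
    wanted = parse_dnsupdate_output(SAMPLE_OUTPUT)
    for r in missing_records(wanted, SAMPLE_ZONE):
        print("missing:", r.rtype, r.name, "->", r.target, r.port or "")
    if not kdc_locatable(SAMPLE_ZONE, "CORP.CORE"):
        print("no _kerberos._tcp SRV record: kinit cannot discover a KDC via DNS")
```

On a real system the zone snapshot would be built from dig or samba-tool dns query answers rather than a literal; the value of the checklist is that it separates "the record was never registered" (a DDNS problem, as Andrew suggests) from "the record exists but kinit still fails" (a krb5.conf or clock problem), which the single traceback does not distinguish.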