Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD
abartlet at samba.org
Tue Dec 6 18:19:39 MST 2011
On Tue, 2011-12-06 at 10:24 -0500, Aubrey Ekstrom wrote:
> Hi Andrew,
> I upgraded to Bind 9.8.1 on the original PDC, and followed the instructions
> to set up DDNS for that version of bind. It seems to have broken kerberos.
> When I restart Bind I get this:
> Reloading domain name service...: bind9rndc: connection to remote host
> This may indicate that
> * the remote server is using an older version of the command protocol,
> * this host is not authorized to connect,
> * the clocks are not synchronized, or
> * the key is invalid.
> If I remove the key entry in /etc/bind/named.conf.options that error goes
> away, but either way I get this error when testing DDNS:
What error did you get in the logs after the restart? Did you compile
Bind 9.8.1 with GSSAPI?
> psadmin at opdc0:~/bind-9.8.1-P1$ sudo /usr/local/samba/sbin/samba_dnsupdate
> Traceback (most recent call last):
> File "/usr/local/samba/sbin/samba_dnsupdate", line 397, in <module>
> File "/usr/local/samba/sbin/samba_dnsupdate", line 106, in get_credentials
> creds.get_named_ccache(lp, ccachename)
> *RuntimeError: kinit for OPDC0$@CORP.CORE failed (Cannot contact any KDC
> for requested realm: unable to reach any KDC in realm CORP.CORE)*
> But the errors on the new DC look like they are related to that server not
> seeing itself... maybe because of DDNS, as you said, or maybe something
This certainly appears to be a DNS issue. You do not seem to have
enough information in your DNS for Samba to add new DNS entries, because
it cannot find the KDC (using DNS).
On the first server, what is in the corp.core zone? In particular, does
SRV _kerberos._tcp.corp.core point to a running Samba DC?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
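The check Andrew asks for above, as an added example that is not part of this thread or of Samba: it parses dig-style answer lines for the realm's zone and reports SRV records that are missing, point at the wrong port, have no A record, or name a host that is not a running DC. The zone text is constructed; the required set of SRV names (the standard AD set, wider than the single `_kerberos._tcp` record named in the thread) and the list of running DCs are assumptions you would replace with `dig +noall +answer` output and your own DC list.

```python
"""Offline sanity check of the AD DNS records kinit and samba_dnsupdate rely on."""
from collections import defaultdict

# Constructed sample zone, in the format `dig +noall +answer` prints.
SAMPLE_ZONE = """\
_kerberos._tcp.corp.core. 900 IN SRV 0 100 88 opdc0.corp.core.
_kerberos._udp.corp.core. 900 IN SRV 0 100 88 opdc0.corp.core.
_kpasswd._tcp.corp.core. 900 IN SRV 0 100 464 opdc0.corp.core.
_ldap._tcp.corp.core. 900 IN SRV 0 100 389 opdc0.corp.core.
opdc0.corp.core. 900 IN A 10.0.0.10
"""

# Assumed: SRV names every AD DC registers, with the port each must carry.
REQUIRED_SRV = {"_kerberos._tcp": 88, "_kerberos._udp": 88,
                "_kpasswd._tcp": 464, "_ldap._tcp": 389}


def parse_zone(text):
    """Return ({srv name: [(port, target)]}, {host: [ipv4]}) from dig answer lines."""
    srv, a = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue  # skip comments, blanks and anything not a record
        name = f[0].rstrip(".").lower()
        if f[3] == "SRV" and len(f) == 8:      # prio weight port target
            srv[name].append((int(f[6]), f[7].rstrip(".").lower()))
        elif f[3] == "A" and len(f) == 5:
            a[name].append(f[4])
    return srv, a


def check_realm(text, realm, running_dcs):
    """List the DNS problems that would leave a client unable to find a KDC."""
    srv, a = parse_zone(text)
    realm = realm.lower()
    problems = []
    for prefix, port in REQUIRED_SRV.items():
        name = f"{prefix}.{realm}"
        if not srv.get(name):
            problems.append(f"missing SRV {name}")
            continue
        for p, target in srv[name]:
            if p != port:
                problems.append(f"{name}: unexpected port {p} for {target}")
            if target not in a:
                problems.append(f"{name}: target {target} has no A record")
            if target not in running_dcs:
                problems.append(f"{name}: target {target} is not a running DC")
    return problems
```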