Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at
Wed Dec 7 08:20:39 MST 2011

Hi Andrew,

Good morning! Thank you for the help.

Yes Bind 9.8.1 was built with GSSAPI. I followed the instructions word for

$ ps -Af | grep named
bind      4481     1  0 Dec05 ?        00:00:02 /usr/local/sbin/named -u
bind      9136     1  0 Dec06 ?        00:00:26 /usr/local/sbin/named -u

$ /usr/local/sbin/named -V
BIND 9.8.1-P1 built with '--with-gssapi=/usr/include/gssapi'
using OpenSSL version: OpenSSL 0.9.8g 19 Oct 2007
using libxml2 version: 2.6.32

$ /usr/local/samba/sbin/samba --version
Version 4.0.0alpha14-GIT-800a76d

Kerberos and DNS were working fine prior to upgrading from Bind 9.7.2 to
9.8.1. In fact both new DCs had no problem joining the domain, it was after
the join that they had replication issues, which I agree with you, is most
likely a DDNS issue since my previous boss refused to let me set it up back
when I first built the current PDC (when I could have played with it until
it worked before it was live and populated and being used).

The one error that is the same between when I 1st set this up on the
current PDC and ran into trouble with DDNS using Bind 9.7.2, and the
current error reported by standard out, was it not liking the key. Adding
and removing the key reference needed for DDNS got rid of that error both
then and now. The big difference now is that it still says it can't find
the KDC, even with the key reference removed from named.conf.options. Is it
possible to regenerate that key without re-provisioning the live PDC to see
if maybe the key tab file is corrupted?

I will also look at the logs again for Bind and Samba 4 for any more
specific errors and send you those. Thanks again!


Aubrey Ekstrom | *Systems Administrator
Proclivity Systems
22 West 19th St., Ninth Floor
New York, NY 10011
p 646.380.2416
aekstrom at

*Proclivity® | We Value Your Customers™*

This message is the property of Proclivity Systems, Inc. and is intended
only for the use of the addressee(s), and may contain material that is
confidential and privileged for the sole use of the intended recipient.  If
you are not the intended recipient, reliance or forwarding without express
permission is strictly prohibited; please contact the sender and delete all

On Tue, Dec 6, 2011 at 8:19 PM, Andrew Bartlett <abartlet at> wrote:

> On Tue, 2011-12-06 at 10:24 -0500, Aubrey Ekstrom wrote:
> > Hi Andrew,
> >
> > I upgraded to Bind 9.8.1 on the original PDC, and followed the
> instructions
> > to set up DDNS for that version of bind. It seems to have broken
> kerberos.
> > When I restart Bind I get this:
> >
> > Reloading domain name service...: bind9rndc: connection to remote host
> > closed
> > This may indicate that
> > * the remote server is using an older version of the command protocol,
> > * this host is not authorized to connect,
> > * the clocks are not synchronized, or
> > * the key is invalid.
> >  failed!
> >
> > If I remove the key entry in /etc/bind/named.conf.options that error goes
> > away, but either way I get this error when testing DDNS:
> What error did you get in the logs after the restart?  Did you compile
> the Bind 9.8.1 with GSSAPI?
> > psadmin at opdc0:~/bind-9.8.1-P1$ sudo
> /usr/local/samba/sbin/samba_dnsupdate
> > --verbose
> > Traceback (most recent call last):
> >   File "/usr/local/samba/sbin/samba_dnsupdate", line 397, in <module>
> >     get_credentials(lp)
> >   File "/usr/local/samba/sbin/samba_dnsupdate", line 106, in
> get_credentials
> >     creds.get_named_ccache(lp, ccachename)
> > *RuntimeError: kinit for OPDC0$@CORP.CORE failed (Cannot contact any KDC
> > for requested realm: unable to reach any KDC in realm CORP.CORE)*
> >
> > But the errors on the new DC look like they are related to that server
> not
> > seeing itself... maybe because of DDNS, as you said, or maybe something
> > else?
> This certainly appears to be a DNS issue.  You do not seem to have
> enough information in your DNS for Samba to add new DNS entries, because
> it cannot find the KDC (using DNS).
> On the first server, what is in the corp.core zone?  In particular, does
> SRV _kerberos._tcp.corp.core point to a running Samba DC?
> Andrew Bartlett
> --
> Andrew Bartlett                      
> Authentication Developer, Samba Team 

More information about the samba-technical mailing list