Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at proclivitysystems.com
Fri Dec 9 10:20:28 MST 2011


Hi Andrew,

I find the error below in both /var/log/daemon.log & /var/log/syslog
for the named process:

*invalid command from 127.0.0.1#40623: bad auth*

To recap the error bind9 reload displays:

$ sudo /etc/init.d/bind9 reload
Reloading domain name service...: bind9rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* *the key is invalid.*
 failed!

There is currently no remote server set up for Bind on this box, so I
assume the key is the issue. I thought this was the Samba 4 key used for
DDNS, but it may be the rndc key that is the issue.

Both the above log entry and the above output are generated whenever I try
to reload Bind. Based on researching that error, I am looking at rndc
documentation and files to determine if that may be a root cause. I tried
running rndc-confgen -a to generate a new key/key file, but that did not
help. So if you or anyone else has any insight it would be greatly
appreciated :).

The only recently changed log in /var/log/samba/ was log.nmbd, where I see
this at the end:

[2011/12/09 11:53:34,  4] nmbd/nmbd_workgroupdb.c:dump_workgroups(281)
  dump_workgroups()
   dump workgroup on subnet      XX.XX.XX.44: netmask=  255.255.254.0:
        WORKGROUP(5) current master browser = *WDRABICKI*
        PROCLIVITYNYC0(4) current master browser = *FILES*
        CORP(3) current master browser = *D-DPOLLACK-U*
        CORE(1) current master browser = OPDC0
                OPDC0 40849a03 (Samba 3.2.5)

Not sure it actually applies to what appears to be a bind issue introduced
by the upgrade to 9.8.1. I know in past MS A/D environments desktops
becoming master browser can be an issue too though (the netbios names in
bold are all either desktop machines or non-A/D non-DNS servers).

I don't see anything else in /var/log/samba/log.nmbd, but I am examining it
further.

Cheers,

Aubrey Ekstrom | Systems Administrator
Proclivity Systems
22 West 19th St., Ninth Floor
New York, NY 10011
p 646.380.2416
aekstrom at proclivitysystems.com
www.proclivitysystems.com

*Proclivity® | We Value Your Customers™*


This message is the property of Proclivity Systems, Inc. and is intended
only for the use of the addressee(s), and may contain material that is
confidential and privileged for the sole use of the intended recipient.  If
you are not the intended recipient, reliance or forwarding without express
permission is strictly prohibited; please contact the sender and delete all
copies.

On Wed, Dec 7, 2011 at 10:20 AM, Aubrey Ekstrom <aekstrom at proclivitysystems.com> wrote:

> Hi Andrew,
>
> Good morning! Thank you for the help.
>
> Yes Bind 9.8.1 was built with GSSAPI. I followed the instructions word for
> word.
>
> $ ps -Af | grep named
> bind      4481     1  0 Dec05 ?        00:00:02 /usr/local/sbin/named -u bind
> bind      9136     1  0 Dec06 ?        00:00:26 /usr/local/sbin/named -u bind
>
> $ /usr/local/sbin/named -V
> BIND 9.8.1-P1 built with '--with-gssapi=/usr/include/gssapi'
> using OpenSSL version: OpenSSL 0.9.8g 19 Oct 2007
> using libxml2 version: 2.6.32
>
> $ /usr/local/samba/sbin/samba --version
> Version 4.0.0alpha14-GIT-800a76d
>
> Kerberos and DNS were working fine prior to upgrading from Bind 9.7.2 to
> 9.8.1. In fact both new DCs had no problem joining the domain, it was after
> the join that they had replication issues, which I agree with you, is most
> likely a DDNS issue since my previous boss refused to let me set it up back
> when I first built the current PDC (when I could have played with it until
> it worked before it was live and populated and being used).
>
> The one error that is the same between when I 1st set this up on the
> current PDC and ran into trouble with DDNS using Bind 9.7.2, and the
> current error reported by standard out, was it not liking the key. Adding
> and removing the key reference needed for DDNS got rid of that error both
> then and now. The big difference now is that it still says it can't find
> the KDC, even with the key reference removed from named.conf.options. Is it
> possible to regenerate that key without re-provisioning the live PDC to see
> if maybe the key tab file is corrupted?
>
> I will also look at the logs again for Bind and Samba 4 for any more
> specific errors and send you those. Thanks again!
>
> Cheers,
>
> Aubrey Ekstrom | Systems Administrator
> Proclivity Systems
> 22 West 19th St., Ninth Floor
> New York, NY 10011
> p 646.380.2416
> aekstrom at proclivitysystems.com
> www.proclivitysystems.com
>
> *Proclivity® | We Value Your Customers™*
>
>
> On Tue, Dec 6, 2011 at 8:19 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Tue, 2011-12-06 at 10:24 -0500, Aubrey Ekstrom wrote:
>> > Hi Andrew,
>> >
>> > I upgraded to Bind 9.8.1 on the original PDC, and followed the instructions
>> > to set up DDNS for that version of bind. It seems to have broken kerberos.
>> > When I restart Bind I get this:
>> >
>> > Reloading domain name service...: bind9rndc: connection to remote host closed
>> > This may indicate that
>> > * the remote server is using an older version of the command protocol,
>> > * this host is not authorized to connect,
>> > * the clocks are not synchronized, or
>> > * the key is invalid.
>> >  failed!
>> >
>> > If I remove the key entry in /etc/bind/named.conf.options that error goes
>> > away, but either way I get this error when testing DDNS:
>>
>> What error did you get in the logs after the restart?  Did you compile
>> the Bind 9.8.1 with GSSAPI?
>>
>> > psadmin at opdc0:~/bind-9.8.1-P1$ sudo /usr/local/samba/sbin/samba_dnsupdate --verbose
>>
>> > Traceback (most recent call last):
>> >   File "/usr/local/samba/sbin/samba_dnsupdate", line 397, in <module>
>> >     get_credentials(lp)
>> >   File "/usr/local/samba/sbin/samba_dnsupdate", line 106, in get_credentials
>> >     creds.get_named_ccache(lp, ccachename)
>> > *RuntimeError: kinit for OPDC0$@CORP.CORE failed (Cannot contact any KDC
>> > for requested realm: unable to reach any KDC in realm CORP.CORE)*
>> >
>> > But the errors on the new DC look like they are related to that server not
>> > seeing itself... maybe because of DDNS, as you said, or maybe something else?
>>
>> This certainly appears to be a DNS issue.  You do not seem to have
>> enough information in your DNS for Samba to add new DNS entries, because
>> it cannot find the KDC (using DNS).
>>
>> On the first server, what is in the corp.core zone?  In particular, does
>> SRV _kerberos._tcp.corp.core point to a running Samba DC?
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>>
>>
>
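One way to answer the question Andrew raises (does `_kerberos._tcp.corp.core` point at a reachable DC?) without touching a live server, as an added example that is not part of this thread or of Samba's own code: an offline validator run over a constructed copy of the `corp.core` zone. The realm CORP.CORE and the host name opdc0 come from the thread; the address 192.0.2.44 and the zone contents are constructed placeholders.

```python
"""Validate the DNS records a Samba AD client needs to find its KDC.

Added example, not Samba code. It mirrors the failure in the thread:
samba_dnsupdate's kinit cannot locate a KDC when the realm's SRV records
are missing or point at a host that does not resolve.
"""

# Constructed zone data: (owner name, type) -> list of record data.
# SRV data is (priority, weight, port, target); 192.0.2.44 is a placeholder.
ZONE = {
    ("_kerberos._tcp.corp.core", "SRV"): [(0, 100, 88, "opdc0.corp.core")],
    ("_kerberos._udp.corp.core", "SRV"): [(0, 100, 88, "opdc0.corp.core")],
    ("_kpasswd._tcp.corp.core", "SRV"): [(0, 100, 464, "opdc0.corp.core")],
    ("_ldap._tcp.corp.core", "SRV"): [(0, 100, 389, "opdc0.corp.core")],
    ("opdc0.corp.core", "A"): ["192.0.2.44"],
}

# Core Kerberos/LDAP locator records under the realm's zone. Samba's
# provisioning registers more (e.g. under _msdcs); these are the ones a
# kinit against the realm depends on.
REQUIRED_SRV = [
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_ldap._tcp", 389),
]


def check_realm_dns(zone, realm):
    """Return a list of problems; an empty list means every required SRV
    record exists, uses the expected port and targets a host with an A record."""
    domain = realm.lower()
    problems = []
    for prefix, port in REQUIRED_SRV:
        name = f"{prefix}.{domain}"
        records = zone.get((name, "SRV"), [])
        if not records:
            problems.append(f"missing SRV {name}")
            continue
        for _prio, _weight, rport, target in records:
            target = target.rstrip(".")  # tolerate a fully qualified target
            if rport != port:
                problems.append(f"{name} uses port {rport}, expected {port}")
            if not zone.get((target, "A")):
                problems.append(f"{name} -> {target} has no A record")
    return problems


if __name__ == "__main__":
    for line in check_realm_dns(ZONE, "CORP.CORE") or ["OK: KDC is discoverable"]:
        print(line)
```

Against a real server the same checks map onto `dig -t SRV _kerberos._tcp.corp.core` followed by an A lookup of the returned target.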
