samba4 kerberos process suddenly dies

Andreas Oster aoster at
Fri Dec 16 04:47:12 MST 2011


Hello Andrew, 

I have started with an old Windows 2000 Server (novaw2k04). I've
downloaded the evaluation copy of Win2008R2 from MS, did a forest and
domain prep and added a new 2008R2 DC (novaw2k05). After that I did a
dcpromo on the old 2000 server and demoted it. this I have raised the
domain/forest level to 2008R2. Next I configured a new samba4 server
(novadc01), changed my bind9 setup a little and joined the new server
as an additional DC to the existing domain. I've copied all sysvol
stuff to the samba4 dc and after setting the file/folder rights demoted
the windows 2008R2 server (novaw2k05). This did not work like expected
and I had to remove it manually (do not remember what I did exactly,
but I think I used ADSIedit to do it). After that I tested the new
samba4 DC. Everything seemed to work, so I decided to add another
samba4 DC (novadc02).

I do not use kerberos stuff with bind9. I have changed nsupdate in
smb.conf.



On 16.12.2011 12:31, Andrew Bartlett wrote:

> On Fri, 2011-12-16 at 09:50 +1100, Andrew Bartlett wrote:
>> On Thu, 2011-12-08 at 10:55 +0100, Andreas Oster wrote:
>>> Hello Andrew, did you get a response from the Heimdal team
>>> regarding our issue with the Kerberos process suddenly failing?
>>> Do you need any additional debug logs? Is there anybody out there
>>> with the same issue?
>> What I really need, from you or anyone else seeing the same issue is
>> a network trace at the time of the crash and a copy of the exported
>> keytab for the domain. That way, I can try and understand why we get
>> down this particular path. If this is a testing or non-production
>> network (the keytab goes to the heart of your network's security),
>> it would be great to have these. To provide me with the keytab, run
>> 'samba-tool domain exportkeytab'. For the network trace, see [1]
> One more question: Do you have any non-Samba DCs in the domain? You
> mentioned you migrated from Win2000 - how did you do that (it cannot
> have been directly, as bugs currently prevent that). If you had a
> Windows 2008 DC in the domain it might explain a little of how we got
> here...
> Andrew Bartlett


