samba3upgrade and the DNS account

Andrew Bartlett abartlet at samba.org
Thu Nov 10 15:01:35 MST 2011


On Thu, 2011-11-10 at 11:23 -0500, Adam Tauno Williams wrote:
> On Thu, 2011-11-10 at 10:26 -0500, Adam Tauno Williams wrote:
> > On Thu, 2011-11-10 at 08:31 -0500, Adam Tauno Williams wrote:
> > > Once the above files are installed, your Samba4 server will be ready to
> > > use
> > > Server Role:           domain controller
> > > Hostname:              BARBEL
> > > NetBIOS Domain:        BACKBONE
> > > DNS Domain:            micore.us
> > > DOMAIN SID:            S-1-5-21-2037442776-3290224752-88127236
> > > Admin password:        None
> > > Importing WINS database
> > > Importing Account policy
> > > Importing idmap database
> > > Cannot open idmap database, Ignoring: [Errno 2] No such file or
> > > directory
> > > Ignoring unknown parameter "server role"
> > > Importing groups
> > > Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-514,
> > > groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> > > Group already exists sid=S-1-5-32-544, groupname=Administrators
> > > existing_groupname=Administrators, Ignoring.
> > > Group already exists sid=S-1-5-32-550, groupname=Print Operators
> > > existing_groupname=Print Operators, Ignoring.
> > > Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-512,
> > > groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> > > Importing users
> > 
> > Version 4.0.0alpha18-GIT-22ddbb5
> > 
> > Up till now, if I got to this point, I've always been able to "kinit
> > administrator at MICORE.US", but after this provisioning it is failing with
> > a preauthenticate error.
> > 
> > barbel:~/samba-master #  host -t SRV _kerberos._udp.micore.us.
> > _kerberos._udp.micore.us has SRV record 0 100 88 BARBEL.micore.us.
> > barbel:~/samba-master # host -t A barbel.micore.us.
> > barbel.micore.us has address 10.66.77.1
> > barbel:~/samba-master # kinit administrator at MICORE.US
> > Password for administrator at MICORE.US: 
> > kinit: Preauthentication failed while getting initial credentials
> 
> In general something seems to be going wrong with Kerberos now.  Not
> only can I not authenticate as a user but I can't configure Bind to use
> TKEYs or it fails with a -
> 
> Nov 10 10:46:53 barbel named[26621]: automatic empty zone:
> A.E.F.IP6.ARPA
> Nov 10 10:46:53 barbel named[26621]: automatic empty zone:
> B.E.F.IP6.ARPA
> Nov 10 10:46:53 barbel named[26621]: automatic empty zone:
> 8.B.D.0.1.0.0.2.IP6.ARPA
> Nov 10 10:46:53 barbel named[26621]: configuring TKEY: failure
> Nov 10 10:46:53 barbel named[26621]: loading configuration: failure
> Nov 10 10:46:53 barbel named[26621]: exiting (due to fatal error)
> 
> That is if I have
> options {
>        ....
>         tkey-gssapi-credential "DNS/micore.us";
>         tkey-domain "MICORE.US";
> } in /etc/named.conf
> 
> In /etc/sysconfig/named I have -
> 
> KEYTAB_FILE="/opt/s4/private/dns.keytab"
> KRB5_KTNAME="/opt/s4/private/dns.keytab"
> export KEYTAB_FILE
> export KRB5_KTNAME
> 
> - and dns.keytab is owned by named:named as I have always had.

First, you should try and run Bind 9.8, as it is much, much easier to
configure.  The named.conf snippet for bind 9.7 you have is also old,
but if you use the newer bind, the smaller snippet it uses is also much
simpler.

Finally, a known issue with upgrades from Samba3 and imports from
windows via 'net domain join' is that the dns-machine account is not
created.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
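A check for the keytab side of this problem, added here as an example and not code from the thread or from Samba: a small parser for the version-2 (0x0502) keytab format that MIT and Heimdal tools write, used to confirm that dns.keytab actually contains the principal the named.conf above resolves to, DNS/micore.us@MICORE.US. The sample keytabs and key bytes are constructed inline; against a real file, call parse_keytab(open("/opt/s4/private/dns.keytab", "rb").read()) as the named user, which also proves the file is readable by it.

```python
import struct

# Constructed for this example: tkey-gssapi-credential "DNS/micore.us" + tkey-domain "MICORE.US".
DNS_PRINCIPAL = "DNS/micore.us@MICORE.US"

def _counted(b):                      # keytab counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(principal, kvno, enctype, key):   # encodes one v2 entry (sample input only)
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name type, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body             # size field precedes the body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off, end = off + 4, off + 4 + abs(size)
        if size < 0:                                       # negative size marks a deleted slot
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _read_counted(data, off + 11)
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, enctype))
        off = end
    return entries

def dns_kvnos(data, principal=DNS_PRINCIPAL):   # [] means named has no credential to use for TKEY
    return sorted({vno for p, vno, _ in parse_keytab(data) if p == principal})

# Constructed sample keytabs (placeholder key bytes; enctype 18 = aes256-cts-hmac-sha1-96).
HOST_ONLY = b"\x05\x02" + build_entry("host/barbel.micore.us@MICORE.US", 1, 18, bytes(32))
WITH_DNS = HOST_ONLY + build_entry(DNS_PRINCIPAL, 2, 18, bytes(32))
```

A keytab produced after an upgrade that skipped the dns account looks like HOST_ONLY here: the file exists and is owned by named, but dns_kvnos() returns [] and TKEY configuration fails exactly as in the log above.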