Samba4 Internal Kerberos fails to start on FreeBSD 9.1-Prerelease
Dewayne
dewayne.geraghty at heuristicsystems.com.au
Wed Nov 28 00:33:25 MST 2012
Following the guidance at https://wiki.samba.org/index.php/Samba4/HOWTO and accepting all defaults met with partial success:
Kerberos failed to start.
The following resulted in a successful build and start of most samba4 processes:
# Create and enter a fresh guest system using IP 10.0.5.245
cd /packages/All
pkg_add perl-threaded-5.16.0.tbz python27-2.7.3_3.tbz bind99-base-9.9.1.3 heimdal-1.5.2_4
cd /data # where we'll build the software
fetch http://ftp.samba.org/pub/samba/rc/samba-4.0.0rc5.tar.gz
cd samba-4.0.0rc5
./configure --enable-debug --enable-selftest
make
make install
/usr/local/samba/bin/samba-tool domain provision --realm=hs.local \
--domain=HS --adminpass='AnAdmin1' --server-role=dc
/usr/local/samba/sbin/samba -d 2 --maximum-runtime=600
# The following commands worked correctly
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'AnAdmin1' -c 'ls'
/usr/local/samba/bin/wbinfo -t
/usr/local/samba/bin/wbinfo -u
/usr/local/samba/bin/wbinfo -g
nslookup -type=SRV _ldap._tcp.hs.local.
nslookup -type=SRV _kerberos._tcp.hs.local.
ldapsearch -x -H ldap://10.0.5.245:389/ -D "cn=Administrator,cn=Users,dc=HS,dc=local" -w "AnAdmin1" -b 'dc=hs,dc=local'
Unfortunately, the internal kerberos failed to start
kinit administrator@HS
kinit: krb5_get_init_creds: unable to reach any KDC in realm HS
Reviewing the logs revealed
...
[2012/11/28 17:30:39, 0] ../source4/kdc/kdc.c:690(kdc_add_socket)
Failed to bind to 10.0.5.245:88 UDP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
...
[2012/11/28 17:30:39, 0] ../source4/cldap_server/cldap_server.c:134(cldapd_add_socket)
Failed to bind to ipv4:10.0.5.245:389 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
Which is "interesting" because the ldap queries provide correct responses.
Prior to invoking /usr/local/samba/sbin/samba,
netstat -na | egrep "tcp|udp" # revealed
tcp4 0 52 10.0.5.240.22 10.0.5.2.1294 ESTABLISHED
tcp4 0 0 10.0.5.240.22 10.0.5.2.1182 ESTABLISHED
tcp4 0 0 *.22 *.* LISTEN
udp4 0 0 10.0.5.245.514 *.*
udp4 0 0 *.514 *.*
During samba running,
netstat -na | egrep "tcp|udp"
tcp4 0 0 10.0.5.245.53 *.* LISTEN
tcp4 0 0 10.0.5.245.3268 *.* LISTEN
tcp4 0 0 10.0.5.245.389 *.* LISTEN
tcp4 0 0 10.0.5.245.135 *.* LISTEN
tcp4 0 0 10.0.5.245.1024 *.* LISTEN
tcp4 0 0 10.0.5.245.139 *.* LISTEN
tcp4 0 0 10.0.5.245.445 *.* LISTEN
tcp4 0 52 10.0.5.240.22 10.0.5.2.1294 ESTABLISHED
tcp4 0 0 10.0.5.240.22 10.0.5.2.1182 ESTABLISHED
tcp4 0 0 *.22 *.* LISTEN
udp4 0 0 10.0.5.245.53 *.*
udp4 0 0 10.0.5.245.514 *.*
udp4 0 0 *.514 *.*
There are no firewall rules active and no routing peculiarities. And for those familiar with jails, raw sockets are enabled and bpf
devices are visible.
Key auxiliary files:
/etc/resolv.conf
search hs.local
nameserver 10.0.5.245
/etc/krb5.conf
[libdefaults]
default_realm = HS
dns_lookup_realm = false
dns_lookup_kdc = true
Platform: FreeBSD built 17th Nov.
A fresh FreeBSD jail was created using IPv4 of 10.0.5.245, all services on the host system were stopped with the exception of ssh &
syslog.
The jails are custom and contain only the core operating system, relying upon packages for their "character".
I'm really excited to have gotten this far, and the build was extremely convenient.
I welcome any advice, or am happy to act as someone's fingers in resolving the situation.
I was pleasantly surprised that the service ntp_signed started successfully, which I thought would be a blocker, because ntpd fails
within a jail due to the mlockall syscall.
Kind regards, Dewayne.
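The post above compares a `netstat -na` snapshot taken before starting samba with the bind failures in the log. The following pre-flight check is an added example (it is not part of the original post and not Samba's own tooling): it takes a `netstat -na` snapshot and the jail's address and reports which of the fixed ports a Samba AD DC is documented as binding are already taken, either by a socket on that address or by a wildcard (`*`) socket, which also blocks a later address-specific bind. The port list is assumed from the Samba AD DC documentation and deliberately omits the dynamic RPC port (1024 in the snapshot above). The clean snapshot is built from the "prior to invoking samba" output in the post; the conflict snapshot adds two constructed lines (a wildcard UDP 88 listener and a TCP 389 listener on the jail address) purely to show what a hit looks like.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight check of the
# listening sockets a Samba AD DC needs, run over a `netstat -na` snapshot.

# Fixed ports the AD DC role binds, as proto/port. Assumed from the Samba
# AD DC documentation; the dynamic RPC port (1024 above) is not included.
SAMBA_DC_PORTS="udp/53 tcp/53 udp/88 tcp/88 tcp/135 udp/137 udp/138 tcp/139 udp/389 tcp/389 tcp/445 udp/464 tcp/464 tcp/636 tcp/3268 tcp/3269"

# Constructed snapshot, copied from the post's "prior to invoking samba"
# netstat output (FreeBSD format: proto recv-q send-q local foreign [state]).
SNAPSHOT_CLEAN='tcp4 0 52 10.0.5.240.22 10.0.5.2.1294 ESTABLISHED
tcp4 0 0 10.0.5.240.22 10.0.5.2.1182 ESTABLISHED
tcp4 0 0 *.22 *.* LISTEN
udp4 0 0 10.0.5.245.514 *.*
udp4 0 0 *.514 *.*'

# Constructed variant with two extra sockets that would block the KDC and
# CLDAP binds: a wildcard UDP 88 and a TCP 389 listener on the jail address.
SNAPSHOT_CONFLICT="$SNAPSHOT_CLEAN
udp4 0 0 *.88 *.*
tcp4 0 0 10.0.5.245.389 *.* LISTEN"

# bound_sockets SNAPSHOT ADDR
# Prints proto/port for every local socket in SNAPSHOT that would collide
# with a bind to ADDR: a socket on ADDR itself or a wildcard (*) socket.
# TCP sockets count only in LISTEN state; UDP sockets carry no state.
bound_sockets() {
    snapshot="$1"; addr="$2"
    printf '%s\n' "$snapshot" | awk -v addr="$addr" '
        $1 !~ /^(tcp|udp)/ { next }          # skip headers and unix sockets
        {
            laddr = $4
            port = laddr; sub(/.*\./, "", port)      # text after the last dot
            host = laddr; sub(/\.[^.]*$/, "", host)  # everything before it
            proto = substr($1, 1, 3)                 # tcp4/tcp6/tcp46 -> tcp
            if (proto == "tcp" && $NF != "LISTEN") next
            if (host == "*" || host == addr) print proto "/" port
        }'
}

# port_conflicts SNAPSHOT ADDR
# Prints each required Samba port that is already bound, one per line;
# prints nothing when samba can bind everything it needs on ADDR.
port_conflicts() {
    bound=$(bound_sockets "$1" "$2")
    for want in $SAMBA_DC_PORTS; do
        if printf '%s\n' "$bound" | grep -qx "$want"; then
            echo "$want"
        fi
    done
}

# count_conflicts SNAPSHOT ADDR
# Number of conflicting ports, for use as a go/no-go value in scripts.
count_conflicts() {
    port_conflicts "$1" "$2" | awk 'END { print NR }'
}

# On a live jail: port_conflicts "$(netstat -na)" 10.0.5.245
echo "clean snapshot:    $(count_conflicts "$SNAPSHOT_CLEAN" 10.0.5.245) conflict(s)"
echo "conflict snapshot: $(count_conflicts "$SNAPSHOT_CONFLICT" 10.0.5.245) conflict(s)"
port_conflicts "$SNAPSHOT_CONFLICT" 10.0.5.245
```

Run before `/usr/local/samba/sbin/samba` to confirm that nothing else on the host or in the jail already holds a port the DC needs. Note that it only sees sockets that exist in the snapshot; a bind that fails because samba itself opens the same address twice will not show up here, and for that case the `-d 2` log lines quoted above remain the place to look.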