Samba 4rc3 join to existing domain errors // Kerberos related ?
Joe Comeaux
joe.comeaux at worleyco.com
Wed Oct 24 15:49:19 MDT 2012
Hi List, I'm getting some errors when trying to join a new samba server to an existing samba server.
The setup :
atlas = production samba server, 4.0beta8 ( ubuntu 10.10 32bit )
jcomeaux = test server, samba 4.0.0rc3 ( ubuntu 10.04 32bit )
dmz2dns2 = dns + dhcp server ( ubuntu 10.04 32bit )
I followed instructions at https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC - everything very straightforward and easy to understand.
(on new server)
1) set up kerberos, initialize
root@jcomeaux:~# kinit administrator
Password for administrator@WCRHAMMOND.WORLEYCO.SMB:
root@jcomeaux:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@WCRHAMMOND.WORLEYCO.SMB
Valid starting     Expires            Service principal
10/24/12 16:27:38  10/25/12 02:27:38  krbtgt/WCRHAMMOND.WORLEYCO.SMB@WCRHAMMOND.WORLEYCO.SMB
        renew until 10/25/12 16:27:36
2) join the domain using samba scripts
root@jcomeaux:~# /usr/local/samba/bin/samba-tool domain join wcrhammond.worleyco.smb DC -Uadministrator --realm=wcrhammond.worleyco.smb
Finding a writeable DC for domain 'wcrhammond.worleyco.smb'
Found DC atlas.wcrhammond.worleyco.smb
Password for [WORKGROUP\administrator]:
NO DNS zone information found in source domain, not replicating DNS
workgroup is WCRHAMMOND
realm is wcrhammond.worleyco.smb
...
Joined domain WCRHAMMOND (SID S-1-5-21-911376681-2981003021-3117801655) as a DC
3) start samba
root@jcomeaux:~# /usr/local/samba/sbin/samba
4) check Knowledge Consistency Checker (KCC)
root@jcomeaux:~# /usr/local/samba/bin/samba-tool drs kcc -Uadministrator atlas.wcrhammond.worleyco.smb
Password for [WCRHAMMOND\administrator]:
Consistency check on atlas.wcrhammond.worleyco.smb successful.
5) check that replication is working
root@jcomeaux:~# /usr/local/samba/bin/samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to jcomeaux.wcrhammond.worleyco.smb failed - drsException: DRS connection to jcomeaux.wcrhammond.worleyco.smb failed: (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
raise drsException("DRS connection to %s failed: %s" % (server, e))
The errors :
On the new server, I get "Check your Kerberos ticket, it may have expired." and "RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]"
[2012/10/24 16:31:37, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: Check your Kerberos ticket, it may have expired.
[2012/10/24 16:31:53, 0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]
On the existing production server, I get "kinit ... failed (Clients credentials have been revoked)" and "tdb_mmap failed for size -39583744 (Cannot allocate memory)"
[2012/10/24 15:01:46, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
[2012/10/24 15:01:46, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate:
[2012/10/24 15:01:46, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_spnupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
[2012/10/24 15:01:46, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_spnupdate:
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 485, in <module>
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 120, in get_credentials
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename)
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for ATLAS$@WCRHAMMOND.WORLEYCO.SMB failed (Clients credentials have been revoked)
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
The questions :
On the new server, I run kinit administrator and get a new ticket without any problems (from what I can tell). What is this expired Kerberos ticket it's referencing?
On the production server, it looks like it is looking for a kerberos ticket for servername$@domain. How do I generate THAT kerberos ticket?
Thanks
-Joe
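
Added example, not part of the original post: the log excerpts above arrive as pairs of lines (a header naming util_runcmd.c, then one line of relayed helper output), which scatters the samba_dnsupdate traceback across many entries. This Python code re-pairs them and extracts each helper's final line; the function names are hypothetical, and the sample is a subset of the lines quoted in the post.

```python
import re

# Header of a Samba log entry: [timestamp, level] source.c:line(function)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*(\d+)\] (\S+):(\d+)\((\w+)\)$")
# Helper output relayed by samba_runcmd_io_handler: "/path/to/helper: text"
RELAYED = re.compile(r"^(/[^\s:]+):\s*(.*)$")

# Sample input: lines taken from the production-server excerpt in the post.
SAMPLE = """\
[2012/10/24 15:01:46, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_spnupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
[2012/10/24 15:01:46, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_spnupdate:
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename)
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for ATLAS$@WCRHAMMOND.WORLEYCO.SMB failed (Clients credentials have been revoked)
[2012/10/24 15:01:47, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
"""

def parse_entries(text):
    """Pair each header line with the message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "function": m.group(5), "message": []})
        elif entries and line:
            entries[-1]["message"].append(line)
    return entries

def helper_output(entries):
    """Group relayed helper output by helper path, skipping empty relays."""
    out = {}
    for e in entries:
        if e["function"] != "samba_runcmd_io_handler":
            continue
        for msg in e["message"]:
            m = RELAYED.match(msg)
            if m and m.group(2):
                out.setdefault(m.group(1), []).append(m.group(2))
    return out

def last_lines(entries):
    """Last relayed line per helper; for a Python traceback, the exception itself."""
    return {helper: lines[-1] for helper, lines in helper_output(entries).items()}
```

Calling last_lines(parse_entries(text)) on a full log.samba gives one line per helper script, which separates the samba_spnupdate tdb_mmap failure from the samba_dnsupdate kinit failure.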