Samba 4rc3 join to existing domain errors // Kerberos related ?

Joe Comeaux joe.comeaux at worleyco.com
Wed Oct 24 15:49:19 MDT 2012


Hi List, I'm getting some errors when trying to join a new samba server to an existing samba server.

The setup :
	atlas = production samba server, 4.0beta8 ( ubuntu 10.10 32bit )
	jcomeaux = test server, samba 4.0.0rc3 ( ubuntu 10.04 32bit )
	dmz2dns2 = dns + dhcp server ( ubuntu 10.04 32bit )

I followed instructions at https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC - everything very straightforward and easy to understand.

(on new server)
1) set up kerberos, initialize

root@jcomeaux:~# kinit administrator
Password for administrator@WCRHAMMOND.WORLEYCO.SMB: 
root@jcomeaux:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@WCRHAMMOND.WORLEYCO.SMB

Valid starting     Expires            Service principal
10/24/12 16:27:38  10/25/12 02:27:38  krbtgt/WCRHAMMOND.WORLEYCO.SMB@WCRHAMMOND.WORLEYCO.SMB
	renew until 10/25/12 16:27:36

2) join the domain using samba scripts
root@jcomeaux:~# /usr/local/samba/bin/samba-tool domain join wcrhammond.worleyco.smb DC -Uadministrator --realm=wcrhammond.worleyco.smb
Finding a writeable DC for domain 'wcrhammond.worleyco.smb'
Found DC atlas.wcrhammond.worleyco.smb
Password for [WORKGROUP\administrator]:
NO DNS zone information found in source domain, not replicating DNS
workgroup is WCRHAMMOND
realm is wcrhammond.worleyco.smb
...
Joined domain WCRHAMMOND (SID S-1-5-21-911376681-2981003021-3117801655) as a DC

3) start samba
root@jcomeaux:~# /usr/local/samba/sbin/samba

4) check Knowledge Consistency Checker (KCC)
root@jcomeaux:~# /usr/local/samba/bin/samba-tool drs kcc -Uadministrator atlas.wcrhammond.worleyco.smb
Password for [WCRHAMMOND\administrator]:
Consistency check on atlas.wcrhammond.worleyco.smb successful.

5) check that replication is working
root@jcomeaux:~# /usr/local/samba/bin/samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to jcomeaux.wcrhammond.worleyco.smb failed - drsException: DRS connection to jcomeaux.wcrhammond.worleyco.smb failed: (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))



The errors :
On the new server, I get "Check your Kerberos ticket, it may have expired." and "RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]"

[2012/10/24 16:31:37,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Check your Kerberos ticket, it may have expired.
[2012/10/24 16:31:53,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
  ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]

On the existing production server, I get "kinit ... failed (Clients credentials have been revoked)" and "tdb_mmap failed for size -39583744 (Cannot allocate memory)"

[2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
[2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: 
[2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
[2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate: 
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 485, in <module>
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     get_credentials(lp)
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 120, in get_credentials
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     creds.get_named_ccache(lp, ccachename)
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for ATLAS$@WCRHAMMOND.WORLEYCO.SMB failed (Clients credentials have been revoked)
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)


The questions :
On the new server, I run kinit administrator and get a new ticket without any problems (from what I can tell). What is this expired Kerberos ticket it's referencing?
On the production server, it looks like it is looking for a kerberos ticket for servername$@domain. How do I generate THAT kerberos ticket?

Thanks
-Joe
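
Added example, not part of the original post and not Samba code: the production-server log above interleaves a `samba_runcmd_io_handler` header with every single line a helper script prints, so this sketch folds the entries back together and recovers each script's own output and final error. The function names (`parse_entries`, `child_output`, `last_errors`) are hypothetical; the sample lines are copied from the log quoted in the post.

```python
import re

# Sample input: lines copied from the production-server log quoted in the post.
SAMPLE_LOG = '''\
[2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
[2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_spnupdate:
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 120, in get_credentials
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     creds.get_named_ccache(lp, ccachename)
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for ATLAS$@WCRHAMMOND.WORLEYCO.SMB failed (Clients credentials have been revoked)
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
'''

HEADER = re.compile(r'^\[(?P<ts>[\d/]+ [\d:]+),\s+(?P<level>\d+)\] (?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$')
CHILD = re.compile(r'^(?P<script>/\S+?):\s?(?P<out>.*)$')

def parse_entries(text):
    """Fold each header line and the indented lines after it into one entry."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append(dict(m.groupdict(), body=[]))
        elif entries and raw.strip():
            entries[-1]['body'].append(raw.strip())
    return entries

def child_output(entries):
    """Rebuild each helper script's output from samba_runcmd_io_handler entries."""
    out = {}
    for e in [e for e in entries if e['func'] == 'samba_runcmd_io_handler']:
        for line in e['body']:
            m = CHILD.match(line)
            if m and m.group('out').strip():  # skip the empty relay lines
                out.setdefault(m.group('script'), []).append(m.group('out'))
    return out

def last_errors(text):
    """Map script name -> last line it wrote (the exception, for a traceback)."""
    runs = child_output(parse_entries(text))
    return {path.rsplit('/', 1)[-1]: lines[-1] for path, lines in runs.items()}
```

Run over the sample, `last_errors(SAMPLE_LOG)` pairs `samba_dnsupdate` with the `RuntimeError: kinit for ATLAS$@...` line and `samba_spnupdate` with the `tdb_mmap failed` line, which are the two messages the questions below the log are about.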


More information about the samba-technical mailing list