Samba 4rc3 join to existing domain errors // Kerberos related ?

Matthieu Patou mat at samba.org
Wed Oct 24 22:45:34 MDT 2012


On 10/24/2012 02:49 PM, Joe Comeaux wrote:
> Hi List, I'm getting some errors when trying to join a new samba server to an existing samba server.
>
> The setup :
> 	atlas = production samba server, 4.0beta8 ( ubuntu 10.10 32bit )
> 	jcomeaux = test server, samba 4.0.0rc3 ( ubuntu 10.04 32bit )
> 	dmz2dns2 = dns + dhcp server ( ubuntu 10.04 32bit )
>
> I followed instructions at https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC - everything very straightforward and easy to understand.
>
> (on new server)
> 1) set up kerberos, initialize
>
> root@jcomeaux:~# kinit administrator
> Password for administrator@WCRHAMMOND.WORLEYCO.SMB:
> root@jcomeaux:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@WCRHAMMOND.WORLEYCO.SMB
>
> Valid starting     Expires            Service principal
> 10/24/12 16:27:38  10/25/12 02:27:38  krbtgt/WCRHAMMOND.WORLEYCO.SMB@WCRHAMMOND.WORLEYCO.SMB
> 	renew until 10/25/12 16:27:36
>
> 2) join the domain using samba scripts
> root@jcomeaux:~# /usr/local/samba/bin/samba-tool domain join wcrhammond.worleyco.smb DC -Uadministrator --realm=wcrhammond.worleyco.smb
> Finding a writeable DC for domain 'wcrhammond.worleyco.smb'
> Found DC atlas.wcrhammond.worleyco.smb
> Password for [WORKGROUP\administrator]:
> NO DNS zone information found in source domain, not replicating DNS
> workgroup is WCRHAMMOND
> realm is wcrhammond.worleyco.smb
> ...
> Joined domain WCRHAMMOND (SID S-1-5-21-911376681-2981003021-3117801655) as a DC
>
> 3) start samba
> root@jcomeaux:~# /usr/local/samba/sbin/samba
>
> 4) check Knowledge Consistency Checker (KCC)
> root@jcomeaux:~# /usr/local/samba/bin/samba-tool drs kcc -Uadministrator atlas.wcrhammond.worleyco.smb
> Password for [WCRHAMMOND\administrator]:
> Consistency check on atlas.wcrhammond.worleyco.smb successful.
>
> 5) check that replication is working
> root@jcomeaux:~# /usr/local/samba/bin/samba-tool drs showrepl
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to jcomeaux.wcrhammond.worleyco.smb failed - drsException: DRS connection to jcomeaux.wcrhammond.worleyco.smb failed: (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
>    File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
>      (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>    File "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
>      raise drsException("DRS connection to %s failed: %s" % (server, e))
>
>
>
> The errors :
> On the new server, I get "Check your Kerberos ticket, it may have expired." and "RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]"
>
> [2012/10/24 16:31:37,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate: Check your Kerberos ticket, it may have expired.
> [2012/10/24 16:31:53,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
>    ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]
>
> On the existing production server, I get "kinit ... failed (Clients credentials have been revoked)" and "tdb_mmap failed for size -39583744 (Cannot allocate memory)"
>
> [2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
> [2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:
> [2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_spnupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
> [2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_spnupdate:
> [2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
> [2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 485, in <module>
> [2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:     get_credentials(lp)
> [2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 120, in get_credentials
> [2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate:     creds.get_named_ccache(lp, ccachename)
> [2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>    /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for ATLAS$@WCRHAMMOND.WORLEYCO.SMB failed (Clients credentials have been revoked)
> [2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>
>
> The questions :
> On the new server, I run kinit administrator and get a new ticket without any problems (from what I can tell). What is this expired Kerberos ticket it's referencing?
> On the production server, it looks like it is looking for a kerberos ticket for servername$@domain. How do I generate THAT kerberos ticket?

Some parts of Samba (i.e. DNS updates) request tickets on behalf of
the DC's account in order to perform their job.
What worries me a lot about your provision is the

tdb_mmap failed for size -39583744 (Cannot allocate memory)

You should run a samba-tool dbcheck on it and tell us what's going on.
Also, what does kinit administrator@REALM return on the atlas host?

Matthieu

-- 
Matthieu Patou
Samba Team
http://samba.org
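
An added example (not part of the original thread and not Samba's own code): one way to regroup the child-script output that `samba_runcmd_io_handler` relays line by line in the log excerpt quoted above, and to pull out the negative `tdb_mmap` size and the failed `kinit` principal. The sample log is shortened from that excerpt; the function names and regular expressions are assumptions of this example.

```python
import re

# Sample input: shortened from the log excerpt quoted in the message above.
SAMPLE_LOG = """\
[2012/10/24 15:01:46,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: ltdb: tdb(/usr/local/samba/private/sam.ldb.d/DC=WCRHAMMOND,DC=WORLEYCO,DC=SMB.ldb): tdb_mmap failed for size -39583744 (Cannot allocate memory)
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate:     creds.get_named_ccache(lp, ccachename)
[2012/10/24 15:01:47,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for ATLAS$@WCRHAMMOND.WORLEYCO.SMB failed (Clients credentials have been revoked)
[2012/10/24 16:31:53,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
  ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]
"""

# "[timestamp, level] source.c:line(function)" header written before each message.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] (?P<src>\S+)\((?P<func>\w+)\)$")
# Indented continuation: "<script path>: <one line of the child's output>".
CHILD = re.compile(r"^\s+(?P<script>/\S+): ?(?P<text>.*)$")
MMAP = re.compile(r"tdb\((?P<db>[^)]*)\): tdb_mmap failed for size (?P<size>-?\d+)")
KINIT = re.compile(r"kinit for (?P<principal>\S+) failed \((?P<reason>[^)]*)\)")

def parse(log):
    """Group output relayed by samba_runcmd_io_handler by the script that wrote it."""
    per_script, func = {}, None
    for line in log.splitlines():
        header = HEADER.match(line)
        if header:
            func = header.group("func")
            continue
        child = CHILD.match(line)
        if child and func == "samba_runcmd_io_handler":
            per_script.setdefault(child.group("script"), []).append(child.group("text"))
    return per_script

def findings(per_script):
    """Return (script, issue, subject, detail) tuples worth reporting to the list."""
    out = []
    for script, lines in per_script.items():
        for text in lines:
            mmap = MMAP.search(text)
            if mmap and int(mmap.group("size")) < 0:
                out.append((script, "negative tdb_mmap size", mmap.group("db"), int(mmap.group("size"))))
            kinit = KINIT.search(text)
            if kinit:
                out.append((script, "kinit failed", kinit.group("principal"), kinit.group("reason")))
    return out
```

Joining the regrouped lines for one script with newlines gives back that script's traceback in readable form.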



More information about the samba-technical mailing list