samba_dnsupdate: Check your Kerberos ticket, it may have expired.
Michael Wood
esiotrot at gmail.com
Fri Jan 18 01:34:53 MST 2013
Hi Björn

On 17 January 2013 18:11, Bjoern Baumbach <bb at sernet.de> wrote:
> Hi Michael,
>
> On 01/17/2013 04:38 PM, Michael Wood wrote:
>> I tried running samba_dnsupdate --all-names --verbose, but it spews out a
>> bunch of errors suggesting that the Kerberos ticket might have expired.
>
> I think I've seen the same messages before fixing bug 9517.
> https://bugzilla.samba.org/show_bug.cgi?id=9517
>
> A workaround could be a copy or sym-link of the Samba-generated
> krb5.conf (I think typically stored in /var/lib/samba/private/) to
> /etc/krb5.conf.

Thanks for the info.

My /etc/krb5.conf looks the same as the one from
/usr/local/samba/private except for extra stuff to do with Kerberos 4
and the default MIT etc. realms that I don't actually need, but were
there to begin with.

The krb5.conf in private looks like
source4/selftest/provisions/alpha13/private/krb5.conf except for the
dns_lookup_* values being set to false. (And of course the
realm/domain names.)

I don't see anything in there that would tell nsupdate where to look
for the keytab. Is there something missing from my krb5.conf? I
don't know too much about Kerberos, so I'm not quite sure how the
keytab fits in.

Also, as I said in my first message, this is a database restored from
a machine with a different name. I'm fine with pretending that this
machine has the same name as the live machine, but is Samba/Kerberos
OK with that? Is something perhaps picking up the wrong name and
messing things up? The samba_upgradedns script or something seems to
have created records for one of the IP addresses on this machine using
the live machine's name, so I think Samba would be OK, but maybe I'm
mistaken.

I tried the patch in the bug report to see if it would make a
difference, but it did not.

Thanks again for your help. I would appreciate any more enlightenment
regarding this.

--
Michael Wood <esiotrot at gmail.com>