Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

sambalist.1.olol13 at spamgourmet.com sambalist.1.olol13 at spamgourmet.com
Wed Mar 18 11:05:23 MDT 2015 

Hello,

I am trying to upgrade an Samba 3 DC to an Samba 4 AD DC with BIND9_DLZ
backend on Debian Jessie. Before I was using tinydns on a different server
and want to replace it with BIND.
I'm trying this with copies of virtual machines in a different subnet (The
debian jessie AD DC and DNS, a Win7 Client used for RSAT tools
administration, a debian squeezy file server that is part of the domain and
an xp client).
For the most part the new configuration is working, a lot thanks to
exploration of the wiki and the mailing list archives, but I cannot resolve
the hostnames of domain members and think it is because dynamic DNS updates
through kerberos aren't working.

When I try "samba_dnsupdate --verbose --all-names", I get the following
error:
ldb: Destroying timer event 0x1a42d10 "ltdb_timeout"
ldb: Ending timer event 0x1859f30 "ltdb_callback"
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 612, in <module>
    get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
    raise e
RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot
contact any KDC for requested realm)

I can join the domain with windows & linux machines and administer it and
the dns server with RSAT tools. Neither SELinux nor Apparmor are present.

The dns tests from the samba ad dc howto
<https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend> were
all successful:
host -t SRV _ldap._tcp.intranet.mayweg.net.
_ldap._tcp.intranet.mayweg.net has SRV record 0 100 389
server06.intranet.mayweg.net.
host -t SRV _kerberos._udp.intranet.mayweg.net.
_kerberos._udp.intranet.mayweg.net has SRV record 0 100 88
server06.intranet.mayweg.net.
host -t A server06.intranet.mayweg.net.
server06.intranet.mayweg.net has address 192.168.11.250

I can resolve the server06.intranet.mayweg.net and intranet.mayweg.net on
all machines, but hostnames of machines I joined to the domain are not
resolvable from other domain members. A linux machine that joined had the
output:
Joined 'SERVER13' to realm 'intranet.mayweg.net'
DNS update failed!

I can get kerberos tickets on all machines, and join the domain using net
ads join from all of them but the ad dc itself.
On server06 "net ads join -Uadministrator" returns
Failed to join domain: This operation is only allowed for the PDC of the
domain. Maybe this has something to do with the dns updates not working.


I'll follow up with version info and configuration files (interfaces,
resolv.conf, hosts, smb.conf, krb5.conf, named.conf).
Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT
implementations of krb5-admin-server and krb5-kdc installed and configured
until I realized Samba4 brings the heimdal implementation of kerberos with
it. I uninstalled the MIT parts afterwards. Configuration files:


/etc/network/interfaces:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.11.250
        netmask 255.255.255.0
        network 192.168.11.0
        broadcast 192.168.11.255


/etc/resolv.conf:
nameserver 192.168.11.250 #had 127.0.0.1 before with the same error
domain intranet.mayweg.net


/etc/hosts:
127.0.0.1       localhost localhost.localdomain
192.168.11.250  server06.intranet.mayweg.net server06
krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


/etc/samba/smb.conf:
[global]
workgroup = MAYWEG.NET
realm = INTRANET.MAYWEG.NET
netbios name = SERVER06
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
#added after classicupgrade
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command =  /usr/bin/nsupdate -g
domain logons = yes

[netlogon]
path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


/etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf):
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = true #changed to true
dns_lookup_kdc = true

#added after classicupgrade

[realms]
INTRANET.MAYWEG.NET = {
        kdc = krb.intranet.mayweg.net
        admin_server = krb.intranet.mayweg.net
        default_domain = intranet.mayweg.net
}

[domain_realm]

.intranet.mayweg.net = INTRANET.MAYWEG.NET
intranet.mayweg.net = INTRANET.MAYWEG.NET

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log


/etc/bind/named.conf (copied together from the includes...):
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};
logging {
        channel update_debug {
                file "/var/log/update_debug.log" versions 3 size 100k;
                severity debug;
                print-severity  yes;
                print-time      yes;
        };
        channel security_info {
                file "/var/log/security_info.log" versions 1 size 100k;
                severity info;
                print-severity  yes;
                print-time      yes;
        };
        channel bind_log {
                file "/var/log/bind.log" versions 3 size 1m;
                severity info;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };

        category default { bind_log; };
        category lame-servers { null; };
        category update { update_debug; };
        category update-security { update_debug; };
        category security { security_info; };
};
options {
        directory "/var/named";
        recursion yes;
        dnssec-validation auto;
      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain yes;
    notify no;
    empty-zones-enable no;
    allow-query {
        127.0.0.1;
        192.168.11.0/24;
        # add other networks you want to allow to query your DNS
    };
    allow-query-cache {
        127.0.0.1;
        192.168.11.0/24;
        # add other networks you want to allow to query your DNS
    };
    allow-recursion {
        192.168.11.0/24;
127.0.0.1;
        # add other networks you want to allow to do recursive queries
    };
    forwarders {
        # Google public DNS server here - replace with your own if necessary
     };
    allow-transfer {
        # this config is for a single master DNS server
        none;
    };
};

I hope I provided all the necessary information and am grateful for any
hints on where to look for a fix to this problem.

Greetings,
Timo

More information about the samba-technical mailing list