Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

Rowland Penny repenny241155 at gmail.com
Wed Mar 18 12:57:43 MDT 2015


On 18/03/15 17:05, sambalist.1.olol13 at spamgourmet.com wrote:
> Hello,
>
> I am trying to upgrade a Samba 3 DC to a Samba 4 AD DC with BIND9_DLZ
> backend on Debian Jessie. Before I was using tinydns on a different server
> and want to replace it with BIND.
> I'm trying this with copies of virtual machines in a different subnet (The
> debian jessie AD DC and DNS, a Win7 Client used for RSAT tools
> administration, a debian squeeze file server that is part of the domain and
> an xp client).
> For the most part the new configuration is working, thanks in large part to
> exploration of the wiki and the mailing list archives, but I cannot resolve
> the hostnames of domain members and think it is because dynamic DNS updates
> through kerberos aren't working.
>
> When I try "samba_dnsupdate --verbose --all-names", I get the following
> error:
> ldb: Destroying timer event 0x1a42d10 "ltdb_timeout"
> ldb: Ending timer event 0x1859f30 "ltdb_callback"
> Traceback (most recent call last):
>    File "/usr/sbin/samba_dnsupdate", line 612, in <module>
>      get_credentials(lp)
>    File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
>      raise e
> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot
> contact any KDC for requested realm)
>
> I can join the domain with windows & linux machines and administer it and
> the dns server with RSAT tools. Neither SELinux nor Apparmor are present.
>
> The dns tests from the samba ad dc howto
> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend> were
> all successful:
> host -t SRV _ldap._tcp.intranet.mayweg.net.
> _ldap._tcp.intranet.mayweg.net has SRV record 0 100 389
> server06.intranet.mayweg.net.
> host -t SRV _kerberos._udp.intranet.mayweg.net.
> _kerberos._udp.intranet.mayweg.net has SRV record 0 100 88
> server06.intranet.mayweg.net.
> host -t A server06.intranet.mayweg.net.
> server06.intranet.mayweg.net has address 192.168.11.250
>
> I can resolve server06.intranet.mayweg.net and intranet.mayweg.net on
> all machines, but hostnames of machines I joined to the domain are not
> resolvable from other domain members. A linux machine that joined had the
> output:
> Joined 'SERVER13' to realm 'intranet.mayweg.net'
> DNS update failed!
>
> I can get kerberos tickets on all machines, and join the domain using net
> ads join from all of them but the ad dc itself.
> On server06 "net ads join -Uadministrator" returns
> Failed to join domain: This operation is only allowed for the PDC of the
> domain. Maybe this has something to do with the dns updates not working.

You do not run 'net ads join' on a DC, the provision does it for you (or 
as in your case, the upgrade procedure).

>
>
> I'll follow up with version info and configuration files (interfaces,
> resolv.conf, hosts, smb.conf, krb5.conf, named.conf).
> Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT
> implementations of krb5-admin-server and krb5-kdc installed and configured
> until I realized Samba4 brings the heimdal implementation of kerberos with
> it. I uninstalled the MIT parts afterwards. Configuration files:
>
>
> /etc/network/interfaces:
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet static
>          address 192.168.11.250
>          netmask 255.255.255.0
>          network 192.168.11.0
>          broadcast 192.168.11.255
>
>
> /etc/resolv.conf:
> nameserver 192.168.11.250 #had 127.0.0.1 before with the same error
> domain intranet.mayweg.net
>
>
> /etc/hosts:
> 127.0.0.1       localhost localhost.localdomain
> 192.168.11.250  server06.intranet.mayweg.net server06
> krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net

Remove everything from the '192.168.11.250' line from 'krb' onwards; 
they shouldn't be there.

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
> /etc/samba/smb.conf:
> [global]
> workgroup = MAYWEG.NET
> realm = INTRANET.MAYWEG.NET
> netbios name = SERVER06
> interfaces = lo, eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
> ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> #added after classicupgrade
> kerberos method = system keytab
> client ldap sasl wrapping = sign
> allow dns updates = nonsecure and secure
> nsupdate command =  /usr/bin/nsupdate -g
> domain logons = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>

Remove everything you added to smb.conf.

> /etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf):
> [libdefaults]
> default_realm = INTRANET.MAYWEG.NET
> dns_lookup_realm = true #changed to true
> dns_lookup_kdc = true
>
> #added after classicupgrade
>
> [realms]
> INTRANET.MAYWEG.NET = {
>          kdc = krb.intranet.mayweg.net
>          admin_server = krb.intranet.mayweg.net
>          default_domain = intranet.mayweg.net
> }
>
> [domain_realm]
>
> .intranet.mayweg.net = INTRANET.MAYWEG.NET
> intranet.mayweg.net = INTRANET.MAYWEG.NET
>
> [logging]
> kdc = FILE:/var/log/kerberos/krb5kdc.log
> admin_server = FILE:/var/log/kerberos/kadmin.log
> default = FILE:/var/log/kerberos/krb5lib.log
>

Change krb5.conf back to what it was.

> /etc/bind/named.conf (copied together from the includes...):
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
> dlz "AD DNS Zone" {
>      # For BIND 9.8.x
>      # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>
>      # For BIND 9.9.x
>      database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>
>      # For BIND 9.10.x
>      # database "dlopen
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
> };
> logging {
>          channel update_debug {
>                  file "/var/log/update_debug.log" versions 3 size 100k;
>                  severity debug;
>                  print-severity  yes;
>                  print-time      yes;
>          };
>          channel security_info {
>                  file "/var/log/security_info.log" versions 1 size 100k;
>                  severity info;
>                  print-severity  yes;
>                  print-time      yes;
>          };
>          channel bind_log {
>                  file "/var/log/bind.log" versions 3 size 1m;
>                  severity info;
>                  print-category  yes;
>                  print-severity  yes;
>                  print-time      yes;
>          };
>
>          category default { bind_log; };
>          category lame-servers { null; };
>          category update { update_debug; };
>          category update-security { update_debug; };
>          category security { security_info; };
> };
> options {
>          directory "/var/named";
>          recursion yes;
>          dnssec-validation auto;
>        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> auth-nxdomain yes;
>      notify no;
>      empty-zones-enable no;
>      allow-query {
>          127.0.0.1;
>          192.168.11.0/24;
>          # add other networks you want to allow to query your DNS
>      };
>      allow-query-cache {
>          127.0.0.1;
>          192.168.11.0/24;
>          # add other networks you want to allow to query your DNS
>      };
>      allow-recursion {
>          192.168.11.0/24;
> 127.0.0.1;
>          # add other networks you want to allow to do recursive queries
>      };
>      forwarders {
>          # Google public DNS server here - replace with your own if necessary
>       };
>      allow-transfer {
>          # this config is for a single master DNS server
>          none;
>      };
> };
>
> I hope I provided all the necessary information and am grateful for any
> hints on where to look for a fix to this problem.
>
> Greetings,
> Timo

Finally, was the version of bind you are using configured with dlopen?

Rowland
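The four pieces of advice in the reply above (strip the extra names from the DC's /etc/hosts line, remove the hand-added smb.conf settings, put krb5.conf back to the Samba-generated one, and confirm named was built with dlopen) can be turned into a small config lint. The following is an added example, not code from the thread and not Samba's own tooling; the function names are hypothetical, the sample files are constructed to mirror the posted ones, and the `named -V` wording is an assumption (only the `--with-dlopen` configure option is looked for). The baseline it compares krb5.conf against is the file Samba writes to its private directory for an AD DC: `[libdefaults]` only, with `dns_lookup_realm = false` and `dns_lookup_kdc = true`, so the KDC is found via the `_kerberos` SRV records rather than a static `kdc =` line.

```python
"""Lint the hand edits the reply asks the poster to revert (added example)."""
import re

# [global] keys the poster added by hand; classicupgrade does not write them.
HAND_ADDED_GLOBALS = {"kerberos method", "client ldap sasl wrapping",
                      "allow dns updates", "nsupdate command", "domain logons"}


def parse_ini(text):
    """Tiny smb.conf/krb5.conf parser -> {section: {key: value}}.

    '#' starts a comment; krb5.conf 'NAME = { ... }' blocks are flattened
    into the enclosing section as 'name/key'.
    """
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            sections.setdefault(section, {})
        elif line == "}":
            block = None
        elif re.match(r".+=\s*\{$", line):
            block = line.split("=", 1)[0].strip().lower()
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[section][(f"{block}/{key}" if block else key).lower()] = value
    return sections


def hosts_line_problems(hosts_text, dc_ip, fqdn):
    """Names on the DC's /etc/hosts line other than its FQDN and short name."""
    allowed = {fqdn.lower(), fqdn.split(".")[0].lower()}
    extra = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == dc_ip:
            extra += [n for n in fields[1:] if n.lower() not in allowed]
    return extra


def smb_conf_problems(smb_text):
    """[global] keys that were added by hand and should be removed again."""
    return sorted(k for k in parse_ini(smb_text).get("global", {})
                  if k in HAND_ADDED_GLOBALS)


def krb5_conf_problems(krb5_text):
    """Deviations from the krb5.conf Samba generates for an AD DC
    ([libdefaults] only, dns_lookup_realm = false, dns_lookup_kdc = true)."""
    conf = parse_ini(krb5_text)
    lib = conf.get("libdefaults", {})
    problems = []
    if lib.get("dns_lookup_realm", "false").lower() != "false":
        problems.append("dns_lookup_realm is not false")
    if lib.get("dns_lookup_kdc", "").lower() != "true":
        problems.append("dns_lookup_kdc is not true")
    problems += [f"[{s}] section present"
                 for s in ("realms", "domain_realm", "logging") if s in conf]
    return problems


def named_built_with_dlopen(named_v_output):
    """True when the configure options in `named -V` output include dlopen."""
    m = re.search(r"--with-dlopen(?:=([\w./-]+))?", named_v_output)
    return bool(m) and (m.group(1) is None or m.group(1).lower() != "no")


# Constructed samples mirroring the posted files (hosts line unwrapped).
HOSTS_AS_POSTED = """\
127.0.0.1       localhost localhost.localdomain
192.168.11.250  server06.intranet.mayweg.net server06 krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net
"""
SMB_CONF_AS_POSTED = """\
[global]
realm = INTRANET.MAYWEG.NET
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
#added after classicupgrade
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command =  /usr/bin/nsupdate -g
domain logons = yes
"""
KRB5_CONF_AS_POSTED = """\
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = true #changed to true
dns_lookup_kdc = true
[realms]
INTRANET.MAYWEG.NET = {
        kdc = krb.intranet.mayweg.net
}
[domain_realm]
.intranet.mayweg.net = INTRANET.MAYWEG.NET
"""
KRB5_CONF_GENERATED = """\
[libdefaults]
        default_realm = INTRANET.MAYWEG.NET
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""
# Assumed `named -V` fragment; exact wording varies by release and distro.
NAMED_V_SAMPLE = "BIND 9.9.5 built with '--prefix=/usr' '--with-dlopen=yes'"


def lint_all():
    """Run every check over the samples; each non-empty/False entry is a fix to make."""
    return {
        "hosts_extra_names": hosts_line_problems(
            HOSTS_AS_POSTED, "192.168.11.250", "server06.intranet.mayweg.net"),
        "smb_conf_added_keys": smb_conf_problems(SMB_CONF_AS_POSTED),
        "krb5_conf": krb5_conf_problems(KRB5_CONF_AS_POSTED),
        "named_dlopen": named_built_with_dlopen(NAMED_V_SAMPLE),
    }


if __name__ == "__main__":
    for check, result in lint_all().items():
        print(f"{check}: {result}")
```

Run against the posted files it reports the three surplus hosts names, the five hand-added smb.conf keys and the krb5.conf deviations; the same `krb5_conf_problems` call on the Samba-generated file returns an empty list. To use it on a real box, read the files from /etc/hosts, /etc/samba/smb.conf and /etc/krb5.conf and feed `named -V` output into `named_built_with_dlopen`.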
