Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

Rowland Penny repenny241155 at gmail.com
Thu Mar 19 03:22:47 MDT 2015


On 19/03/15 08:38, sambalist.1.olol13 at spamgourmet.com wrote:
> Good morning!
>
> First of all thanks Rowland for the fast answer yesterday! I realized
> that samba-technical might have been the wrong mailing list and
> switched it to the normal samba users list (hopefully it worked, as it
> does get a bit confusing with spamgourmet's addresses!). Unfortunately
> the problem with samba_dnsupdate remains after the changes.
> I did change the smb.conf, krb5.conf, and hosts as requested. I am
> pretty new to both samba and linux and added most lines to the configs
> that looked promising.
> I expected the DC itself to be able to join the domain (again), as I
> remembered it to be possible after a classicupgrade with the samba
> internal dns.
>
> Regarding BIND, I am using version 9.9 on Debian Jessie and read it is 
> not necessary to build it yourself and configure it with dlopen (see 
> here <https://lists.samba.org/archive/samba/2015-January/188049.html>).
> The driver is supposedly included and also seems to load alright:
>
> named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz
> 19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver
> 19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen'
> 19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen'
> 19-Mar-2015 08:05:26.405 Loading SDLZ driver.
> 19-Mar-2015 08:05:26.646 samba_dlz: started for DN 
> DC=intranet,DC=mayweg,DC=net
> 19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully.
> 19-Mar-2015 08:05:26.646 DLZ driver loaded successfully.
> 19-Mar-2015 08:05:26.646 samba_dlz: starting configure
> 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone '11.168.192.in-addr.arpa'
> 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone 'intranet.mayweg.net'
> 19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone '_msdcs.intranet.mayweg.net'
>
>
> The error for samba_dnsupdate --all-names remains (btw, without 
> --all-names it works):
> ldb: Destroying timer event 0x233f310 "ltdb_timeout"
> ldb: Ending timer event 0x1d2bb70 "ltdb_callback"
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 612, in <module>
>     get_credentials(lp)
>   File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
>     raise e
> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot contact any KDC for requested realm)
>
>
> Again, I'm very grateful for any hints where the problem could 
> originate from.
> Greetings,
> Timo
>
>
> On 18 March 2015 at 19:57, Rowland Penny <repenny241155 at gmail.com> wrote:
>
>     On 18/03/15 17:05, sambalist.1.olol13 at spamgourmet.com wrote:
>
>         Hello,
>
>         I am trying to upgrade a Samba 3 DC to a Samba 4 AD DC with
>         BIND9_DLZ backend on Debian Jessie. Before I was using tinydns on a
>         different server and want to replace it with BIND.
>         I'm trying this with copies of virtual machines in a different
>         subnet (the Debian Jessie AD DC and DNS, a Win7 client used for RSAT
>         tools administration, a Debian Squeeze file server that is part of
>         the domain and an XP client).
>         For the most part the new configuration is working, thanks largely
>         to exploration of the wiki and the mailing list archives, but I
>         cannot resolve the hostnames of domain members and think it is
>         because dynamic DNS updates through kerberos aren't working.
>
>         When I try "samba_dnsupdate --verbose --all-names", I get the
>         following error:
>         ldb: Destroying timer event 0x1a42d10 "ltdb_timeout"
>         ldb: Ending timer event 0x1859f30 "ltdb_callback"
>         Traceback (most recent call last):
>           File "/usr/sbin/samba_dnsupdate", line 612, in <module>
>             get_credentials(lp)
>           File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
>             raise e
>         RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot contact any KDC for requested realm)
>
>         I can join the domain with windows & linux machines and
>         administer it and the dns server with RSAT tools. Neither SELinux
>         nor Apparmor are present.
>
>         The dns tests from the samba ad dc howto
>         <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend>
>         were all successful:
>         host -t SRV _ldap._tcp.intranet.mayweg.net.
>         _ldap._tcp.intranet.mayweg.net has SRV record 0 100 389 server06.intranet.mayweg.net.
>         host -t SRV _kerberos._udp.intranet.mayweg.net.
>         _kerberos._udp.intranet.mayweg.net has SRV record 0 100 88 server06.intranet.mayweg.net.
>         host -t A server06.intranet.mayweg.net.
>         server06.intranet.mayweg.net has address 192.168.11.250
>
>         I can resolve server06.intranet.mayweg.net and intranet.mayweg.net on
>         all machines, but hostnames of machines I joined to the domain
>         are not resolvable from other domain members. A linux machine that
>         joined had the output:
>         Joined 'SERVER13' to realm 'intranet.mayweg.net'
>         DNS update failed!
>
>         I can get kerberos tickets on all machines, and join the
>         domain using net ads join from all of them but the ad dc itself.
>         On server06 "net ads join -Uadministrator" returns
>         Failed to join domain: This operation is only allowed for the PDC of the domain.
>         Maybe this has something to do with the dns updates not working.
>
>
>     You do not run 'net ads join' on a DC, the provision does it for
>     you (or as in your case, the upgrade procedure)
>
>
>
>         I'll follow up with version info and configuration files
>         (interfaces, resolv.conf, hosts, smb.conf, krb5.conf, named.conf).
>         Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT
>         implementations of krb5-admin-server and krb5-kdc installed and
>         configured until I realized Samba4 brings the heimdal implementation
>         of kerberos with it. I uninstalled the MIT parts afterwards.
>         Configuration files:
>
>
>         /etc/network/interfaces:
>         auto lo
>         iface lo inet loopback
>
>         auto eth0
>         iface eth0 inet static
>                  address 192.168.11.250
>                  netmask 255.255.255.0
>                  network 192.168.11.0
>                  broadcast 192.168.11.255
>
>
>         /etc/resolv.conf:
>         nameserver 192.168.11.250 #had 127.0.0.1 before with the same error
>         domain intranet.mayweg.net
>
>
>         /etc/hosts:
>         127.0.0.1       localhost localhost.localdomain
>         192.168.11.250  server06.intranet.mayweg.net server06 krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net
>
>
>     Remove everything from the '192.168.11.250' line from 'krb'
>     onwards, they shouldn't be there.
>
>
>
>         # The following lines are desirable for IPv6 capable hosts
>         ::1     localhost ip6-localhost ip6-loopback
>         ff02::1 ip6-allnodes
>         ff02::2 ip6-allrouters
>
>
>         /etc/samba/smb.conf:
>         [global]
>         workgroup = MAYWEG.NET
>         realm = INTRANET.MAYWEG.NET
>         netbios name = SERVER06
>         interfaces = lo, eth0
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         #added after classicupgrade
>         kerberos method = system keytab
>         client ldap sasl wrapping = sign
>         allow dns updates = nonsecure and secure
>         nsupdate command = /usr/bin/nsupdate -g
>         domain logons = yes
>
>         [netlogon]
>         path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>         read only = No
>
>         [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
>     remove everything you added to smb.conf
>
>         /etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf):
>         [libdefaults]
>         default_realm = INTRANET.MAYWEG.NET
>         dns_lookup_realm = true #changed to true
>         dns_lookup_kdc = true
>
>         #added after classicupgrade
>
>         [realms]
>         INTRANET.MAYWEG.NET = {
>                  kdc = krb.intranet.mayweg.net
>                  admin_server = krb.intranet.mayweg.net
>                  default_domain = intranet.mayweg.net
>         }
>
>         [domain_realm]
>         .intranet.mayweg.net = INTRANET.MAYWEG.NET
>         intranet.mayweg.net = INTRANET.MAYWEG.NET
>
>         [logging]
>         kdc = FILE:/var/log/kerberos/krb5kdc.log
>         admin_server = FILE:/var/log/kerberos/kadmin.log
>         default = FILE:/var/log/kerberos/krb5lib.log
>
>
>     Change krb5.conf back to what it was.
>
>
>         /etc/bind/named.conf (copied together from the includes...):
>         zone "." {
>             type hint;
>             file "/etc/bind/db.root";
>         };
>         // be authoritative for the localhost forward and reverse zones, and for
>         // broadcast zones as per RFC 1912
>
>         zone "localhost" {
>             type master;
>             file "/etc/bind/db.local";
>         };
>
>         zone "127.in-addr.arpa" {
>             type master;
>             file "/etc/bind/db.127";
>         };
>
>         zone "0.in-addr.arpa" {
>             type master;
>             file "/etc/bind/db.0";
>         };
>
>         zone "255.in-addr.arpa" {
>             type master;
>             file "/etc/bind/db.255";
>         };
>         dlz "AD DNS Zone" {
>             # For BIND 9.8.x
>             # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>
>             # For BIND 9.9.x
>             database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>
>             # For BIND 9.10.x
>             # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
>         };
>         logging {
>             channel update_debug {
>                 file "/var/log/update_debug.log" versions 3 size 100k;
>                 severity debug;
>                 print-severity yes;
>                 print-time yes;
>             };
>             channel security_info {
>                 file "/var/log/security_info.log" versions 1 size 100k;
>                 severity info;
>                 print-severity yes;
>                 print-time yes;
>             };
>             channel bind_log {
>                 file "/var/log/bind.log" versions 3 size 1m;
>                 severity info;
>                 print-category yes;
>                 print-severity yes;
>                 print-time yes;
>             };
>
>             category default { bind_log; };
>             category lame-servers { null; };
>             category update { update_debug; };
>             category update-security { update_debug; };
>             category security { security_info; };
>         };
>         options {
>             directory "/var/named";
>             recursion yes;
>             dnssec-validation auto;
>             tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>             auth-nxdomain yes;
>             notify no;
>             empty-zones-enable no;
>             allow-query {
>                 127.0.0.1;
>                 192.168.11.0/24;
>                 # add other networks you want to allow to query your DNS
>             };
>             allow-query-cache {
>                 127.0.0.1;
>                 192.168.11.0/24;
>                 # add other networks you want to allow to query your DNS
>             };
>             allow-recursion {
>                 192.168.11.0/24;
>                 127.0.0.1;
>                 # add other networks you want to allow to do recursive queries
>             };
>             forwarders {
>                 # Google public DNS server here - replace with your own if necessary
>             };
>             allow-transfer {
>                 # this config is for a single master DNS server
>                 none;
>             };
>         };
>
>         I hope I provided all the necessary information and am grateful
>         for any hints on where to look for a fix to this problem.
>
>         Greetings,
>         Timo
>
>
>     Finally, was the version of bind you are using configured with
>     dlopen?
>
>     Rowland
>

Hi, after the classic upgrade you would have been using the internal dns
server, but you have changed to bind, did you follow the procedure shown
here: https://wiki.samba.org/index.php/Changing_the_DNS_backend

Rowland
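The step that fails in the quoted traceback is kinit locating a KDC for INTRANET.MAYWEG.NET, and the two things Rowland asks to revert (the hand-added [realms] block in krb5.conf and the krb/kdc aliases on the /etc/hosts line) are exactly what decides how that lookup goes. As an added example, not code from this thread or from Samba, the Python below parses a krb5.conf including the nested realm block and checks the configured kdc hosts against the KDC targets that DNS actually publishes in the _kerberos SRV records. Both krb5.conf samples are constructed from the thread (the Samba-generated one is reconstructed from the poster's own comments about what he changed), the SRV target set is taken from the quoted host output, and the names parse_krb5_conf and check_kdc_config are this example's own. It relies on MIT's documented behaviour that dns_lookup_kdc only applies to realms with no kdc listed in [realms], and assumes the Heimdal bundled with Samba behaves the same way.

```python
import re

# Constructed sample: the modified /etc/krb5.conf quoted in the thread
# (the [realms] block was added by hand after the classicupgrade).
MODIFIED_KRB5_CONF = """
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = true #changed to true
dns_lookup_kdc = true

[realms]
INTRANET.MAYWEG.NET = {
    kdc = krb.intranet.mayweg.net
    admin_server = krb.intranet.mayweg.net
    default_domain = intranet.mayweg.net
}

[domain_realm]
.intranet.mayweg.net = INTRANET.MAYWEG.NET
intranet.mayweg.net = INTRANET.MAYWEG.NET

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
"""

# Constructed sample: the minimal krb5.conf Samba writes at provision/upgrade
# time, reconstructed from the poster's remark that dns_lookup_realm was
# false before he changed it. No [realms] block, so KDCs come from DNS SRV.
SAMBA_KRB5_CONF = """
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = false
dns_lookup_kdc = true
"""

REALM = "INTRANET.MAYWEG.NET"

# KDC hosts published in DNS, taken from the quoted output of
# 'host -t SRV _kerberos._udp.intranet.mayweg.net' (one record, server06).
SRV_KDC_TARGETS = {"server06.intranet.mayweg.net"}


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values]}}.

    A 'NAME = { ... }' block inside a section becomes a nested dict under
    NAME (this is how [realms] entries are written). Text after '#' or ';'
    is treated as a comment, so inline notes like the poster's are ignored.
    """
    conf = {}
    section = None   # current [section]
    block = None     # current 'NAME = {' block inside the section, if any
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue  # stray line before the first section header
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = m.group(1)
            conf[section][block] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a 'key = value' line
        target = conf[section][block] if block else conf[section]
        target.setdefault(key.strip(), []).append(value.strip())
    return conf


def check_kdc_config(conf, realm, srv_targets):
    """Return findings that explain why kinit may fail to locate a KDC for realm."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    # MIT defaults dns_lookup_kdc to true when it is not set.
    dns_lookup_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() == "true"
    realm_cfg = conf.get("realms", {}).get(realm, {})
    kdcs = realm_cfg.get("kdc", [])
    if not kdcs and not dns_lookup_kdc:
        findings.append("no kdc entry for %s and dns_lookup_kdc is false: "
                        "there is no way to locate a KDC" % realm)
    for kdc in kdcs:
        host = kdc.split(":")[0].lower()  # drop an optional :port
        if host not in srv_targets:
            findings.append("kdc %s is not a target of the _kerberos SRV records; "
                            "only a local /etc/hosts alias would make it resolve" % host)
    if kdcs and dns_lookup_kdc:
        findings.append("explicit kdc entries for %s are used instead of DNS SRV "
                        "discovery, so dns_lookup_kdc = true has no effect here" % realm)
    return findings


if __name__ == "__main__":
    for name, text in (("modified", MODIFIED_KRB5_CONF), ("samba-generated", SAMBA_KRB5_CONF)):
        findings = check_kdc_config(parse_krb5_conf(text), REALM, SRV_KDC_TARGETS)
        print("%s krb5.conf: %s" % (name, "OK" if not findings else "findings"))
        for f in findings:
            print("  - " + f)
```

To use it on a real DC, read /etc/krb5.conf into parse_krb5_conf and build the target set from the host -t SRV _kerberos._udp.<realm> output; a krb5.conf that produces no findings still leaves DNS, the keytab and BIND's GSS-TSIG setup to check, which is what the wiki page Rowland links covers.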
