[WHATSNEW] Samba AD with MIT Kerberos + Version change
L.P.H. van Belle
belle at bazuin.nl
Thu May 4 14:29:59 UTC 2017
ok, below is the result of my setup.
I see the following as only error in my samba logs.
------------------
The MIT KDC daemon died with exit status 1
task_server_terminate: [mitkdc child process exited]
------------------
Which packages are exact needed for a debian MIT krb5 samba setup?
I could not find that.
I started with first with create the MIT database with :
kdb5_util create -s -r TEST.DOMAIN.TLD
Is this needed or should samba do that?
root at debian8:~# samba-tool domain provision --use-rfc2307 --server-role=dc --domain=NTTEST --realm=TEST.DOMAIN.TLD
Administrator password will be set randomly!
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=test,DC=domain,DC=tld
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=test,DC=domain,DC=tld
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password: Zp%qwBd;%L4dd].BLUD<yD
Server Role: active directory domain controller
Hostname: debian8
NetBIOS Domain: NTTEST
DNS Domain: test.domain.tld
DOMAIN SID: S-1-5-21-3802658322-1749683864-505682010
samba -i
Copyright Andrew Tridgell and the Samba Team 1992-2017
samba: using 'standard' process model
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
The MIT KDC daemon died with exit status 1
task_server_terminate: [mitkdc child process exited]
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
19653 ? Ss 0:00 samba -D
19654 ? S 0:00 \_ samba -D
19656 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
19672 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
19673 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
19675 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
19655 ? S 0:00 \_ samba -D
19657 ? S 0:00 \_ samba -D
19658 ? S 0:00 \_ samba -D
19659 ? S 0:00 \_ samba -D
19660 ? S 0:00 \_ samba -D
19662 ? S 0:00 \_ samba -D
19664 ? S 0:00 \_ samba -D
19666 ? Ss 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
19677 ? S 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
19665 ? S 0:00 \_ samba -D
19667 ? S 0:00 \_ samba -D
19668 ? S 0:00 \_ samba -D
19669 ? S 0:00 \_ samba -D
systemctl status krb5-kdc.service
?? krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled)
Active: active (running) since Thu 2017-05-04 16:09:16 CEST; 8min ago
Process: 16736 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=0/SUCCESS)
Main PID: 16737 (krb5kdc)
CGroup: /system.slice/krb5-kdc.service
????16737 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
May 04 16:09:16 debian8 krb5kdc[16736]: setting up network...
May 04 16:09:16 debian8 krb5kdc[16736]: Setting up UDP socket for address 0.0.0.0.750
May 04 16:09:16 debian8 krb5kdc[16736]: Setting pktinfo on socket 0.0.0.0.750
May 04 16:09:16 debian8 krb5kdc[16736]: Setting up UDP socket for address ::.750
May 04 16:09:16 debian8 krb5kdc[16737]: commencing operation
May 04 16:09:16 debian8 systemd[1]: Started Kerberos 5 Key Distribution Center.
root at debian8:~#
dpkg -l | grep krb5
ii krb5-config 2.3 all Configuration files for Kerberos Version 5
ii krb5-kdc 1.15.1-1+mnu1 amd64 MIT Kerberos key server (KDC)
ii krb5-locales 1.15.1-1+mnu1 all internationalization support for MIT Kerberos
ii krb5-user 1.15.1-1+mnu1 amd64 basic programs to authenticate using MIT Kerberos
ii libgssapi-krb5-2:amd64 1.15.1-1+mnu1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15.1-1+mnu1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15.1-1+mnu1 amd64 MIT Kerberos runtime libraries - Support library
samba -b
Samba version: 4.7.0pre1-GIT-1e7bec4-Debian
Build environment:
Paths:
BINDIR: /usr/local/samba/bin
SBINDIR: /usr/local/samba/sbin
CONFIGFILE: /usr/local/samba/etc/smb.conf
NCALRPCDIR: /usr/local/samba/var/run/ncalrpc
LOGFILEBASE: /usr/local/samba/var
LMHOSTSFILE: /usr/local/samba/etc/lmhosts
DATADIR: /usr/local/samba/share
MODULESDIR: /usr/local/samba/lib
LOCKDIR: /usr/local/samba/var/lock
STATEDIR: /usr/local/samba/var/locks
CACHEDIR: /usr/local/samba/var/cache
PIDDIR: /usr/local/samba/var/run
PRIVATE_DIR: /usr/local/samba/private
CODEPAGEDIR: /usr/local/samba/share/codepages
SETUPDIR: /usr/local/samba/share/setup
WINBINDD_SOCKET_DIR: /usr/local/samba/var/run/winbindd
NTP_SIGND_SOCKET_DIR: /usr/local/samba/var/lib/ntp_signd
Clean jessie install + ssh + standard utils
Created debs for these packages and installed them.
cmocka_1.1.1.orig.tar.gz
libidn_1.33.orig.tar.gz
libtasn1-6_4.10.orig.tar.gz
nettle_3.3.orig.tar.gz
openssl1.0_1.0.2k.orig.tar.gz
p11-kit_0.23.3.orig.tar.gz
pam-wrapper_1.0.3.orig.tar.gz
tdb_1.3.13.orig.tar.gz
libxslt_1.1.29.orig.tar.gz created but not tested yet for to avoid that man smb.conf.5 bug.
Debian build is not yet ready, i need to fix the dh_install rules first, but its a long list so, maybe that one tomorrow.
Im at : dh_install --sourcedir=/home/samba-mit/samba-4.7.0/debian/tmp --list-missing --fail-missing
When thats ok, then is easy to recreate a debian packages.
Im testing a bit around also but small changes, keep you guys posted.
Greetz,
Louis
More information about the samba-technical
mailing list