[WHATSNEW] Samba AD with MIT Kerberos + Version change

L.P.H. van Belle belle at bazuin.nl
Thu May 4 14:29:59 UTC 2017


OK, below is the result of my setup.
I see the following as the only error in my Samba logs.

------------------
The MIT KDC daemon died with exit status 1
task_server_terminate: [mitkdc child process exited]
------------------

Which packages exactly are needed for a Debian MIT krb5 Samba setup?
I could not find that.

I started by first creating the MIT database with:
kdb5_util create -s -r TEST.DOMAIN.TLD
Is this needed, or should Samba do that?


root@debian8:~# samba-tool domain provision  --use-rfc2307 --server-role=dc --domain=NTTEST --realm=TEST.DOMAIN.TLD
Administrator password will be set randomly!
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=test,DC=domain,DC=tld
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=test,DC=domain,DC=tld
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password:        Zp%qwBd;%L4dd].BLUD<yD
Server Role:           active directory domain controller
Hostname:              debian8
NetBIOS Domain:        NTTEST
DNS Domain:            test.domain.tld
DOMAIN SID:            S-1-5-21-3802658322-1749683864-505682010


samba -i
Copyright Andrew Tridgell and the Samba Team 1992-2017
samba: using 'standard' process model
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
The MIT KDC daemon died with exit status 1
task_server_terminate: [mitkdc child process exited]
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110


19653 ?        Ss     0:00 samba -D
19654 ?        S      0:00  \_ samba -D
19656 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
19672 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
19673 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
19675 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
19655 ?        S      0:00  \_ samba -D
19657 ?        S      0:00  \_ samba -D
19658 ?        S      0:00  \_ samba -D
19659 ?        S      0:00  \_ samba -D
19660 ?        S      0:00  \_ samba -D
19662 ?        S      0:00  \_ samba -D
19664 ?        S      0:00  \_ samba -D
19666 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
19677 ?        S      0:00  |       \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
19665 ?        S      0:00  \_ samba -D
19667 ?        S      0:00  \_ samba -D
19668 ?        S      0:00  \_ samba -D
19669 ?        S      0:00  \_ samba -D

 systemctl status krb5-kdc.service
● krb5-kdc.service - Kerberos 5 Key Distribution Center
   Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled)
   Active: active (running) since Thu 2017-05-04 16:09:16 CEST; 8min ago
  Process: 16736 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 16737 (krb5kdc)
   CGroup: /system.slice/krb5-kdc.service
           └─16737 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid

May 04 16:09:16 debian8 krb5kdc[16736]: setting up network...
May 04 16:09:16 debian8 krb5kdc[16736]: Setting up UDP socket for address 0.0.0.0.750
May 04 16:09:16 debian8 krb5kdc[16736]: Setting pktinfo on socket 0.0.0.0.750
May 04 16:09:16 debian8 krb5kdc[16736]: Setting up UDP socket for address ::.750
May 04 16:09:16 debian8 krb5kdc[16737]: commencing operation
May 04 16:09:16 debian8 systemd[1]: Started Kerberos 5 Key Distribution Center.
root@debian8:~#


dpkg -l | grep krb5
ii  krb5-config                      2.3                                all          Configuration files for Kerberos Version 5
ii  krb5-kdc                         1.15.1-1+mnu1                      amd64        MIT Kerberos key server (KDC)
ii  krb5-locales                     1.15.1-1+mnu1                      all          internationalization support for MIT Kerberos
ii  krb5-user                        1.15.1-1+mnu1                      amd64        basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2:amd64           1.15.1-1+mnu1                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                  1.15.1-1+mnu1                      amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64            1.15.1-1+mnu1                      amd64        MIT Kerberos runtime libraries - Support library

samba -b
Samba version: 4.7.0pre1-GIT-1e7bec4-Debian
Build environment:
Paths:
   BINDIR: /usr/local/samba/bin
   SBINDIR: /usr/local/samba/sbin
   CONFIGFILE: /usr/local/samba/etc/smb.conf
   NCALRPCDIR: /usr/local/samba/var/run/ncalrpc
   LOGFILEBASE: /usr/local/samba/var
   LMHOSTSFILE: /usr/local/samba/etc/lmhosts
   DATADIR: /usr/local/samba/share
   MODULESDIR: /usr/local/samba/lib
   LOCKDIR: /usr/local/samba/var/lock
   STATEDIR: /usr/local/samba/var/locks
   CACHEDIR: /usr/local/samba/var/cache
   PIDDIR: /usr/local/samba/var/run
   PRIVATE_DIR: /usr/local/samba/private
   CODEPAGEDIR: /usr/local/samba/share/codepages
   SETUPDIR: /usr/local/samba/share/setup
   WINBINDD_SOCKET_DIR: /usr/local/samba/var/run/winbindd
   NTP_SIGND_SOCKET_DIR: /usr/local/samba/var/lib/ntp_signd
 

Clean jessie install + ssh + standard utils

Created debs for these packages and installed them.
cmocka_1.1.1.orig.tar.gz
libidn_1.33.orig.tar.gz
libtasn1-6_4.10.orig.tar.gz
nettle_3.3.orig.tar.gz
openssl1.0_1.0.2k.orig.tar.gz
p11-kit_0.23.3.orig.tar.gz
pam-wrapper_1.0.3.orig.tar.gz
tdb_1.3.13.orig.tar.gz

libxslt_1.1.29.orig.tar.gz created but not tested yet, to avoid that man smb.conf.5 bug.

The Debian build is not yet ready; I need to fix the dh_install rules first, but it's a long list, so maybe that one tomorrow.
I'm at: dh_install --sourcedir=/home/samba-mit/samba-4.7.0/debian/tmp --list-missing --fail-missing
When that's OK, then it is easy to recreate the Debian packages.

I'm also testing around a bit, but with small changes; I'll keep you guys posted.



Greetz, 

Louis
