[WHATSNEW] Samba AD with MIT Kerberos + Version change

Rowland Penny rpenny at samba.org
Thu May 4 14:38:32 UTC 2017


On Thu, 4 May 2017 16:29:59 +0200
L.P.H. van Belle <belle at bazuin.nl> wrote:

> OK, below is the result of my setup.
> I see the following as the only error in my Samba logs.
> 
> ------------------
> The MIT KDC daemon died with exit status 1
> task_server_terminate: [mitkdc child process exited]
> ------------------
> 
> Which packages exactly are needed for a Debian MIT krb5 Samba setup?
> I could not find that.
> 
> I started first by creating the MIT database with:
> kdb5_util create -s -r TEST.DOMAIN.TLD
> Is this needed or should Samba do that?
> 
> 
> root at debian8:~# samba-tool domain provision --use-rfc2307 --server-role=dc --domain=NTTEST --realm=TEST.DOMAIN.TLD
> Administrator password will be set randomly!
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=test,DC=domain,DC=tld
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=test,DC=domain,DC=tld
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
> Setting up fake yp server settings
> Once the above files are installed, your Samba4 server will be ready to use
> Admin password:        Zp%qwBd;%L4dd].BLUD<yD
> Server Role:           active directory domain controller
> Hostname:              debian8
> NetBIOS Domain:        NTTEST
> DNS Domain:            test.domain.tld
> DOMAIN SID:            S-1-5-21-3802658322-1749683864-505682010
> 
> 
> samba -i
> Copyright Andrew Tridgell and the Samba Team 1992-2017
> samba: using 'standard' process model
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> The MIT KDC daemon died with exit status 1
> task_server_terminate: [mitkdc child process exited]
> samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
> 
> 
> 19653 ?        Ss     0:00 samba -D
> 19654 ?        S      0:00  \_ samba -D
> 19656 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 19672 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 19673 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 19675 ?        S      0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 19655 ?        S      0:00  \_ samba -D
> 19657 ?        S      0:00  \_ samba -D
> 19658 ?        S      0:00  \_ samba -D
> 19659 ?        S      0:00  \_ samba -D
> 19660 ?        S      0:00  \_ samba -D
> 19662 ?        S      0:00  \_ samba -D
> 19664 ?        S      0:00  \_ samba -D
> 19666 ?        Ss     0:00  |   \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> 19677 ?        S      0:00  |       \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> 19665 ?        S      0:00  \_ samba -D
> 19667 ?        S      0:00  \_ samba -D
> 19668 ?        S      0:00  \_ samba -D
> 19669 ?        S      0:00  \_ samba -D
> 
>  systemctl status krb5-kdc.service
> ● krb5-kdc.service - Kerberos 5 Key Distribution Center
>    Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled)
>    Active: active (running) since Thu 2017-05-04 16:09:16 CEST; 8min ago
>   Process: 16736 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=0/SUCCESS)
>  Main PID: 16737 (krb5kdc)
>    CGroup: /system.slice/krb5-kdc.service
>            └─16737 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
> 
> May 04 16:09:16 debian8 krb5kdc[16736]: setting up network...
> May 04 16:09:16 debian8 krb5kdc[16736]: Setting up UDP socket for address 0.0.0.0.750
> May 04 16:09:16 debian8 krb5kdc[16736]: Setting pktinfo on socket 0.0.0.0.750
> May 04 16:09:16 debian8 krb5kdc[16736]: Setting up UDP socket for address ::.750
> May 04 16:09:16 debian8 krb5kdc[16737]: commencing operation
> May 04 16:09:16 debian8 systemd[1]: Started Kerberos 5 Key Distribution Center.
> root at debian8:~#
> 
> 
> dpkg -l | grep krb5
> ii  krb5-config             2.3            all    Configuration files for Kerberos Version 5
> ii  krb5-kdc                1.15.1-1+mnu1  amd64  MIT Kerberos key server (KDC)
> ii  krb5-locales            1.15.1-1+mnu1  all    internationalization support for MIT Kerberos
> ii  krb5-user               1.15.1-1+mnu1  amd64  basic programs to authenticate using MIT Kerberos
> ii  libgssapi-krb5-2:amd64  1.15.1-1+mnu1  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64         1.15.1-1+mnu1  amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64   1.15.1-1+mnu1  amd64  MIT Kerberos runtime libraries - Support library
> 
> samba -b
> Samba version: 4.7.0pre1-GIT-1e7bec4-Debian
> Build environment:
> Paths:
>    BINDIR: /usr/local/samba/bin
>    SBINDIR: /usr/local/samba/sbin
>    CONFIGFILE: /usr/local/samba/etc/smb.conf
>    NCALRPCDIR: /usr/local/samba/var/run/ncalrpc
>    LOGFILEBASE: /usr/local/samba/var
>    LMHOSTSFILE: /usr/local/samba/etc/lmhosts
>    DATADIR: /usr/local/samba/share
>    MODULESDIR: /usr/local/samba/lib
>    LOCKDIR: /usr/local/samba/var/lock
>    STATEDIR: /usr/local/samba/var/locks
>    CACHEDIR: /usr/local/samba/var/cache
>    PIDDIR: /usr/local/samba/var/run
>    PRIVATE_DIR: /usr/local/samba/private
>    CODEPAGEDIR: /usr/local/samba/share/codepages
>    SETUPDIR: /usr/local/samba/share/setup
>    WINBINDD_SOCKET_DIR: /usr/local/samba/var/run/winbindd
>    NTP_SIGND_SOCKET_DIR: /usr/local/samba/var/lib/ntp_signd
>  
> 
> Clean jessie install + ssh + standard utils
> 
> Created debs for these packages and installed them.
> cmocka_1.1.1.orig.tar.gz
> libidn_1.33.orig.tar.gz
> libtasn1-6_4.10.orig.tar.gz
> nettle_3.3.orig.tar.gz
> openssl1.0_1.0.2k.orig.tar.gz
> p11-kit_0.23.3.orig.tar.gz
> pam-wrapper_1.0.3.orig.tar.gz
> tdb_1.3.13.orig.tar.gz
> 
> libxslt_1.1.29.orig.tar.gz created but not tested yet, to avoid
> that man smb.conf.5 bug.
> 
> The Debian build is not yet ready; I need to fix the dh_install rules
> first, but it's a long list, so maybe that one tomorrow. I'm at:
> dh_install --sourcedir=/home/samba-mit/samba-4.7.0/debian/tmp --list-missing --fail-missing
> When that's OK, then it is easy to recreate the Debian packages.
> 
> I'm also testing around a bit, but small changes; will keep you guys posted.
> 
> 
> 
> Greetz, 
> 
> Louis
> 

You do not start the MIT KDC (or so I was told by Andreas).
Did you check if the Samba provision created a
new /etc/krb5kdc/kdc.conf?
This is where it starts to fail for me.

Rowland


