[WHATSNEW] Samba AD with MIT Kerberos + Version change
L.P.H. van Belle
belle at bazuin.nl
Thu May 4 14:41:56 UTC 2017
Yes, just tried that.
I removed the kdc.conf and
reprovisioned samba (cleared old data from kerberos and samba first).
/etc/krb5kdc/kdc.conf was not created.
No errors at provisioning.
:-(
I'll look further to see if I can find something.
Gr..
Louis
> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Thursday 4 May 2017 16:39
> To: L.P.H. van Belle
> CC: samba-technical at lists.samba.org
> Subject: Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change
>
> On Thu, 4 May 2017 16:29:59 +0200
> L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> > OK, below is the result of my setup.
> > I see the following as the only error in my samba logs.
> >
> > ------------------
> > The MIT KDC daemon died with exit status 1
> > task_server_terminate: [mitkdc child process exited]
> > ------------------
> >
> > Which packages are exactly needed for a debian MIT krb5 samba setup?
> > I could not find that.
> >
> > I started first by creating the MIT database with:
> > kdb5_util create -s -r TEST.DOMAIN.TLD
> > Is this needed or should samba do that?
> >
> >
> > root at debian8:~# samba-tool domain provision --use-rfc2307 --server-role=dc --domain=NTTEST --realm=TEST.DOMAIN.TLD
> > Administrator password will be set randomly!
> > Looking up IPv4 addresses
> > Looking up IPv6 addresses
> > No IPv6 address will be assigned
> > Setting up secrets.ldb
> > Setting up the registry
> > Setting up the privileges database
> > Setting up idmap db
> > Setting up SAM db
> > Setting up sam.ldb partitions and settings
> > Setting up sam.ldb rootDSE
> > Pre-loading the Samba 4 and AD schema
> > Adding DomainDN: DC=test,DC=domain,DC=tld
> > Adding configuration container
> > Setting up sam.ldb schema
> > Setting up sam.ldb configuration data
> > Setting up display specifiers
> > Modifying display specifiers
> > Adding users container
> > Modifying users container
> > Adding computers container
> > Modifying computers container
> > Setting up sam.ldb data
> > Setting up well known security principals
> > Setting up sam.ldb users and groups
> > Setting up self join
> > Adding DNS accounts
> > Creating CN=MicrosoftDNS,CN=System,DC=test,DC=domain,DC=tld
> > Creating DomainDnsZones and ForestDnsZones partitions
> > Populating DomainDnsZones and ForestDnsZones partitions
> > Setting up sam.ldb rootDSE marking as synchronized
> > Fixing provision GUIDs
> > A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
> > Setting up fake yp server settings
> > Once the above files are installed, your Samba4 server will be ready to use
> > Admin password: Zp%qwBd;%L4dd].BLUD<yD
> > Server Role: active directory domain controller
> > Hostname: debian8
> > NetBIOS Domain: NTTEST
> > DNS Domain: test.domain.tld
> > DOMAIN SID: S-1-5-21-3802658322-1749683864-505682010
> >
> >
> > samba -i
> > Copyright Andrew Tridgell and the Samba Team 1992-2017
> > samba: using 'standard' process model
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > The MIT KDC daemon died with exit status 1
> > task_server_terminate: [mitkdc child process exited]
> > samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
> > ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
> >
> >
> > 19653 ? Ss 0:00 samba -D
> > 19654 ? S 0:00 \_ samba -D
> > 19656 ? Ss 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > 19672 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > 19673 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > 19675 ? S 0:00 | \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > 19655 ? S 0:00 \_ samba -D
> > 19657 ? S 0:00 \_ samba -D
> > 19658 ? S 0:00 \_ samba -D
> > 19659 ? S 0:00 \_ samba -D
> > 19660 ? S 0:00 \_ samba -D
> > 19662 ? S 0:00 \_ samba -D
> > 19664 ? S 0:00 \_ samba -D
> > 19666 ? Ss 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > 19677 ? S 0:00 | \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > 19665 ? S 0:00 \_ samba -D
> > 19667 ? S 0:00 \_ samba -D
> > 19668 ? S 0:00 \_ samba -D
> > 19669 ? S 0:00 \_ samba -D
> >
> > systemctl status krb5-kdc.service
> > ● krb5-kdc.service - Kerberos 5 Key Distribution Center
> >    Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled)
> >    Active: active (running) since Thu 2017-05-04 16:09:16 CEST; 8min ago
> >   Process: 16736 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=0/SUCCESS)
> >  Main PID: 16737 (krb5kdc)
> >    CGroup: /system.slice/krb5-kdc.service
> >            └─16737 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
> >
> > May 04 16:09:16 debian8 krb5kdc[16736]: setting up network...
> > May 04 16:09:16 debian8 krb5kdc[16736]: Setting up UDP socket for address 0.0.0.0.750
> > May 04 16:09:16 debian8 krb5kdc[16736]: Setting pktinfo on socket 0.0.0.0.750
> > May 04 16:09:16 debian8 krb5kdc[16736]: Setting up UDP socket for address ::.750
> > May 04 16:09:16 debian8 krb5kdc[16737]: commencing operation
> > May 04 16:09:16 debian8 systemd[1]: Started Kerberos 5 Key Distribution Center.
> > root at debian8:~#
> >
> >
> > dpkg -l | grep krb5
> > ii  krb5-config             2.3            all    Configuration files for Kerberos Version 5
> > ii  krb5-kdc                1.15.1-1+mnu1  amd64  MIT Kerberos key server (KDC)
> > ii  krb5-locales            1.15.1-1+mnu1  all    internationalization support for MIT Kerberos
> > ii  krb5-user               1.15.1-1+mnu1  amd64  basic programs to authenticate using MIT Kerberos
> > ii  libgssapi-krb5-2:amd64  1.15.1-1+mnu1  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> > ii  libkrb5-3:amd64         1.15.1-1+mnu1  amd64  MIT Kerberos runtime libraries
> > ii  libkrb5support0:amd64   1.15.1-1+mnu1  amd64  MIT Kerberos runtime libraries - Support library
> >
> > samba -b
> > Samba version: 4.7.0pre1-GIT-1e7bec4-Debian
> > Build environment:
> > Paths:
> > BINDIR: /usr/local/samba/bin
> > SBINDIR: /usr/local/samba/sbin
> > CONFIGFILE: /usr/local/samba/etc/smb.conf
> > NCALRPCDIR: /usr/local/samba/var/run/ncalrpc
> > LOGFILEBASE: /usr/local/samba/var
> > LMHOSTSFILE: /usr/local/samba/etc/lmhosts
> > DATADIR: /usr/local/samba/share
> > MODULESDIR: /usr/local/samba/lib
> > LOCKDIR: /usr/local/samba/var/lock
> > STATEDIR: /usr/local/samba/var/locks
> > CACHEDIR: /usr/local/samba/var/cache
> > PIDDIR: /usr/local/samba/var/run
> > PRIVATE_DIR: /usr/local/samba/private
> > CODEPAGEDIR: /usr/local/samba/share/codepages
> > SETUPDIR: /usr/local/samba/share/setup
> > WINBINDD_SOCKET_DIR: /usr/local/samba/var/run/winbindd
> > NTP_SIGND_SOCKET_DIR: /usr/local/samba/var/lib/ntp_signd
> >
> >
> > Clean jessie install + ssh + standard utils
> >
> > Created debs for these packages and installed them.
> > cmocka_1.1.1.orig.tar.gz
> > libidn_1.33.orig.tar.gz
> > libtasn1-6_4.10.orig.tar.gz
> > nettle_3.3.orig.tar.gz
> > openssl1.0_1.0.2k.orig.tar.gz
> > p11-kit_0.23.3.orig.tar.gz
> > pam-wrapper_1.0.3.orig.tar.gz
> > tdb_1.3.13.orig.tar.gz
> >
> > libxslt_1.1.29.orig.tar.gz created but not tested yet, to avoid
> > that man smb.conf.5 bug.
> >
> > Debian build is not yet ready, I need to fix the dh_install rules
> > first, but it's a long list, so maybe that one tomorrow. I'm at:
> > dh_install --sourcedir=/home/samba-mit/samba-4.7.0/debian/tmp --list-missing --fail-missing
> > When that's OK, then it is easy to recreate the Debian packages.
> >
> > I'm also testing around a bit, but small changes; I'll keep you guys posted.
> >
> >
> >
> > Greetz,
> >
> > Louis
> >
>
> You do not start the MIT kdc (or so I was told by Andreas).
> Did you check if the Samba provision created a new
> /etc/krb5kdc/kdc.conf?
> This is where it starts to fail for me.
>
> Rowland
>
>