[Samba] Samba4 in FreeBSD 9 i386 for Domain controller not working. Samba version 4.1.0 pre1-GIT cf15406

Rowland Penny rpenny at f2s.com
Tue Nov 20 15:15:18 MST 2012


On 20/11/12 02:08, pccom frank wrote:
> Hi, I have deinstalled bind99 and re-made Samba4
> But still, Samba4 not working.
> The following are what I did.
> Looks like it is the dnsupdate problem. This time, it is the samba4's
> dnsupdate problem.
>
> Do I have to initialize kdc server?
>
> Those are copied from FreeBSD handbook for Kerberos 5.
>
> .....
> Note that this /etc/krb5.conf file implies that your KDC will have the 
> fully-qualified hostname of kerberos.example.org. You will need to add 
> a CNAME (alias) entry to your zone file to accomplish this if your 
> KDC has a different hostname.
>
>     *Note:* For large networks with a properly configured BIND
>     DNS server, the above example could be trimmed to:
>
>     [libdefaults]
>            default_realm = EXAMPLE.ORG
>
>     With the following lines being appended to the example.org zonefile:
>
>     _kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
>     _kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
>     _kpasswd._udp       IN  SRV     01 00 464 kerberos.example.org.
>     _kerberos-adm._tcp  IN  SRV     01 00 749 kerberos.example.org.
>     _kerberos           IN  TXT     EXAMPLE.ORG
>
>     *Note:* For clients to be able to find the *Kerberos* services,
>     you /must/ have either a fully configured /etc/krb5.conf or a
>     minimally configured /etc/krb5.conf /and/ a properly configured
>     DNS server.
>
> Next we will create the *Kerberos* database. This database contains 
> the keys of all principals encrypted with a master password. You are 
> not required to remember this password, it will be stored in a file 
> (/var/heimdal/m-key). To create the master key, run kstash and enter a 
> password.
> Once the master key has been created, you can initialize the database 
> using the kadmin program with the -l option (standing for “local”). 
> This option instructs kadmin to modify the database files directly 
> rather than going through the kadmind network service. This handles 
> the chicken-and-egg problem of trying to connect to the database 
> before it is created. Once you have the kadmin prompt, use the 
> init command to create your realm's initial database.
> Lastly, while still in kadmin, create your first principal using the 
> add command. Stick to the default options for the principal for now, 
> you can always change them later with the modify command. Note that 
> you can use the ? command at any prompt to see the available options.
> A sample database creation session is shown below:
> #  kstash
> Master key:xxxxxxxx
> Verifying password - Master key:xxxxxxxx
>
> #  kadmin -l
> kadmin>init EXAMPLE.ORG
> Realm max ticket life [unlimited]:
> kadmin>add tillman
> Max ticket life [unlimited]:
> Max renewable life [unlimited]:
> Attributes []:
> Password:xxxxxxxx
> Verifying password - Password:xxxxxxxx
> Now it is time to start up the KDC services. Run /etc/rc.d/kerberos 
> start and /etc/rc.d/kadmind start to bring up the services. Note that 
> you will not have any kerberized daemons running at this point but you 
> should be able to confirm that the KDC is functioning by obtaining and 
> listing a ticket for the principal (user) that you just created from 
> the command-line of the KDC itself:
> %  kinit tillman
> tillman at EXAMPLE.ORG's Password:
>
> %  klist
> Credentials cache: FILE:/tmp/krb5cc_500
> 	Principal: tillman at EXAMPLE.ORG
>
>    Issued           Expires          Principal
> Aug 27 15:37:58  Aug 28 01:37:58  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG
> The ticket can then be revoked when you have finished:
> %  kdestroy
> ================================
> ......
> I did not do anything about Kerberos5. I am assuming Samba4 takes 
> care of it.
>
> root at f10:/etc # cd /usr/ports/dns/bind99
> root at f10:/usr/ports/dns/bind99 # make deinstall
> ===>  Deinstalling for dns/bind99
> ===>   Deinstalling bind99-9.9.2
> The following packages will be deinstalled:
>
> bind99-9.9.2
>
> The deinstallation will free 33 MB
> Deleting bind99-9.9.2... done
> root at f10:/usr/ports/dns/bind99 # make clean
> ===>  Cleaning for bind99-9.9.2
> root at f10:/etc # cd /usr/local/samba-master
> root at f10:/usr/local/samba-master # git pull
> Already up-to-date.
> root at f10:/usr/local/samba-master # make clean
> WAF_MAKE=1 python ./buildtools/bin/waf clean
> Selected embedded Heimdal build
> 'clean' finished successfully (8.929s)
> root at f10:/usr/local/samba-master # make && make install
> WAF_MAKE=1 python ./buildtools/bin/waf build
> Waf: Entering directory `/usr/local/samba-master/bin'
> Selected embedded Heimdal build
> [   1/3814] Generating replace.vscript
> ......
> [3814/3814] Parse::Pidl::Wireshark::NDR.3: 
> pidl/lib/Parse/Pidl/Wireshark/NDR.pm -> 
> bin/default/pidl/Parse::Pidl::Wireshark::NDR.3
> Waf: Leaving directory `/usr/local/samba-master/bin'
> 'build' finished successfully (1h5m44.673s)
> WAF_MAKE=1 python ./buildtools/bin/waf install
> Waf: Entering directory `/usr/local/samba-master/bin'
> * creating /usr/local/samba/etc
> * creating /usr/local/samba/private
> * creating /usr/local/samba/var
> * creating /usr/local/samba/private
> * creating /usr/local/samba/var/lib
> * creating /usr/local/samba/var/locks
> * creating /usr/local/samba/var/cache
> * creating /usr/local/samba/var/lock
> * creating /usr/local/samba/var/run
> * creating /usr/local/samba/var/run
> Selected embedded Heimdal build
> Checking project rules ...
> Project rules pass
> [   1/4121] Generating replace.vscript
> ......
> * installing bin/default/pidl/Parse::Pidl::Wireshark::NDR.3 as 
> /usr/local/samba/share/man/man3/Parse::Pidl::Wireshark::NDR.3
> Waf: Leaving directory `/usr/local/samba-master/bin'
> 'install' finished successfully (13m48.405s)
> root at f10:/usr/local/samba-master # rehash
> root at f10:/usr/local/samba-master # cd ..
> root at f10:/usr/local # rm /usr/local/samba/etc/smb.conf
> root at f10:/usr/local # cd samba
>
> root at f10:/usr/local/samba/bin # ./samba-tool domain provision 
> --realm=f10.pccom.ca --domain=dcf10 --adminpass='small at 1' --server-role=dc
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> More than one IPv6 address found. Using fe80:1::92e6:baff:fe88:db31
>
> ....
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=f10,DC=pccom,DC=ca
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at 
> /usr/local/samba/private/krb5.conf
> Once the above files are installed, your Samba4 server will be ready 
> to use
> Server Role:           active directory domain controller
> Hostname:              f10
> NetBIOS Domain:        DCF10
> DNS Domain:            f10.pccom.ca
> DOMAIN SID:  S-1-5-21-2143356390-769797765-818328211
> root at f10:/usr/local/samba/bin # cp /usr/local/samba/private/krb5.conf /etc
>
>
> root at f10:/usr/local/samba/sbin # ./samba -i -M single
> samba version 4.1.0pre1-GIT-e6a100e started.
> Copyright Andrew Tridgell and the Samba Team 1992-2012
> samba: using 'single' process model
> /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
> /usr/local/samba/sbin/samba_dnsupdate:   File 
> "/usr/local/samba/sbin/samba_dnsupdate", line 507, in <module>
> /usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
> /usr/local/samba/sbin/samba_dnsupdate:   File 
> "/usr/local/samba/sbin/samba_dnsupdate", line 121, in get_credentials
> /usr/local/samba/sbin/samba_dnsupdate: creds.get_named_ccache(lp, 
> ccachename)
> /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for 
> F10$@F10.PCCOM.CA failed (Cannot contact any KDC for requested realm)
> /usr/local/samba/sbin/samba_dnsupdate:
> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - 
> NT_STATUS_ACCESS_DENIED
> ^C
>
>
Hello again,
Your problem would seem to be that your version of nsupdate was not 
compiled with GSSAPI; nsupdate is a BIND program. You need to find out 
what FreeBSD package contains nsupdate and either install a version that 
has been compiled with GSSAPI or compile it yourself, adding 
--with-openssl=<wherever openssl is> --with-gssapi=<wherever gssapi 
is> to the configure line. You will also require the gssapi_krb5 and 
OpenSSL libraries.

Sorry I cannot be any more help than this, but I have never used 
FreeBSD; now, if you were to jump distro and change to Ubuntu 12.04 
Server, I could provide you with full working instructions.

Rowland
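The error in the quoted log, "kinit for F10$@F10.PCCOM.CA failed (Cannot contact any KDC for requested realm)", is what a Kerberos client reports when neither of the two sources the quoted handbook note names yields a KDC: a [realms] entry in krb5.conf, or _kerberos._udp SRV records in DNS. The following script is an added example, not code from this thread, from Samba or from the FreeBSD handbook; it statically checks both sources so an administrator can see which one a client would use before starting the DC. The krb5.conf contents, the zone records, the KDC hostname f10.f10.pccom.ca and the address 192.0.2.10 are all constructed for the example.

```python
"""Added example (not from the thread, Samba or the FreeBSD handbook):
a static check of how a Kerberos client would locate a KDC for a realm.

A client needs either a fully configured krb5.conf (a [realms] block naming
the KDC) or a minimal krb5.conf plus _kerberos._udp SRV records in DNS.
"Cannot contact any KDC for requested realm" is what it reports when
neither source yields a KDC.  All file contents, hostnames and addresses
below are constructed for this example.
"""
import re


def parse_krb5_conf(text):
    """Parse krb5.conf sections into {section: {key: [values]}}.

    Nested blocks such as  REALM = { kdc = host }  inside [realms] become
    {'realms': {'REALM': {'kdc': ['host']}}}.
    """
    sections = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)   # start of  NAME = {
        if m:
            block = m.group(1)
            sections[section].setdefault(block, {})
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^(\S+)\s*=\s*(.+)$', line)
        if m:
            target = sections[section][block] if block else sections[section]
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def srv_kdcs(zone_records, realm, origin=None):
    """Return [(target, port)] from _kerberos._udp SRV records for the realm,
    best priority/weight first.  Records are zone-file lines; relative owner
    names are qualified with `origin`, as in the handbook's example.org zone."""
    wanted = f'_kerberos._udp.{realm.lower()}.'
    found = []
    for rec in zone_records:
        parts = rec.split()
        upper = [p.upper() for p in parts]
        if 'SRV' not in upper:
            continue
        i = upper.index('SRV')
        if len(parts) < i + 5:          # need priority weight port target
            continue
        owner = parts[0].lower()
        if not owner.endswith('.'):
            owner = f'{owner}.{origin.lower()}.' if origin else owner + '.'
        if owner != wanted:
            continue
        prio, weight, port = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
        found.append((prio, -weight, parts[i + 4], port))
    found.sort()                         # lowest priority, then highest weight
    return [(target, port) for (_, _, target, port) in found]


def find_kdcs(krb5_conf_text, zone_records, realm, origin=None):
    """Locate KDCs the way a client would: krb5.conf [realms] first, then DNS
    SRV records if dns_lookup_kdc is enabled (the default in MIT and Heimdal).
    Returns (source, [kdc, ...]); source is None when no KDC can be found."""
    conf = parse_krb5_conf(krb5_conf_text)
    kdcs = list(conf.get('realms', {}).get(realm, {}).get('kdc', []))
    if kdcs:
        return 'krb5.conf', kdcs
    flag = conf.get('libdefaults', {}).get('dns_lookup_kdc', ['true'])[0]
    if flag.lower() in ('true', 'yes', '1'):
        kdcs = [f'{host}:{port}' for host, port in srv_kdcs(zone_records, realm, origin)]
        if kdcs:
            return 'dns', kdcs
    return None, []


# Constructed: a minimal krb5.conf that relies on DNS to find the KDC.
MINIMAL_KRB5_CONF = """
[libdefaults]
    default_realm = F10.PCCOM.CA
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

# Constructed: a fully configured krb5.conf naming the KDC explicitly.
FULL_KRB5_CONF = """
[libdefaults]
    default_realm = F10.PCCOM.CA

[realms]
    F10.PCCOM.CA = {
        kdc = f10.f10.pccom.ca
        admin_server = f10.f10.pccom.ca
    }
"""

# Constructed zone records for the DC's domain; f10.f10.pccom.ca is assumed.
DC_ZONE = [
    "_kerberos._udp.f10.pccom.ca. 900 IN SRV 0 100 88 f10.f10.pccom.ca.",
    "_kerberos._tcp.f10.pccom.ca. 900 IN SRV 0 100 88 f10.f10.pccom.ca.",
    "f10.f10.pccom.ca.            900 IN A   192.0.2.10",
]

# The handbook's relative-name records, which need origin example.org.
HANDBOOK_ZONE = [
    "_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.",
    "_kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.",
    "_kpasswd._udp       IN  SRV     01 00 464 kerberos.example.org.",
]

if __name__ == '__main__':
    for label, conf, zone in [('minimal conf + DNS', MINIMAL_KRB5_CONF, DC_ZONE),
                              ('minimal conf, no SRV records', MINIMAL_KRB5_CONF, []),
                              ('full conf, no DNS', FULL_KRB5_CONF, [])]:
        print(label, '->', find_kdcs(conf, zone, 'F10.PCCOM.CA'))
    print('handbook zone ->', srv_kdcs(HANDBOOK_ZONE, 'EXAMPLE.ORG', origin='example.org'))
```

The second case ("minimal conf, no SRV records") returns no KDC at all, which is the situation the quoted traceback describes: the provisioned krb5.conf points the DC at DNS, and if the zone that Samba's own DNS server or BIND should be serving is not reachable, even the DC's own kinit for F10$ cannot find a KDC.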





