[Samba] Custom SAMBA4/OpenChange ZEG appliance
John Russell
jb.fresh at gmail.com
Fri Sep 14 23:06:22 MDT 2012
Was able to fix one problem with kinit not working. Added the following
lines to /etc/krb5.conf:
[realms]
EXAMPLE.COM = {
kdc = sogo
admin_server = sogo
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
This gave me the following output when running kinit sogo at EXAMPLE.COM
Kerberos: AS-REQ sogo at EXAMPLE.COM from ipv4:172.16.1.20:59784 for krbtgt/
EXAMPLE.COM at EXAMPLE.COM
Kerberos: Client sent patypes: REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- sogo at EXAMPLE.COM
Kerberos: Looking for PK-INIT(win2k) pa-data -- sogo at EXAMPLE.COM
Kerberos: Looking for ENC-TS pa-data -- sogo at EXAMPLE.COM
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Kerberos: AS-REQ sogo at EXAMPLE.COM from ipv4:172.16.1.20:50248 for krbtgt/
EXAMPLE.COM at EXAMPLE.COM
Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- sogo at EXAMPLE.COM
Kerberos: Looking for PK-INIT(win2k) pa-data -- sogo at EXAMPLE.COM
Kerberos: Looking for ENC-TS pa-data -- sogo at EXAMPLE.COM
Kerberos: ENC-TS Pre-authentication succeeded -- sogo at EXAMPLE.COM using
arcfour-hmac-md5
Kerberos: ENC-TS pre-authentication succeeded -- sogo at EXAMPLE.COM
Kerberos: AS-REQ authtime: 2012-09-15T01:02:47 starttime: unset endtime:
2012-09-15T11:02:47 renew till: 2012-09-16T01:02:43
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
samba_dnsupdate still fails as mentioned before and I still cannot join an
XP client to the domain.
On Fri, Sep 14, 2012 at 3:54 PM, John Russell <jb.fresh at gmail.com> wrote:
> Changing direction yet again. I decided do some testing with the latest *SOGo
> ZEG v2.0.0 rc5 appliance.*
>
> Since this is supposed to be a turnkey package with SAMBA4, OpenChange and
> SOGo all somewhat working together, I figured I'd give it a shot.
>
> Started up the appliance and tried to join an XP client to the "EXAMPLE"
> domain... FAILED: The error was: "DNS name does not exist." (error code
> 0x0000232B RCODE_NAME_ERROR)
> Tried to join an XP client to the "OPENCHANGE" domain... FAILED: The error
> was: "Network path was not found". The DNS lookup partially worked, but
> tail /var/log/samba/log.samba showed:
> RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
> for requested realm)
> Basically samba_dnsupdate fails with the following output.
> Traceback (most recent call last):
> File "/usr/sbin/samba_dnsupdate", line 485, in <module>
> get_credentials(lp)
> File "/usr/sbin/samba_dnsupdate", line 120, in get_credentials
> creds.get_named_ccache(lp, ccachename)
> RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
> for requested realm)
>
> This is the same problem found here
> http://thread.gmane.org/gmane.comp.groupware.sogo.user/11358
>
> At this point I know I have a KRB/KDC related issue and possibly DNS is
> not running properly. kinit isn't installed and Bind9 isn't configured with '--with-dlopen=yes'.
> Here is the output of
> /usr/sbin/named -V:
> BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'
> '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
> '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6'
> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
> 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
> 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
> using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
> using libxml2 version: 2.7.8
>
> From here:
> I installed krb5-user dpkg-dev libkrb5-dev libssl-dev libgeoip-dev
> Recompiled bind9 with the '--with-dlopen=yes' option
> Re-provisioned samba4 with domain EXAMPLE and realm EXAMPLE.COM
> Added tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; to
> /etc/bind/named.conf.options
> Copied /var/lib/samba/private/krb5.conf to /etc/krb5.conf
> Modified /etc/hosts so that "sogo.example.com sogo" uses interface
> IP instead of loopback.
> Restarted bind and samba
>
> And still get the same error. Any ideas? Just trying to add a windows
> client to the domain at this point. Thanks
>
>
>
> On Tue, Apr 17, 2012 at 1:20 PM, John Russell <jb.fresh at gmail.com> wrote:
>
>> Question following HowTo build your own OpenChange/SOGo appliance:
>> I have been building my own SAMBA4/OpenChange appliance *MOSTLY* following the instructions at
>> http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_OpenChangeSOGo_appliance
>>
>> I am using Ubuntu-Server 12.04 LTS (Precise Pangolin)
>> precise-server-amd64.iso
>> OpenChange from svn co -r 3923
>> https://svn.openchange.org/openchange/branches/sogo
>> SAMBA4 - Samba-4.0.0Alpha18
>>
>> At the step titled "Configure DNS service"
>> # cd /etc/bind
>> # mkdir samba
>> # cp /usr/local/samba/private/named.* samba/
>> # cp -rfi /usr/local/samba/private/dns samba/
>>
>> my named.* files are actually in "/usr/local/samba/share/setup/" (no big
>> deal)
>> logically I would assume my dns files would be in
>> "/usr/local/samba/share/setup/dns" but no cookie :(
>>
>> Find reveals:
>> find / -name "dns"
>> /openchange/sogo/samba4/lib/dnspython/dns
>> /openchange/sogo/samba4/libcli/dns
>> /openchange/sogo/samba4/bin/default/libcli/dns
>> /openchange/sogo/samba4/bin/default/source4/dsdb/dns
>> /openchange/sogo/samba4/source4/selftest/provisions/alpha13/private/dns
>> /openchange/sogo/samba4/source4/dsdb/dns
>> /usr/share/pyshared/dns
>> /usr/lib/python2.7/dist-packages/dns
>> /usr/src/linux-headers-3.2.0-23-generic/include/config/ceph/lib/use/dns
>> /usr/src/linux-headers-3.2.0-23-generic/include/config/dns
>>
>> Does anyone know the correct dns file or directory to copy to the bind
>> directory?
>>
>> Thanks
>>
>
>
>
> --
> "It's better to be boldly decisive and risk being wrong than to agonize at
> length and be right too late."
> Marilyn Moats Kennedy
>
--
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy
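As an added example (not code from this thread, from Samba or from the ZEG appliance), the Python script below does offline the two checks the kinit fix and the KDC log above call for: it parses a krb5.conf in the shape the post quotes, maps a host or principal to its realm and static KDC list the way libkrb5's [domain_realm] and [realms] lookups do, and scans Heimdal-style KDC log lines (the format a Samba DC emits) for weak enctypes. The two config texts and the log excerpt are constructed to mirror the post; the function names and the wording of the diagnostics are the example's own.

```python
"""Offline checks for the two problems visible in the thread:
'Cannot contact any KDC for requested realm' (krb5.conf realm/KDC mapping)
and a KDC log showing arcfour-hmac-md5 chosen although the client offered AES.

Added example, not code from the thread or from Samba. Config and log text
below are constructed to mirror what the post shows.
"""
import re

# Constructed: krb5.conf as the thread describes it before the fix (no [realms]).
PROVISIONED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

# Constructed: the same file with the [realms]/[domain_realm] stanzas from the post.
FIXED_KRB5_CONF = PROVISIONED_KRB5_CONF + """
[realms]
    EXAMPLE.COM = {
        kdc = sogo
        admin_server = sogo
        default_domain = EXAMPLE.COM
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

# Constructed from the KDC log lines quoted in the post.
KDC_LOG = """\
Kerberos: ENC-TS Pre-authentication succeeded -- sogo at EXAMPLE.COM using arcfour-hmac-md5
Kerberos: ENC-TS pre-authentication succeeded -- sogo at EXAMPLE.COM
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
"""

# RC4 and (3)DES enctypes are deprecated for Kerberos by RFC 8429.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac", "des3-cbc-sha1",
                 "des-cbc-crc", "des-cbc-md5"}


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, key = value
    lines and one level of name = { ... } blocks. Every scalar value is kept
    as a list because keys such as kdc may legitimately repeat."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue                      # content before any section header
        if line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            block = stack[-1].setdefault(name, {})
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1].setdefault(key, []).append(value)
    return sections


def realm_for_host(hostname, conf):
    """Apply [domain_realm]: an exact host entry wins, then the longest
    leading-dot suffix, then libdefaults default_realm (None if absent)."""
    host = hostname.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host][0]
    suffixes = [p for p in mapping if p.startswith(".") and host.endswith(p)]
    if suffixes:
        return mapping[max(suffixes, key=len)][0]
    default = conf.get("libdefaults", {}).get("default_realm")
    return default[0] if default else None


def diagnose_principal(principal, conf):
    """Report what kinit for `principal` (e.g. 'SOGO$@EXAMPLE.COM') has to
    work with: its realm, the statically configured KDCs and any gap that
    ends in 'Cannot contact any KDC for requested realm'."""
    if "@" not in principal:
        return {"realm": None, "kdcs": [], "problems": ["principal carries no realm"]}
    realm = principal.rsplit("@", 1)[1]
    realm_conf = conf.get("realms", {}).get(realm)
    kdcs = list(realm_conf.get("kdc", [])) if realm_conf else []
    problems = []
    if realm_conf is None:
        problems.append("no [realms] stanza for %s" % realm)
    if not kdcs:
        dns_kdc = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
        if dns_kdc in ("true", "yes", "1"):
            problems.append("no kdc entries; resolution depends entirely on "
                            "_kerberos._tcp.%s SRV records" % realm.lower())
        else:
            problems.append("no kdc entries and dns_lookup_kdc is off; no KDC can be found")
    return {"realm": realm, "kdcs": kdcs, "problems": problems}


def weak_enctype_findings(log_text):
    """Scan Heimdal-style KDC log lines and flag weak enctypes, in particular
    RC4 chosen by the KDC although the client offered AES."""
    findings = []
    for line in log_text.splitlines():
        m = re.search(r"succeeded -- (.+?) using (\S+)$", line)
        if m and m.group(2) in WEAK_ENCTYPES:
            findings.append((m.group(1), "preauth", m.group(2)))
        m = re.search(r"Client supported enctypes: (.*?), using (\S+)/(\S+)", line)
        if m:
            offered = [e.strip() for e in m.group(1).split(",")]
            weak = sorted({m.group(2), m.group(3)} & WEAK_ENCTYPES)
            if weak and any(e.startswith("aes") for e in offered):
                findings.append(("(client offered AES)", "kdc-choice", weak[0]))
    return findings


if __name__ == "__main__":
    for label, text in (("provisioned", PROVISIONED_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(label, diagnose_principal("SOGO$@EXAMPLE.COM", parse_krb5_conf(text)))
    print("realm for sogo.example.com:",
          realm_for_host("sogo.example.com", parse_krb5_conf(FIXED_KRB5_CONF)))
    for finding in weak_enctype_findings(KDC_LOG):
        print("weak enctype:", finding)
```

Two caveats the script cannot check offline: `kdc = sogo` is a bare hostname, so every client has to resolve it to the DC's interface address, which is why the /etc/hosts change earlier in the thread matters; and the "Client supported enctypes" line shows that AES was offered but arcfour-hmac-md5 was used, which on an AD DC is decided by the keys stored for the account and its msDS-SupportedEncryptionTypes, so until AES keys exist for that principal every ticket for it is RC4-protected.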