[Samba] samba4 dnsupdate failed with bind (cannot contact KDC)

Maarten Claes MClaes at baltimoreaircoil.be
Thu Jan 10 06:56:27 MST 2013

I upgraded our samba3 server to the latest samba4.

Everything is working except for the dnsupdate:

> /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names:
IPs: ['172.x.x.x']
Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_dnsupdate", line 508, in <module>
  File "/usr/local/samba/sbin/samba_dnsupdate", line 122, in 
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for ADSRV1$@MYDOMAIN.EU failed (Cannot contact any KDC 
for requested realm)

But kinit works running as root after adding the [realms] section to 
/etc/krb5.conf (it did not work without the [realms] section):

[libdefaults]
        default_realm = MYDOMAIN.EU
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        MYDOMAIN.EU = {
                kdc = ADSRV1.mydomain.eu
        }

> kinit administrator at MYDOMAIN.EU
> klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at MYDOMAIN.EU

Valid starting     Expires            Service principal
01/10/13 15:22:47  01/11/13 01:22:47  krbtgt/MYDOMAIN.EU at MYDOMAIN.EU
        renew until 01/11/13 15:22:46

Bind is running and responding:

tcp        0      0 172.x.x.x:53   * LISTEN 1075/named   
tcp        0      0      *  LISTEN 

> host -t SRV _ldap._tcp.mydomain.eu
_ldap._tcp.mydomain.eu has SRV record 0 100 389 adsrv1.mydomain.eu.

smb.conf:

[global]
        workgroup = MYCOMPANY
        realm = MYDOMAIN.EU
        netbios name = ADSRV1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        bind interfaces only = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.eu/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Has this something to do with the fact that my domain is not part of the 
realm? (domain: MYCOMPANY, realm: MYDOMAIN.EU)
That's why kinit running as root was not working without the [realms] 
section, I guess. I copied /etc/krb5.conf to /usr/local/samba/private/ 
because I suspected the dnsupdate script was using that file, but no luck.
A second question: is there any way to change the domain name during the 
upgrade without breaking the whole AD? I was planning to join a Windows 
2008 server and then use rendom to change the domain name. But if there's 
any other better way, I'd like to hear it.
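The "Cannot contact any KDC for requested realm" error above comes down to how libkrb5 locates a KDC: an explicit `kdc =` entry under the realm in `[realms]` is used first, and only when the realm has none does the library fall back (with `dns_lookup_kdc` enabled, which is the default) to the `_kerberos._udp.<realm>` and `_kerberos._tcp.<realm>` SRV records. The post checks `_ldap._tcp` but not those, and the `[realms]` section that made `kinit` work as root is exactly what removes the dependency on them. The following diagnostic is an added example written for this thread, not Samba's or the poster's code: it parses a krb5.conf fragment and reports, for a realm, which KDC source libkrb5 will rely on and which SRV names therefore have to exist in DNS. Both configuration samples are constructed to mirror the post (with and without the `[realms]` section); the hostnames and realm are the post's placeholders, and `parse_krb5_conf`/`kdc_sources` are names chosen here.

```python
"""Report how libkrb5 will locate a KDC from a krb5.conf fragment.

Added example for this thread (not Samba's code). Parses the [libdefaults]
and [realms] sections of the INI-like krb5.conf syntax and then tells you,
for a given realm, whether KDC discovery relies on explicit kdc= entries or
on DNS SRV records, and which SRV names must resolve in the latter case.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's working configuration (with [realms]).
SAMPLE_WITH_REALMS = """
[libdefaults]
        default_realm = MYDOMAIN.EU
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        MYDOMAIN.EU = {
                kdc = ADSRV1.mydomain.eu
        }
"""

# Constructed sample: the same file before the [realms] section was added.
SAMPLE_WITHOUT_REALMS = """
[libdefaults]
        default_realm = MYDOMAIN.EU
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""


@dataclass
class Krb5Conf:
    libdefaults: dict = field(default_factory=dict)
    realms: dict = field(default_factory=dict)  # realm -> {key: [values]}


def parse_krb5_conf(text: str) -> Krb5Conf:
    """Minimal krb5.conf parser covering [libdefaults] and [realms]."""
    conf = Krb5Conf()
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            conf.libdefaults[key.strip()] = value.strip()
        elif section == "realms":
            if line.endswith("{"):                  # "REALM = {" opens a realm block
                realm = line[:-1].strip(" =")
                conf.realms.setdefault(realm, {})
            elif line == "}":                       # closes the realm block
                realm = None
            elif realm is not None:                 # repeated keys (kdc = ...) accumulate
                key, _, value = line.partition("=")
                conf.realms[realm].setdefault(key.strip(), []).append(value.strip())
    return conf


def kdc_sources(conf: Krb5Conf, realm: str):
    """Return (explicit_kdcs, srv_names_to_check) for the realm.

    Explicit kdc= entries win; SRV lookups are only consulted when the realm
    lists none and dns_lookup_kdc is not disabled (libkrb5 defaults it on).
    """
    explicit = list(conf.realms.get(realm, {}).get("kdc", []))
    dns_enabled = conf.libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    srv = []
    if not explicit and dns_enabled:
        srv = [f"_kerberos._udp.{realm.lower()}", f"_kerberos._tcp.{realm.lower()}"]
    return explicit, srv


if __name__ == "__main__":
    for label, text in (("with [realms]", SAMPLE_WITH_REALMS),
                        ("without [realms]", SAMPLE_WITHOUT_REALMS)):
        conf = parse_krb5_conf(text)
        kdcs, srv = kdc_sources(conf, conf.libdefaults["default_realm"])
        print(f"{label}: explicit kdc={kdcs or 'none'}; SRV records required={srv or 'none'}")
```

Run it as-is to see the two cases side by side; point it at a real `/etc/krb5.conf` (and at the copy under `/usr/local/samba/private/`) to see which SRV names a failing `kinit` is actually depending on, then confirm those names with `host -t SRV` against the same nameserver the host uses.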
