[Samba] samba4 dnsupdate failed with bind (cannot contact KDC)

Maarten Claes MClaes at baltimoreaircoil.be
Thu Jan 10 06:56:27 MST 2013


I upgraded our samba3 server to the latest samba4.

Everything is working except for the dnsupdate:

> /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names:
IPs: ['172.x.x.x']
Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_dnsupdate", line 508, in <module>
    get_credentials(lp)
  File "/usr/local/samba/sbin/samba_dnsupdate", line 122, in get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for ADSRV1$@MYDOMAIN.EU failed (Cannot contact any KDC for requested realm)
---

But kinit works running as root after adding the [realms] section to 
/etc/krb5.conf (it did not work without the [realms] section):

---
[libdefaults]
        default_realm = MYDOMAIN.EU
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        MYDOMAIN.EU = {
        kdc = ADSRV1.mydomain.eu
        }
---

> kinit administrator@MYDOMAIN.EU
> klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.EU

Valid starting     Expires            Service principal
01/10/13 15:22:47  01/11/13 01:22:47  krbtgt/MYDOMAIN.EU@MYDOMAIN.EU
        renew until 01/11/13 15:22:46
---

Bind is running and responding:

---
tcp        0      0 172.x.x.x:53             0.0.0.0:* LISTEN 1075/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*  LISTEN 1075/named
---

> host -t SRV _ldap._tcp.mydomain.eu
ldap._tcp.mydomain.eu has SRV record 0 100 389 adsrv1.mydomain.eu.
---
smb.conf:
---
[global]
        workgroup = MYCOMPANY
        realm = MYDOMAIN.EU
        netbios name = ADSRV1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        interfaces=172.x.x.x/20 127.0.0.0/8
        bind interfaces only = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.eu/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
---
Does this have something to do with the fact that my domain is not part of the 
realm? (domain: MYCOMPANY, realm: MYDOMAIN.EU)
That's why kinit running as root was not working without the [realm] 
section, I guess. I copied /etc/krb5.conf to /usr/local/samba/private/ 
because I suspected the dnsupdate script was using that file, but no luck.

A second question: Is there any way to change the domain name during the 
upgrade without breaking the whole AD? I was planning to join a Windows 
2008 server and then use rendom to change the domain name. But if there's 
any other better way, I'd like to hear that.
Thanks
