[Samba] kinit user works, kinit user at domain.local doesn't

Danny Fedor lubomirf.vav at gmail.com
Sun Oct 13 10:07:19 MDT 2013

I'm running Samba 4.0.10 on Ubuntu Server 12.04.3 x64
Samba was installed from source and provisioned with internal DNS as PDC of
the domain domain.local. Users were mapped through pam.

I created a new user (user at domain.local) and joined a winxp workstation
(workstation.domain.local). It seems kerberos is working since user can log
to workstation without any problem using user at domain.local. Same with DNS;
if I try to "ping pdc.domain.local", I get name resolved correctly, as well
as with just "ping pdc".

However, if I run "ping workstation.domain.local" from pdc, I get "unknown
host", though "ping workstation" works. Similarly, if I run "kinit user", I
get a ticket, but
"kinit user at domain.local"
"Cannot contact any KDC for realm 'domain.local' while getting initial

Probably related issue is with samba_dnsupdate. Running
"sudo /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names"
"RuntimeError: kinit for PDC$@DOMAIN.LOCAL failed (Cannot contact any KDC
for requested realm)".
"sudo host -t SRV _kerberos._udp.domain.local."
"_kerberos._udp.domain.local has SRV record 0 100 88 pdc.domain.local."
so it seems there is a correct record for kdc in dns. I've read that this
issue can be caused by wrong dns setting in resolv.conf.
My /etc/resolv.conf (and /etc/resolvconf/resolv.conf.d/tail) is:
domain domain.local

and my /etc/hosts:       localhost.localdomain   localhost       pdc.domain.local        pdc
#network interface eth0:    pdc.domain.local        pdc 

So even here everything looks ok

My krb5.conf:
        default_realm = DOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
        forwardable = true

        kdc = pdc.domain.local
        admin_server = pdc.domain.local

.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

My smb.conf:
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        netbios name = PDC
        server role = active directory domain controller
        server role check:inhibit = yes
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, dns
        template shell = /bin/bash
        security = user
        map to guest = bad user
        guest account = nobody
        encrypt passwords = yes
        allow dns updates = True
        dns forwarder =
        interfaces = eth0 lo
        bind interfaces only = yes
        logon path = \\%L\profiles\%U\%a
        logon drive = P:
        wins support = yes
        name resolve order = wins host bcast
        load printers = yes
        printing = cups
        printcap name = cups

        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No

View this message in context: http://samba.2283325.n4.nabble.com/kinit-user-works-kinit-user-domain-local-doesn-t-tp4654989.html
Sent from the Samba - General mailing list archive at Nabble.com.

More information about the samba mailing list