[Samba] kinit user works, kinit user@domain.local doesn't
Danny Fedor
lubomirf.vav at gmail.com
Sun Oct 13 10:07:19 MDT 2013
I'm running Samba 4.0.10 on Ubuntu Server 12.04.3 x64.
Samba was installed from source and provisioned with internal DNS as PDC of
the domain domain.local. Users were mapped through PAM.
I created a new user (user@domain.local) and joined a winxp workstation
(workstation.domain.local). It seems Kerberos is working, since the user can
log in to the workstation without any problem using user@domain.local. Same
with DNS; if I try to "ping pdc.domain.local", I get the name resolved
correctly, as well as with just "ping pdc".
However, if I run "ping workstation.domain.local" from pdc, I get "unknown
host", though "ping workstation" works. Similarly, if I run "kinit user", I
get a ticket, but
"kinit user@domain.local"
produces
"Cannot contact any KDC for realm 'domain.local' while getting initial
credentials".
A probably related issue is with samba_dnsupdate. Running
"sudo /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names"
gives
"RuntimeError: kinit for PDC$@DOMAIN.LOCAL failed (Cannot contact any KDC
for requested realm)".
"sudo host -t SRV _kerberos._udp.domain.local."
gives
"_kerberos._udp.domain.local has SRV record 0 100 88 pdc.domain.local."
so it seems there is a correct record for the KDC in DNS. I've read that this
issue can be caused by a wrong DNS setting in resolv.conf.
My /etc/resolv.conf (and /etc/resolvconf/resolv.conf.d/tail) is:
domain domain.local
nameserver 127.0.0.1
and my /etc/hosts:
127.0.0.1 localhost.localdomain localhost
127.0.1.1 pdc.domain.local pdc
#network interface eth0:
192.168.1.67 pdc.domain.local pdc
So even here everything looks OK.
My krb5.conf:
[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    forwardable = true
[realms]
    DOMAIN.LOCAL = {
        kdc = pdc.domain.local
        admin_server = pdc.domain.local
    }
[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
My smb.conf:
[global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    netbios name = PDC
    server role = active directory domain controller
    server role check:inhibit = yes
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
    template shell = /bin/bash
    security = user
    map to guest = bad user
    guest account = nobody
    encrypt passwords = yes
    allow dns updates = True
    dns forwarder = 217.119.113.244
    interfaces = 127.0.1.1/8 eth0 lo
    bind interfaces only = yes
    logon path = \\%L\profiles\%U\%a
    logon drive = P:
    wins support = yes
    name resolve order = wins host bcast
    load printers = yes
    printing = cups
    printcap name = cups
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
    read only = No
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
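Added example, not part of the original post: the error text quotes the realm as 'domain.local' while the posted krb5.conf defines DOMAIN.LOCAL, and Kerberos realm names are case-sensitive. This sketch parses a trimmed copy of that krb5.conf and reports, for each principal form, which realm string is used, whether a [realms] entry matches it exactly, and which SRV name would be consulted otherwise. The function names parse_krb5 and kdc_plan are hypothetical, and the lookup order assumed is the documented MIT krb5 one (SRV records are used only when the realm has no kdc entry).

```python
import re

# krb5.conf as posted in the message above, trimmed to the relevant keys
KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    DOMAIN.LOCAL = {
        kdc = pdc.domain.local
        admin_server = pdc.domain.local
    }
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from a simple krb5.conf."""
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def kdc_plan(principal, text=KRB5_CONF):
    """Describe how the KDC for the realm of `principal` would be located."""
    libdefaults, realms = parse_krb5(text)
    # No "@realm" suffix means the default realm is used.
    realm = principal.split("@", 1)[1] if "@" in principal else libdefaults["default_realm"]
    kdcs = realms.get(realm, [])  # exact-case match only
    variants = [r for r in realms if r != realm and r.lower() == realm.lower()]
    srv = None
    if not kdcs and libdefaults.get("dns_lookup_kdc") == "true":
        srv = f"_kerberos._udp.{realm}."  # the record type the post queried with host
    return {"realm": realm, "configured_kdcs": kdcs, "case_variants": variants, "srv_fallback": srv}
```

Calling kdc_plan("user") and kdc_plan("user@domain.local") side by side shows that the two commands in the post ask for different realm strings, which is worth ruling in or out before looking further at DNS.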