[Samba] kinit user works, kinit user@domain.local doesn't
Rob Townley
rob.townley at gmail.com
Sun Oct 13 15:15:07 MDT 2013
Try appending a dot character to the end and put it in the domain_realm
mapping. Let us know.
kinit user@domain.local.
On Oct 13, 2013 11:08 AM, "Danny Fedor" <lubomirf.vav at gmail.com> wrote:
> I'm running Samba 4.0.10 on Ubuntu Server 12.04.3 x64
> Samba was installed from source and provisioned with internal DNS as PDC of
> the domain domain.local. Users were mapped through pam.
>
> I created a new user (user@domain.local) and joined a winxp workstation
> (workstation.domain.local). It seems kerberos is working since the user can
> log in to the workstation without any problem using user@domain.local. Same with DNS;
> if I try to "ping pdc.domain.local", I get name resolved correctly, as well
> as with just "ping pdc".
>
> However, if I run "ping workstation.domain.local" from pdc, I get "unknown
> host", though "ping workstation" works. Similarly, if I run "kinit user", I
> get a ticket, but
> "kinit user@domain.local"
> produces
> "Cannot contact any KDC for realm 'domain.local' while getting initial
> credentials".
>
> A probably related issue is with samba_dnsupdate. Running
> "sudo /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names"
> gives
> "RuntimeError: kinit for PDC$@DOMAIN.LOCAL failed (Cannot contact any KDC
> for requested realm)".
> "sudo host -t SRV _kerberos._udp.domain.local."
> gives
> "_kerberos._udp.domain.local has SRV record 0 100 88 pdc.domain.local."
> so it seems there is a correct record for kdc in dns. I've read that this
> issue can be caused by wrong dns setting in resolv.conf.
> My /etc/resolv.conf (and /etc/resolvconf/resolv.conf.d/tail) is:
> domain domain.local
> nameserver 127.0.0.1
>
> and my /etc/hosts:
> 127.0.0.1 localhost.localdomain localhost
> 127.0.1.1 pdc.domain.local pdc
> #network interface eth0:
> 192.168.1.67 pdc.domain.local pdc
>
> So even here everything looks ok
>
> My krb5.conf:
> [libdefaults]
>     default_realm = DOMAIN.LOCAL
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     forwardable = true
>
> [realms]
>     DOMAIN.LOCAL = {
>         kdc = pdc.domain.local
>         admin_server = pdc.domain.local
>     }
>
> [domain_realm]
>     .domain.local = DOMAIN.LOCAL
>     domain.local = DOMAIN.LOCAL
>
> My smb.conf:
> [global]
>     workgroup = DOMAIN
>     realm = DOMAIN.LOCAL
>     netbios name = PDC
>     server role = active directory domain controller
>     server role check:inhibit = yes
>     server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>     template shell = /bin/bash
>     security = user
>     map to guest = bad user
>     guest account = nobody
>     encrypt passwords = yes
>     allow dns updates = True
>     dns forwarder = 217.119.113.244
>     interfaces = 127.0.1.1/8 eth0 lo
>     bind interfaces only = yes
>     logon path = \\%L\profiles\%U\%a
>     logon drive = P:
>     wins support = yes
>     name resolve order = wins host bcast
>     load printers = yes
>     printing = cups
>     printcap name = cups
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
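
An added example, not part of the original thread: a simplified model of where a Kerberos client looks for a KDC given the krb5.conf quoted above, for `kinit user` versus `kinit user@domain.local`. It assumes MIT-krb5-style behaviour (realm names matched case-sensitively, DNS SRV used only when `[realms]` yields no `kdc`, trailing dot on the SRV name); `parse_krb5_conf` and `locate_kdc` are hypothetical helper names. It shows where the client looks, not why the contact fails.

```python
import re

# krb5.conf from the quoted message (indentation added, "forwardable" omitted).
KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    DOMAIN.LOCAL = {
        kdc = pdc.domain.local
        admin_server = pdc.domain.local
    }
[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
"""

def parse_krb5_conf(text):
    """Parse sections, 'key = value' relations and one level of { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = conf.setdefault(m.group(1), {})
        elif line == "}":
            block = None
        elif m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line):
            key, value = m.groups()
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf

def locate_kdc(conf, principal):
    """Return (realm, source, targets) for the realm named by a principal."""
    lib = conf.get("libdefaults", {})
    # Assumption: the realm is taken literally from the principal, no case folding.
    realm = principal.split("@", 1)[1] if "@" in principal else lib["default_realm"]
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        return realm, "realms", kdcs
    if lib.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1", "on"):
        return realm, "dns-srv", [f"_kerberos._{p}.{realm}." for p in ("udp", "tcp")]
    return realm, "none", []
```

With this configuration, `locate_kdc(conf, "user")` resolves through the `[realms]` entry for `DOMAIN.LOCAL`, while `user@domain.local` names a realm with no `[realms]` entry and depends entirely on the SRV lookup.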