[Samba] CentOS 6, BIND_DLZ and kinit errors (Cannot contact any KDC for requested realm)
Thomas Harold
thomas-lists at nybeta.com
Sun May 4 10:46:29 MDT 2014
On 5/3/2014 2:42 PM, Sketch wrote:
> On Sat, 3 May 2014, Thomas Harold wrote:
>
>> It seems like the BIND 9.8 that ships with CentOS 6.x (and probably RHEL
>> 6.x) is not built with --with-dlopen option.
>
> You need to install the bind-sdb package. This one is built with DLZ
> support.
Thanks, I ended up building BIND 9.9.5 from scratch, with a custom
configuration file so that the install paths (etc.) matched the CentOS 6
BIND 9.8 RPM locations. Then I wiped out the contents of
/var/lib/samba/private and did a domain provision from scratch.
But the real problem is that I am using BIND views on this particular
server, which means the Samba4 named.conf include file needs to be
inside the view section.
The following did not work (/etc/named.conf):
...
include "/var/lib/samba/private/named.conf";
view "internal"
{
...
// internal view stuff
...
};
...
The following *does* work:
...
view "internal"
{
...
// internal view stuff
include "/var/lib/samba/private/named.conf";
...
};
...
After fixing that, restarting named and sernet-samba-ad fixed the issue.
Troubleshooting tests for this can include:
host -t SRV _kerberos._udp.DOMAIN.EXAMPLE.COM
If that returns NXDOMAIN, then Samba4 is not talking to BIND over the
"DLZ connection" (or whatever it is called).
And as Rowland pointed out, I should have seen something like the
following in /var/log/named (or wherever your BIND log entries are being
written) when BIND starts:
named[#]: ----------------------------------------------------
named[#]: BIND 9 is maintained by Internet Systems Consortium,
named[#]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
named[#]: corporation. Support and training for BIND 9 are
named[#]: available at https://www.isc.org/support
named[#]: ----------------------------------------------------
named[#]: adjusted limit on open files from 4096 to 1048576
named[#]: found 4 CPUs, using 4 worker threads
named[#]: using 4 UDP listeners per interface
named[#]: using up to 4096 sockets
named[#]: loading configuration from '/etc/named.conf'
named[#]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
named[#]: statistics-channels specified but not effective due to missing XML library
named[#]: statistics channel listening on 127.0.0.1#8053
named[#]: using default UDP/IPv4 port range: [1024, 65535]
named[#]: using default UDP/IPv6 port range: [1024, 65535]
named[#]: no IPv6 interfaces found
named[#]: listening on IPv4 interface lo, 127.0.0.1#53
named[#]: listening on IPv4 interface bridge0, 192.168.142.1#53
named[#]: generating session key for dynamic DNS
named[#]: sizing zone task pool based on 3 zones
named[#]: Loading 'AD DNS Zone' using driver dlopen
named[#]: samba_dlz: GENSEC backend 'gssapi_spnego' registered
named[#]: samba_dlz: GENSEC backend 'gssapi_krb5' registered
named[#]: samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
named[#]: samba_dlz: GENSEC backend 'sasl-DIGEST-MD5' registered
named[#]: samba_dlz: GENSEC backend 'schannel' registered
named[#]: samba_dlz: GENSEC backend 'spnego' registered
named[#]: samba_dlz: GENSEC backend 'ntlmssp' registered
named[#]: samba_dlz: GENSEC backend 'krb5' registered
named[#]: samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
named[#]: samba_dlz: started for DN DC=domain,DC=example,DC=com
named[#]: samba_dlz: starting configure
named[#]: samba_dlz: configured writeable zone 'domain.example.com'
named[#]: samba_dlz: configured writeable zone '_msdcs.domain.example.com'
named[#]: using built-in DLV key for view internal
named[#]: using built-in root key for view internal
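The three checks from the post (is the Samba include inside a view block, did samba_dlz configure its writeable zones at named start-up, does the Kerberos SRV lookup return an answer) as a small POSIX shell script. This is an added example, not code from Thomas's post, the Samba project or ISC. It assumes the include path /var/lib/samba/private/named.conf, the samba_dlz log wording quoted above, and the usual ISC `host` phrasing ("has SRV record" on success, "not found: 3(NXDOMAIN)" on failure); the sample named.conf fragments, log lines and `host` output it checks are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Offline checks for the
# BIND9_DLZ symptoms discussed above. Assumptions: include path is
# /var/lib/samba/private/named.conf, named log wording matches the
# samba_dlz lines quoted in the post, and `host` output uses ISC's
# "has SRV record" / "not found: 3(NXDOMAIN)" phrasing.

# Return 0 only if the Samba DLZ include appears inside a view { } block
# and never at top level. Brace depth is tracked per line, so "view" and
# its opening brace may sit on separate lines, as in the post's example.
samba_include_in_view() {
  awk '
    /^[ \t]*view[ \t]/ { in_view = 1 }
    /^[ \t]*include[ \t]+"[^"]*samba[^"]*named\.conf"/ {
      if (in_view && depth > 0) { inside = 1 } else { outside = 1 }
    }
    {
      depth += gsub(/\{/, "{")
      closes = gsub(/\}/, "}")
      depth -= closes
      if (in_view && closes > 0 && depth == 0) { in_view = 0 }
    }
    END { if (inside && !outside) exit 0; exit 1 }
  ' "$1"
}

# Print the writeable zones samba_dlz reported when named started;
# return 1 if the log shows none (the DLZ driver never configured).
dlz_zones_from_log() {
  zones=$(sed -n "s/.*samba_dlz: configured writeable zone '\([^']*\)'.*/\1/p" "$1")
  [ -n "$zones" ] || return 1
  printf '%s\n' "$zones"
}

# Return 0 if captured `host -t SRV` output carries an SRV answer,
# 1 on NXDOMAIN or any other answer-less output.
srv_answer_present() {
  grep -q 'has SRV record' "$1"
}

# Constructed sample inputs mirroring the post (not real captures).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/bad.conf" <<'EOF'
include "/var/lib/samba/private/named.conf";
view "internal"
{
    match-clients { 192.168.142.0/24; };
    // internal view stuff
};
EOF
cat > "$SAMPLE/good.conf" <<'EOF'
view "internal"
{
    match-clients { 192.168.142.0/24; };
    // internal view stuff
    include "/var/lib/samba/private/named.conf";
};
EOF
cat > "$SAMPLE/named.log" <<'EOF'
named[1234]: Loading 'AD DNS Zone' using driver dlopen
named[1234]: samba_dlz: configured writeable zone 'domain.example.com'
named[1234]: samba_dlz: configured writeable zone '_msdcs.domain.example.com'
EOF
cat > "$SAMPLE/srv_nx.txt" <<'EOF'
Host _kerberos._udp.domain.example.com not found: 3(NXDOMAIN)
EOF
cat > "$SAMPLE/srv_ok.txt" <<'EOF'
_kerberos._udp.domain.example.com has SRV record 0 100 88 dc1.domain.example.com.
EOF

# Stand-alone demonstration over the constructed inputs.
for f in bad good; do
  if samba_include_in_view "$SAMPLE/$f.conf"; then
    echo "$f.conf: include is inside a view"
  else
    echo "$f.conf: include is NOT inside a view (with BIND views it must be)"
  fi
done
dlz_zones_from_log "$SAMPLE/named.log" | sed 's/^/DLZ zone: /'
for f in srv_nx srv_ok; do
  if srv_answer_present "$SAMPLE/$f.txt"; then
    echo "$f: SRV answer present"
  else
    echo "$f: no SRV answer, DLZ is not serving the zone"
  fi
done
```

On a live server, point samba_include_in_view at /etc/named.conf, dlz_zones_from_log at the named log, and feed srv_answer_present the output of `host -t SRV _kerberos._udp.DOMAIN.EXAMPLE.COM` saved to a file; an include that passes the first check but a log with no "configured writeable zone" lines points at the DLZ module itself rather than at view placement.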