[Samba] Ubuntu client ddns failure
steve
steve at steve-ss.com
Tue May 20 07:12:16 MDT 2014
Hi
I'm trying to get an Ubuntu 14.04 client to update its rr to a working
bind dns DC with Samba 4.1.7. The setup is the same as with our openSUSE
clients with sssd 1.11.15.

sssd.conf:
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False

/etc/hosts:
127.0.0.1 lubuntu-laptop.hh3.site lubuntu-laptop
127.0.1.1 localhost

But it is sending a request for the wrong zone:
Kerberos: ENC-TS Pre-authentication succeeded --
LUBUNTU-LAPTOP$@HH3.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-05-20T14:01:35 starttime: unset endtime:
2014-05-21T00:01:35 renew till: 2014-05-21T14:01:35
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40240
for ldap/hh16.hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-05-20T14:01:35 starttime:
2014-05-20T14:01:35 endtime: 2014-05-21T00:01:35 renew till:
2014-05-21T14:01:35
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40241
for DNS/a.root-servers.net at HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for a.root-servers.net
Kerberos: Returning a referral to realm ROOT-SERVERS.NET for server
DNS/a.root-servers.net at HH3.SITE that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=ROOT-SERVERS.NET)(trustPartner=ROOT-SERVERS.NET))):
got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database:
krbtgt/ROOT-SERVERS.NET at HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:40241
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40242
for DNS/a.root-servers.net at HH3.SITE [renewable]
Kerberos: Server not found in database: DNS/a.root-servers.net at HH3.SITE:
no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:40242
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40243
for DNS/a.root-servers.net at HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for a.root-servers.net
Kerberos: Returning a referral to realm ROOT-SERVERS.NET for server
DNS/a.root-servers.net at HH3.SITE that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=ROOT-SERVERS.NET)(trustPartner=ROOT-SERVERS.NET))):
got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database:
krbtgt/ROOT-SERVERS.NET at HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:40243
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40244
for DNS/a.root-servers.net at HH3.SITE [renewable]
Kerberos: Server not found in database: DNS/a.root-servers.net at HH3.SITE:
no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:40244
The worrying thing is that we can still get tickets even though it has
the wrong A record in DNS.
What is this 'a.root-servers.net' business? Why not our domain?
What have we overlooked?
Thanks,
Steve
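
Added example, not part of the original post: a Python triage helper for KDC log output like the one above, flagging TGS-REQs whose service host lies outside the realm's DNS domain. It assumes the realm name equals the DNS domain; the function name is hypothetical and the sample lines are constructed in the shape of the log in the post (wrapped lines, "@" archived as " at ").

```python
import re
from collections import Counter

# Constructed sample in the same shape as the KDC log in the post.
SAMPLE_LOG = """\
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40240
for ldap/hh16.hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40241
for DNS/a.root-servers.net at HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for a.root-servers.net
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40242
for DNS/a.root-servers.net at HH3.SITE [renewable]
"""

# client@REALM, source address, then service/host and the realm it was asked in.
# The realm separator is "@" in a live log and " at " in the list archive.
TGS_REQ = re.compile(
    r"TGS-REQ (?P<client>\S+?)@(?P<crealm>\S+) from ipv4:(?P<ip>[\d.]+):\d+ "
    r"for (?P<svc>[^/\s]+)/(?P<host>[^@\s]+)(?:@| at )(?P<realm>[^\s\[]+)"
)


def out_of_realm_requests(log_text):
    """Count TGS-REQs per (client, source IP, service principal) where the
    service host is not inside the realm's DNS domain (assumed == realm name)."""
    # Log entries are wrapped across lines; collapse whitespace to rejoin them.
    flat = " ".join(log_text.split())
    hits = Counter()
    for m in TGS_REQ.finditer(flat):
        host = m["host"].lower().rstrip(".")
        domain = m["realm"].lower()
        if host != domain and not host.endswith("." + domain):
            hits[(m["client"], m["ip"], f'{m["svc"]}/{host}')] += 1
    return hits


if __name__ == "__main__":
    for (client, ip, spn), n in out_of_realm_requests(SAMPLE_LOG).items():
        print(f"{n}x {client} from {ip} requested {spn}")
```
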