[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems

Peter Serbe peter at serbe.ch
Thu Mar 12 15:57:32 MDT 2015



Matthias Busch wrote on 12.03.2015 22:08:


> --- this is my /etc/krb5.conf
> 
> [libdefaults]
>         default_realm = MY-DOMAIN.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

add these (partly done below)
        forwardable = true
        renewable = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        debug = false

delete from here .....

> 
> 
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
> 
> # The following libdefaults parameters are only for Heimdal Kerberos.
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true

.... to here.

> 
> [realms]
>         MY-DOMAIN.LOCAL = {
>                 kdc = adserver.my-domain.local			<-- tried with adserver
>                 admin_server = adserver.my-domain.local		and
>                 adserver.my-domain.local

add:
          default_domain = my-domain.local

>			}

delete from here ......


> 
>	... lots of .MIT.EDU entries ...
> 

.... to here

> [domain_realm]

should be:
       .my-domain.local = MY-DOMAIN.LOCAL
       my-domain.local = MY-DOMAIN.LOCAL

[logging]
        # kdc = /var/log/kdc.log
        # admin_server = /var/log/kadmin.log
        default = /var/log/kdc.log

delete the remaining stuff...


>         .mit.edu = ATHENA.MIT.EDU
>         mit.edu = ATHENA.MIT.EDU
>         .media.mit.edu = MEDIA-LAB.MIT.EDU
>         media.mit.edu = MEDIA-LAB.MIT.EDU
>         .csail.mit.edu = CSAIL.MIT.EDU
>         csail.mit.edu = CSAIL.MIT.EDU
>         .whoi.edu = ATHENA.MIT.EDU
>         whoi.edu = ATHENA.MIT.EDU
>         .stanford.edu = stanford.edu
>         .slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
> 
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
> 
> 

Regarding the nsswitch.conf I am a bit clueless. I use sssd, and therefore 
nearly all the lines got an sss as second entry. Maybe winbind would be 
the correct one for you. But this should be examined _after_ Kerberos is 
working OK. At least we now know that Kerberos couldn't have worked with 
this configuration. Btw, we would like to check the smb.conf, too...

HTH
Peter
 
> --- this is my /etc/nsswitch.conf:
> 
> passwd:         compat
> group:          compat
> shadow:         compat
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> ---
> 
> Matze
> 
> 
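A small checker for the krb5.conf issues raised in the reply above (missing [domain_realm] mappings for the default realm, sample mappings to other realms, Kerberos 4 leftovers). This is an added example, not part of the original message or of Samba; the names parse_krb5 and check_krb5 are hypothetical, the sample file is constructed, and it assumes the DNS domain is the lower-cased realm name, as on the page.

```python
import re

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}."""
    conf, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        sec = re.fullmatch(r"\[(\w+)\]", line)
        if sec:
            stack = [conf.setdefault(sec.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = {} if val == "{" else val
            if val == "{":
                stack.append(stack[-1][key])
    return conf

def check_krb5(text):
    """Return findings for the issues raised in the reply above."""
    conf, out = parse_krb5(text), []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["libdefaults: default_realm is not set"]
    # Assumption, as on the page: DNS domain is the lower-cased realm name.
    dom, dr = realm.lower(), conf.get("domain_realm", {})
    out += [f"domain_realm: missing '{n} = {realm}'"
            for n in ("." + dom, dom) if dr.get(n) != realm]
    out += [f"domain_realm: '{n}' maps to other realm {t}"
            for n, t in dr.items() if t != realm]
    out += [f"{sec}: Kerberos 4 leftover '{key}'"
            for sec, keys in conf.items() for key in keys
            if key.startswith(("krb4_", "v4_"))]
    return out

# Constructed sample, abridged from the quoted file before the edits.
BEFORE = """[libdefaults]
default_realm = MY-DOMAIN.LOCAL
krb4_config = /etc/krb.conf
v4_instance_resolve = false
[realms]
MY-DOMAIN.LOCAL = {
    kdc = adserver.my-domain.local
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
"""

if __name__ == "__main__":
    print("\n".join(check_krb5(BEFORE)))
```

Only top-level keys of each section are inspected for Kerberos 4 leftovers, and a repeated key (such as several kdc lines) keeps its last value.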


