[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

Timo Altun olol13.samba at the-1337.org
Thu Mar 19 17:03:57 MDT 2015


Ok, I set up a new machine with Debian Jessie and checked and installed
everything from OS requirements in the wiki (
https://wiki.samba.org/index.php/OS_Requirements ).
The only thing I was unsure about was which hostname to enter for Kerberos
server and Kerberos admin server when asked during the installation of the
packages... I used krb.intranet.mayweg.net.
Now, after the classicupgrade, kinit isn't working anymore... I get the same
error I get when trying samba_dnsupdate:
kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' while getting
initial credentials.

One step I did not do as stated in the wiki is configuring bind with
--with-gssapi=/usr/include/gssapi
--with-dlopen=yes.
Once again the dlopen driver seems to work in this version, but I have no
idea about the first part. Should I build bind myself with the first option?
@Rowland, did you have a working bind installation before you
upgraded/provisioned your domain?

@Peter There is no file called namedb in /etc/bind, but the whole folder is
writeable for user bind.

My configs, now mostly adapted from Rowland's working configuration, are:

/etc/network/interfaces:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address         192.168.11.250
        network         192.168.11.0
        netmask         255.255.255.0
        broadcast       192.168.11.255

/etc/hosts:
127.0.0.1       localhost
192.168.11.250  server06.intranet.mayweg.net    server06  krb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/resolv.conf:
nameserver 127.0.0.1
domain intranet.mayweg.net

/etc/bind/named.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
dnssec-validation no;
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

/var/lib/samba/private/named.conf:
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

/etc/krb5.conf:
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = false
dns_lookup_kdc = true

/etc/samba/smb.conf:
# Global parameters
[global]
workgroup = MAYWEG.NET
realm = INTRANET.MAYWEG.NET
netbios name = SERVER06
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:

>
>
> Timo Altun schrieb am 19.03.2015 10:30:
>
> > As I wrote in my first mail, Kerberos does work. I can successfully
> > request and list a ticket on the AD DC.
>
> OK, then next things, which come to my mind are:
> is the keytab, you set in named.conf.options readable
> for the user, under which bind is run.
>
> Then, is the /etc/bind/namedb writable for bind.
>
> And in the end, it might be a screwed up installation.
> I had troubles with dynamic updates a long time ago,
> when it turned out, that I screwed something up during
> the installation.
>
> HTH
> - Peter
>
>
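With dns_lookup_kdc = true and resolv.conf pointing at 127.0.0.1, kinit locates the KDC by asking the local bind for the SRV record _kerberos._udp.INTRANET.MAYWEG.NET; if bind is not actually serving the Samba zone through the DLZ module, that lookup comes back empty and kinit reports "Cannot contact any KDC" even though the KDC process is running. The following added example (my own diagnostic, not code from the thread or from Samba) reproduces that lookup with a hand-built DNS query so the answer bind gives can be inspected directly; the realm, host name and the sample reply are constructed from the configs quoted above.

```python
import socket, struct

def build_srv_query(realm, txn_id=0x1337):
    # The query kinit sends when dns_lookup_kdc = true: SRV record for _kerberos._udp.<realm>
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in f"_kerberos._udp.{realm.lower()}".split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 33, 1)  # QTYPE SRV, QCLASS IN

def _read_name(msg, off):
    # Decode a (possibly compressed) domain name; return (name, offset just after it)
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: rest of the name lives elsewhere
            ptr = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels), off + 1

def parse_srv_answer(msg):
    # Return sorted [(priority, weight, port, target)]; [] is what kinit reports as "Cannot contact any KDC"
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    kdcs = []
    for _ in range(ancount):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:  # SRV
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            kdcs.append((prio, weight, port, _read_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(kdcs)

def find_kdcs(realm, nameserver="127.0.0.1"):
    # Ask the resolver kinit uses (resolv.conf above points at the local bind) for the KDC list
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(build_srv_query(realm), (nameserver, 53))
        try:
            return parse_srv_answer(sock.recvfrom(4096)[0])
        except socket.timeout:  # bind did not answer at all
            return []

# Constructed sample reply (not captured from the poster's setup): one SRV record,
# server06.intranet.mayweg.net port 88, with the target name using a compression pointer.
SAMPLE_QUERY = build_srv_query("INTRANET.MAYWEG.NET")  # reuse its transaction id and question section
SAMPLE_REPLY = (SAMPLE_QUERY[:2] + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + SAMPLE_QUERY[12:]
                + b"\xc0\x0c\x00\x21\x00\x01\x00\x00\x03\x84\x00\x11\x00\x00\x00\x64\x00\x58\x08server06\xc0\x1b")
```

On the DC itself, `find_kdcs("INTRANET.MAYWEG.NET")` returning `[]` while `samba-tool` still lists the zone points at bind (keytab readability, the DLZ include, or the zone not being loaded) rather than at the KDC.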

