[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

L.P.H. van Belle belle at bazuin.nl
Fri Mar 20 01:42:51 MDT 2015

Try changing your resolv.conf from:
>domain intranet.mayweg.net

to:

search intranet.mayweg.net

>The only thing I was unsure about, was which hostname to enter 
>for Kerberos
>Server and Kerberos admin server when asked during the 
>installation of the

Try these default settings for Kerberos.
You didn't have to enter the hostname; only the default Kerberos domain name is needed.

A copy-paste for you.

    echo "krb5-config     krb5-config/add_servers_realm     string INTRANET.MAYWEG.NET" | debconf-set-selections
    echo "krb5-config     krb5-config/read_conf   boolean true" | debconf-set-selections
    echo "krb5-config     krb5-config/kerberos_servers string " | debconf-set-selections
    echo "krb5-config     krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
    echo "krb5-config     krb5-config/add_servers boolean false" | debconf-set-selections
    echo "krb5-config     krb5-config/admin_server string " | debconf-set-selections
    echo "krb5-config     krb5-config/dns_for_default boolean true" | debconf-set-selections
    dpkg-reconfigure -plow krb5-config

And if you want to point to a Kerberos server:
    echo "krb5-config     krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections

But it's not needed; man krb5.conf tells you enough.

After the changes, type:
host -t SRV _kerberos._udp.intranet.mayweg.net
If you get "not found", then we need to analyze more.

If you want to start with a "Clean server" 
just have a look here. 


I added 2 simple scripts: a Debian wheezy backported and a Debian jessie script.
The jessie script is basically the wheezy backported version, but without the backports repo.
It's a set with minimal changes to the system, and it uses the defaults where possible.

If you look in the script, these settings MUST be set.
Settings you must change are:

NTPD_RESTRICT_INTERFACE (if you don't have an eth0)


And last:

All other options are optional.
If you have a different DNS domain name and Kerberos domain,
you must change that, etc.



>-----Original message-----
>From: olol13.samba at the-1337.org 
>[mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>Sent: Friday, 20 March 2015 0:04
>To: Peter Serbe; samba at lists.samba.org; Rowland Penny - 
>repenny241155 at gmail.com
>Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working. 
>samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: 
>(sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot 
>contact any KDC for requested realm)
>Ok, I setup a new machine with Debian Jessie and checked and installed
>everything from OS requirements in the wiki (
>https://wiki.samba.org/index.php/OS_Requirements ).
>The only thing I was unsure about, was which hostname to enter 
>for Kerberos
>Server and Kerberos admin server when asked during the 
>installation of the
>packages...I used krb.intranet.mayweg.net.
>Now, after the classicupgrade kinit isn't working anymore...I 
>get the same
>error I get when trying samba_dnsupdate:
>kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' 
>while getting
>initial credentials.
>One step I did not do as stated in the wiki is configuring bind with
>Once again the dlopen driver seems to work in this version, 
>but I have no
>idea about the first part. Should I build bind myself with the 
>first option?
>@Rowland, did you have a working bind installation before you
>upgraded/provisioned your domain?
>@Peter There is no file called namedb in /etc/bind, but the 
>whole folder is
>writeable for user bind.
>My configs, now mostly adapted from Rowland's working configuration, are:
>auto lo
>iface lo inet loopback
>auto eth0
>iface eth0 inet static
>        address
>        network
>        netmask
>        broadcast
>       localhost
>  server06.intranet.mayweg.net    server06  krb
># The following lines are desirable for IPv6 capable hosts
>::1     localhost ip6-localhost ip6-loopback
>ff02::1 ip6-allnodes
>ff02::2 ip6-allrouters
>domain intranet.mayweg.net
>include "/etc/bind/named.conf.options";
>include "/etc/bind/named.conf.local";
>include "/etc/bind/named.conf.default-zones";
>include "/var/lib/samba/private/named.conf";
>options {
>directory "/var/cache/bind";
>dnssec-validation no;
>auth-nxdomain no;    # conform to RFC1035
>listen-on-v6 { any; };
>tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>    database "dlopen 
>default_realm = INTRANET.MAYWEG.NET
>dns_lookup_realm = false
>dns_lookup_kdc = true
># Global parameters
>workgroup = MAYWEG.NET
>netbios name = SERVER06
>interfaces = lo, eth0
>bind interfaces only = Yes
>server role = active directory domain controller
>server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>drepl, winbind,
>ntp_signd, kcc, dnsupdate
>idmap_ldb:use rfc2307 = yes
>path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>read only = No
>path = /var/lib/samba/sysvol
>read only = No
>On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>> Timo Altun wrote on 19.03.2015 10:30:
>> > As I wrote in my first mail, Kerberos does work. I can successfully
>> request
>> > and list a ticket on the AD DC.
>> OK, then next things, which come to my mind are:
>> is the keytab, you set in named.conf.options readable
>> for the user, under which bind is run.
>> Then, is the /etc/bind/namedb writable for bind.
>> And in the end, it might be a screwed up installation.
>> I had troubles with dynamic updates a long time ago,
>> when it turned out, that I screwed something up during
>> the installation.
>> HTH
>> - Peter
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
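The checks suggested in this thread (a `search` rather than `domain` line in resolv.conf, a correctly cased `default_realm` in krb5.conf, DNS-based KDC discovery via the `_kerberos._udp` SRV record) collected into one pre-flight script. This is an added example, not code from the list post or from the Samba project; the realm and domain names are the ones used in the thread, the file contents in the test are constructed, and `check_srv` is a live check that needs the `host` tool and a reachable DNS server.

```sh
#!/bin/sh
# Added example (not from the list post): pre-flight checks for the
# Kerberos/DNS setup discussed in the thread. Realm INTRANET.MAYWEG.NET
# and domain intranet.mayweg.net are taken from the thread.

# Emit debconf preseed lines for krb5-config that rely on DNS SRV lookup
# for the KDC (no hardcoded kerberos_servers / admin_server).
# Usage: preseed_krb5 INTRANET.MAYWEG.NET | debconf-set-selections
#        dpkg-reconfigure -plow krb5-config
preseed_krb5() {
    realm=$1
    printf 'krb5-config krb5-config/default_realm string %s\n' "$realm"
    printf 'krb5-config krb5-config/add_servers_realm string %s\n' "$realm"
    printf 'krb5-config krb5-config/add_servers boolean false\n'
    printf 'krb5-config krb5-config/kerberos_servers string \n'
    printf 'krb5-config krb5-config/admin_server string \n'
    printf 'krb5-config krb5-config/dns_for_default boolean true\n'
    printf 'krb5-config krb5-config/read_conf boolean true\n'
}

# resolv.conf must carry the AD DNS domain on a 'search' line; a bare
# 'domain' line is what the thread tells the poster to replace.
# Returns 0 = ok, 1 = only 'domain <dom>' present, 2 = neither present.
# (Dots in the domain are left unescaped; they still match themselves.)
check_resolv_conf() {
    file=$1; domain=$2
    if grep -Eq "^search[[:space:]]+(.*[[:space:]])?$domain([[:space:]]|\$)" "$file"; then
        return 0
    elif grep -Eq "^domain[[:space:]]+$domain" "$file"; then
        return 1
    fi
    return 2
}

# krb5.conf default_realm must match the realm exactly; Kerberos realms
# are case-sensitive and AD realms are upper-case, so a lower-case value
# typed during package configuration yields "Cannot contact any KDC".
check_default_realm() {
    file=$1; realm=$2
    got=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$file" \
          | head -n1 | tr -d '[:space:]')
    [ "$got" = "$realm" ]
}

# Live check: the DC must publish the SRV records that dns_lookup_kdc
# and samba_dnsupdate depend on. 'host' exits non-zero on "not found".
check_srv() {
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for rr in _kerberos._udp _kerberos._tcp _ldap._tcp; do
        host -t SRV "$rr.$lc" || return 1
    done
}

# Run all checks against the live system for the given realm.
main() {
    realm=${1:-INTRANET.MAYWEG.NET}
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    check_resolv_conf /etc/resolv.conf "$domain"
    rc=$?
    case $rc in
        0) echo "ok: /etc/resolv.conf searches $domain" ;;
        1) echo "fix: /etc/resolv.conf uses 'domain $domain'; use 'search $domain'" ;;
        *) echo "fix: /etc/resolv.conf has no search line for $domain" ;;
    esac
    if check_default_realm /etc/krb5.conf "$realm"; then
        echo "ok: default_realm = $realm"
    else
        echo "fix: default_realm in /etc/krb5.conf is not exactly $realm"
    fi
    if check_srv "$realm"; then
        echo "ok: SRV records for $domain resolve"
    else
        echo "fix: SRV lookup failed; check the DNS server in resolv.conf and the DC zone"
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-krb-dns.sh INTRANET.MAYWEG.NET` on the DC; each "fix:" line points at one of the misconfigurations discussed in the thread.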
