[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)
L.P.H. van Belle
belle at bazuin.nl
Fri Mar 20 01:42:51 MDT 2015
Try changing your resolv.conf from:
>nameserver 127.0.0.1
>domain intranet.mayweg.net
to
nameserver 192.168.11.250
search intranet.mayweg.net
>The only thing I was unsure about, was which hostname to enter
>for Kerberos
>Server and Kerberos admin server when asked during the
>installation of the
>packages..
Try these default settings for Kerberos.
You didn't have to enter the hostname; only the default Kerberos domain name is needed.
A copy-paste for you:
echo "krb5-config krb5-config/add_servers_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
echo "krb5-config krb5-config/read_conf boolean true" | debconf-set-selections
echo "krb5-config krb5-config/kerberos_servers string " | debconf-set-selections
echo "krb5-config krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
echo "krb5-config krb5-config/admin_server string " | debconf-set-selections
echo "krb5-config krb5-config/dns_for_default boolean true" | debconf-set-selections
dpkg-reconfigure -plow krb5-config
And if you want to point to a Kerberos server:
echo "krb5-config krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections
But it's not needed; man krb5.conf tells you enough.
After the changes, type:
host -t SRV _kerberos._udp.intranet.mayweg.net
If you get "not found", then we need to analyze more.
If you want to start with a "clean server",
just have a look here:
https://secure.bazuin.nl/scripts/
I added 2 simple scripts: a Debian wheezy-backports and a Debian jessie script.
The jessie script is basically the wheezy-backports version, but without the backports repo.
It's a set with minimal changes to the system, and uses the defaults wherever possible.
If you look in the script,
these settings MUST be set.
Settings you must change are :
NTPD_SERVER1_EXTERNAL
NTPD_RESTRICT_INTERFACE (if you don't have an eth0)
BIND9_NETWORKS
SAMBA_DC1_IP
SAMBA_NT_DOMAIN
SAMBA_SITE_NAME
optional:
SAMBA_PASS_POLICY_CHANGE
SAMBA_TEMPLATE_HOMEDIR
SAMBA_TEMPLATE_SHELL
and last:
CONFIGURED
All other options are optional.
If you have a different DNS domain name and Kerberos domain,
you must change that, etc.
Greetz,
Louis
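As an added example (not from this thread, and not one of the bazuin.nl scripts): a small POSIX sh pre-flight script that checks the same three things the reply above tells you to look at before running samba_dnsupdate on a DC: that resolv.conf points at the DC's own address with a "search" line (not 127.0.0.1 with "domain"), that default_realm in krb5.conf matches realm in smb.conf, and that "host -t SRV _kerberos._udp.<domain>" actually returns a KDC. The parsing functions take file contents or command output so they can be checked offline; only "--live" runs the real lookup. The DC address, hostname, realm and domain are the ones posted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: pre-flight DNS/Kerberos checks for a Samba AD DC.
# Not part of the mailing-list thread or any Samba/bazuin.nl script.

# check_resolv_conf FILE DC_IP DOMAIN
# Returns 0 when FILE names DC_IP as nameserver and has "search DOMAIN",
# 1 otherwise; prints one diagnostic per problem found.
check_resolv_conf() {
    file=$1; dc_ip=$2; domain=$3; rc=0
    if grep -Eq '^nameserver[[:space:]]+127\.0\.0\.1([[:space:]]|$)' "$file"; then
        echo "resolv.conf: nameserver 127.0.0.1; point it at the DC address $dc_ip"
        rc=1
    fi
    if ! grep -Eq "^nameserver[[:space:]]+$dc_ip([[:space:]]|\$)" "$file"; then
        echo "resolv.conf: no 'nameserver $dc_ip' line"
        rc=1
    fi
    if grep -Eq '^domain[[:space:]]' "$file"; then
        echo "resolv.conf: uses 'domain'; use 'search $domain' instead"
        rc=1
    fi
    if ! grep -Eq "^search[[:space:]]+(.*[[:space:]])?$domain([[:space:]]|\$)" "$file"; then
        echo "resolv.conf: no 'search $domain' line"
        rc=1
    fi
    return $rc
}

# krb5_default_realm KRB5_CONF  -> prints default_realm from [libdefaults]
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# smb_realm SMB_CONF  -> prints "realm =" from smb.conf
smb_realm() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# srv_targets  (reads "host -t SRV ..." output on stdin)
# Prints the target host of every SRV record, trailing dot stripped.
# Returns 1 when no record is present (e.g. "not found: 3(NXDOMAIN)").
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# run_live_checks DC_IP DC_FQDN DOMAIN  (needs a working resolver; not run in tests)
run_live_checks() {
    dc_ip=$1; dc_fqdn=$2; domain=$3; status=0
    check_resolv_conf /etc/resolv.conf "$dc_ip" "$domain" || status=1
    k=$(krb5_default_realm /etc/krb5.conf); s=$(smb_realm /etc/samba/smb.conf)
    if [ "$k" != "$s" ]; then
        echo "realm mismatch: krb5.conf '$k' vs smb.conf '$s'"; status=1
    fi
    kdcs=$(host -t SRV "_kerberos._udp.$domain" | srv_targets) || {
        echo "no SRV record for _kerberos._udp.$domain; kinit cannot find a KDC"
        return 1
    }
    echo "$kdcs" | grep -qx "$dc_fqdn" || {
        echo "KDC SRV record does not point at $dc_fqdn: $kdcs"; status=1
    }
    return $status
}

# Usage (on the DC from the thread):
#   sh dc-preflight.sh --live 192.168.11.250 server06.intranet.mayweg.net intranet.mayweg.net
if [ "${1:-}" = "--live" ]; then
    run_live_checks "$2" "$3" "$4"
fi
```

A non-zero exit from the live run tells you which of the three prerequisites kinit and samba_dnsupdate depend on is missing before you go digging into BIND's dlopen driver or keytab permissions.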
>-----Original message-----
>From: olol13.samba at the-1337.org
>[mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>Sent: Friday 20 March 2015 0:04
>To: Peter Serbe; samba at lists.samba.org; Rowland Penny -
>repenny241155 at gmail.com
>Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>(sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>contact any KDC for requested realm)
>
>OK, I set up a new machine with Debian Jessie and checked and installed
>everything from OS requirements in the wiki (
>https://wiki.samba.org/index.php/OS_Requirements ).
>The only thing I was unsure about was which hostname to enter for
>Kerberos Server and Kerberos admin server when asked during the
>installation of the packages... I used krb.intranet.mayweg.net.
>Now, after the classicupgrade kinit isn't working anymore... I get the
>same error I get when trying samba_dnsupdate:
>kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET'
>while getting initial credentials.
>
>One step I did not do as stated in the wiki is configuring bind with
>--with-gssapi=/usr/include/gssapi
>--with-dlopen=yes.
>Once again the dlopen driver seems to work in this version,
>but I have no
>idea about the first part. Should I build bind myself with the
>first option?
>@Rowland, did you have a working bind installation before you
>upgraded/provisioned your domain?
>
>@Peter There is no file called namedb in /etc/bind, but the
>whole folder is
>writeable for user bind.
>
>My configs, now mostly adapted from Rowland's working configuration, are:
>
>/etc/network/interfaces:
>auto lo
>iface lo inet loopback
>
>auto eth0
>iface eth0 inet static
> address 192.168.11.250
> network 192.168.11.0
> netmask 255.255.255.0
> broadcast 192.168.11.255
>
>/etc/hosts:
>127.0.0.1 localhost
>192.168.11.250 server06.intranet.mayweg.net server06 krb
>
># The following lines are desirable for IPv6 capable hosts
>::1 localhost ip6-localhost ip6-loopback
>ff02::1 ip6-allnodes
>ff02::2 ip6-allrouters
>
>/etc/resolv.conf:
>nameserver 127.0.0.1
>domain intranet.mayweg.net
>
>/etc/bind/named.conf:
>include "/etc/bind/named.conf.options";
>include "/etc/bind/named.conf.local";
>include "/etc/bind/named.conf.default-zones";
>include "/var/lib/samba/private/named.conf";
>
>/etc/bind/named.conf.options:
>options {
>directory "/var/cache/bind";
>dnssec-validation no;
>auth-nxdomain no; # conform to RFC1035
>listen-on-v6 { any; };
>tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>};
>
>/var/lib/samba/private/named.conf:
> database "dlopen
>/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>
>/etc/krb5.conf:
>[libdefaults]
>default_realm = INTRANET.MAYWEG.NET
>dns_lookup_realm = false
>dns_lookup_kdc = true
>
>/etc/samba/smb.conf:
># Global parameters
>[global]
>workgroup = MAYWEG.NET
>realm = INTRANET.MAYWEG.NET
>netbios name = SERVER06
>interfaces = lo, eth0
>bind interfaces only = Yes
>server role = active directory domain controller
>server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>drepl, winbind,
>ntp_signd, kcc, dnsupdate
>idmap_ldb:use rfc2307 = yes
>
>[netlogon]
>path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>read only = No
>
>[sysvol]
>path = /var/lib/samba/sysvol
>read only = No
>
>
>On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>
>>
>>
>> Timo Altun schrieb am 19.03.2015 10:30:
>>
>> > As I wrote in my first mail, Kerberos does work. I can successfully
>> > request and list a ticket on the AD DC.
>>
>> OK, then next things, which come to my mind are:
>> is the keytab, you set in named.conf.options readable
>> for the user, under which bind is run.
>>
>> Then, is the /etc/bind/namedb writable for bind.
>>
>> And in the end, it might be a screwed up installation.
>> I had troubles with dynamic updates a long time ago,
>> when it turned out, that I screwed something up during
>> the installation.
>>
>> HTH
>> - Peter
>>
>>