[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

Rowland Penny rowlandpenny at googlemail.com
Fri Mar 20 03:21:30 MDT 2015


On 20/03/15 09:02, Timo Altun wrote:
> Thank you Louis for that answer! Actually I did get kinit and
> samba_dnsupdate working, though I am unsure how. I tried some changes to
> krb5.conf in the [realms] and [domain_realm] sections, as well as
> setting dns_lookup_realm = false to true, but reverted it all back to the
> initial file:
>
> [libdefaults]
> default_realm = INTRANET.MAYWEG.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> After a reboot, both kinit and samba_dnsupdate worked on the host machine.
> Shares can be accessed, RSAT tools are working. From the linux fileserver
> nslookup and ping work for hostnames of domain members, dig command does not
> get an answer. The windows machines can nslookup and ping everything but
> the linux machine. Somehow it did not generate an entry in the DNS Server.
> Is this normal behavior for linux domain members and I need to create the
> DNS entry manually or is something still amiss?
>
> Greetings and thanks for the help so far,
> Timo
>
>
> On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>> Try change your resolv.conf from :
>>> nameserver 127.0.0.1
>>> domain intranet.mayweg.net
>> to
>> nameserver 192.168.11.250
>> search intranet.mayweg.net
>>
>>> The only thing I was unsure about, was which hostname to enter
>>> for Kerberos
>>> Server and Kerberos admin server when asked during the
>>> installation of the
>>> packages..
>> Try these default settings for Kerberos..
>> You didn't have to enter the hostname, only the default Kerberos domain
>> name is needed.
>>
>> a copy-paste for you.
>>
>>      echo "krb5-config     krb5-config/add_servers_realm     string INTRANET.MAYWEG.NET" | debconf-set-selections
>>      echo "krb5-config     krb5-config/read_conf   boolean true" | debconf-set-selections
>>      echo "krb5-config     krb5-config/kerberos_servers string " | debconf-set-selections
>>      echo "krb5-config     krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>>      echo "krb5-config     krb5-config/add_servers boolean false" | debconf-set-selections
>>      echo "krb5-config     krb5-config/admin_server string " | debconf-set-selections
>>      echo "krb5-config     krb5-config/dns_for_default boolean true" | debconf-set-selections
>>      dpkg-reconfigure -plow krb5-config
>>
>> and if you want to point to a kerberos server.
>>      echo "krb5-config     krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections
>>
>> but it's not needed; man krb5.conf tells you enough.
>>
>> after the changes, type:
>> host -t SRV _kerberos._udp.intranet.mayweg.net
>> if you get "not found", then we need to analyze more.
>>
>>
>>
>> If you want to start with a "Clean server"
>> just have a look here.
>>
>> https://secure.bazuin.nl/scripts/
>>
>> I added 2 simple scripts: a Debian Wheezy backported and a Debian Jessie
>> script.
>> The Jessie script is basically the Wheezy backported version, but without
>> the backports repo.
>> It's a set with minimal changes to the system, and uses the defaults
>> where possible.
>>
>> If you look in the script,
>> these settings MUST be set.
>> Settings you must change are :
>>
>> NTPD_SERVER1_EXTERNAL
>> NTPD_RESTRICT_INTERFACE (if you don't have an eth0)
>> BIND9_NETWORKS
>> SAMBA_DC1_IP
>> SAMBA_NT_DOMAIN
>> SAMBA_SITE_NAME
>>
>> optional:
>> SAMBA_PASS_POLICY_CHANGE
>> SAMBA_TEMPLATE_HOMEDIR
>> SAMBA_TEMPLATE_SHELL
>>
>>
>> and as last :
>> CONFIGURED
>>
>> All other options are optional.
>> If you have a different DNS domain name and Kerberos domain,
>> you must change that, etc.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: olol13.samba at the-1337.org
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>>> Sent: Friday 20 March 2015 0:04
>>> To: Peter Serbe; samba at lists.samba.org; Rowland Penny -
>>> repenny241155 at gmail.com
>>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>>> samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>>> (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>>> contact any KDC for requested realm)
>>>
>>> Ok, I setup a new machine with Debian Jessie and checked and installed
>>> everything from OS requirements in the wiki (
>>> https://wiki.samba.org/index.php/OS_Requirements ).
>>> The only thing I was unsure about, was which hostname to enter for Kerberos
>>> Server and Kerberos admin server when asked during the installation of the
>>> packages...I used krb.intranet.mayweg.net.
>>> Now, after the classicupgrade kinit isn't working anymore...I get the same
>>> error I get when trying samba_dnsupdate:
>>> kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' while getting
>>> initial credentials.
>>>
>>> One step I did not do as stated in the wiki is configuring bind with
>>> --with-gssapi=/usr/include/gssapi
>>> --with-dlopen=yes.
>>> Once again the dlopen driver seems to work in this version, but I have no
>>> idea about the first part. Should I build bind myself with the first option?
>>> @Rowland, did you have a working bind installation before you
>>> upgraded/provisioned your domain?
>>>
>>> @Peter There is no file called namedb in /etc/bind, but the whole folder is
>>> writeable for user bind.
>>>
>>> My configs, now mostly adapted from Rowland's working configuration, are:
>>>
>>> /etc/network/interfaces:
>>> auto lo
>>> iface lo inet loopback
>>>
>>> auto eth0
>>> iface eth0 inet static
>>>         address         192.168.11.250
>>>         network         192.168.11.0
>>>         netmask         255.255.255.0
>>>         broadcast       192.168.11.255
>>>
>>> /etc/hosts:
>>> 127.0.0.1       localhost
>>> 192.168.11.250  server06.intranet.mayweg.net    server06  krb
>>>
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1     localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>> /etc/resolv.conf:
>>> nameserver 127.0.0.1
>>> domain intranet.mayweg.net
>>>
>>> /etc/bind/named.conf:
>>> include "/etc/bind/named.conf.options";
>>> include "/etc/bind/named.conf.local";
>>> include "/etc/bind/named.conf.default-zones";
>>> include "/var/lib/samba/private/named.conf";
>>>
>>> /etc/bind/named.conf.options:
>>> options {
>>> directory "/var/cache/bind";
>>> dnssec-validation no;
>>> auth-nxdomain no;    # conform to RFC1035
>>> listen-on-v6 { any; };
>>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>> };
>>>
>>> /var/lib/samba/private/named.conf:
>>>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>>
>>> /etc/krb5.conf:
>>> [libdefaults]
>>> default_realm = INTRANET.MAYWEG.NET
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> /etc/samba/smb.conf:
>>> # Global parameters
>>> [global]
>>> workgroup = MAYWEG.NET
>>> realm = INTRANET.MAYWEG.NET
>>> netbios name = SERVER06
>>> interfaces = lo, eth0
>>> bind interfaces only = Yes
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>>
>>> On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>>>
>>>>
>>>> Timo Altun schrieb am 19.03.2015 10:30:
>>>>
>>>>> As I wrote in my first mail, Kerberos does work. I can successfully
>>>>> request and list a ticket on the AD DC.
>>>> OK, then next things, which come to my mind are:
>>>> is the keytab you set in named.conf.options readable
>>>> for the user under which bind is run?
>>>>
>>>> Then, is the /etc/bind/namedb writable for bind?
>>>>
>>>> And in the end, it might be a screwed up installation.
>>>> I had troubles with dynamic updates a long time ago,
>>>> when it turned out, that I screwed something up during
>>>> the installation.
>>>>
>>>> HTH
>>>> - Peter
>>>>
>>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>

Can you post the smb.conf from the Linux fileserver?

Rowland
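The two checks Louis walks through by hand above (the `host -t SRV _kerberos._udp.intranet.mayweg.net` lookup that `dns_lookup_kdc = true` relies on, and the resolv.conf change from a loopback nameserver to the DC's address) as one added example. This is example code written for this archive page, not code from the thread, from Samba or from any of the posters: it builds and parses the SRV query for the realm's KDC record itself so the logic is visible, and inspects a resolv.conf for the conditions discussed. The realm, DC address and hostnames are taken from the thread; the embedded DNS reply is constructed for offline use, not a capture; all function names are mine.

```python
"""Added diagnostic: KDC discovery via DNS SRV, plus a resolv.conf sanity check.
Example code for the thread's checks; not part of Samba or the original mails."""
import socket
import struct
import sys

SRV, IN = 33, 1  # DNS RR type SRV and class IN


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_srv_query(name: str, txn_id: int = 0x1234) -> bytes:
    """One-question DNS query for an SRV record, recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, IN)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_srv_response(msg: bytes):
    """Return (rcode, [(priority, weight, port, target), ...]) from a DNS reply."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0xF, sorted(records)


def query_kdc_srv(realm: str, nameserver: str, timeout: float = 3.0):
    """Ask `nameserver` for _kerberos._udp.<realm>; returns (rcode, records)."""
    qname = f"_kerberos._udp.{realm.lower()}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(qname), (nameserver, 53))
        data, _ = sock.recvfrom(4096)  # TC bit ignored: KDC SRV answers are small
    return parse_srv_response(data)


def check_resolv_conf(text: str, dc_ip: str, dns_domain: str):
    """Findings for the resolv.conf problems the thread discusses (empty = fine)."""
    nameservers, suffixes = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver":
            nameservers.extend(parts[1:])
        elif parts[0] in ("search", "domain"):
            suffixes.extend(parts[1:])
    findings = []
    if dc_ip not in nameservers:
        findings.append(f"nameserver list {nameservers} does not include the DC {dc_ip}")
    if any(ns.startswith("127.") for ns in nameservers):
        findings.append("loopback nameserver: KDC SRV lookups depend on the local resolver")
    if dns_domain.lower() not in [s.lower() for s in suffixes]:
        findings.append(f"no search/domain entry for {dns_domain}")
    return findings


def constructed_sample_response() -> bytes:
    """Constructed reply (not a real capture): one SRV record for the DC on port 88."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("_kerberos._udp.intranet.mayweg.net") + struct.pack("!HH", SRV, IN)
    # Owner name points at offset 12 (the question name); the target reuses the
    # "intranet.mayweg.net" labels at offset 27 through a compression pointer.
    rdata = struct.pack("!HHH", 0, 100, 88) + b"\x08server06" + b"\xc0\x1b"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, 900, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    realm = sys.argv[1] if len(sys.argv) > 1 else "INTRANET.MAYWEG.NET"
    ns = sys.argv[2] if len(sys.argv) > 2 else "192.168.11.250"
    rcode, recs = query_kdc_srv(realm, ns)
    print("rcode", rcode, "KDCs", recs or "none (kinit cannot locate a KDC via DNS)")
```

Run it as `python3 kdc_check.py INTRANET.MAYWEG.NET 192.168.11.250` on the domain member to see whether the DC's DNS returns an SRV record for the KDC; an empty list (or rcode 3, NXDOMAIN) is what produces "Cannot contact any KDC for realm" when `dns_lookup_kdc = true` and no `[realms]` entry is configured. `check_resolv_conf` takes the file contents as a string so it can be applied to the resolv.conf quoted in the thread before and after Louis's change.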


