[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

L.P.H. van Belle belle at bazuin.nl
Fri Mar 20 04:01:13 MDT 2015


Can you run these commands and tell us the output.
( copy paste it. )

SETFQDN=$(hostname -f)
SETDNSDOMAIN=$(hostname -d)
SETHOSTNAME=$(hostname -s)
# note: on Debian "hostname -i" can return 127.0.1.1 if /etc/hosts maps the
# hostname there; check the value before it is written into DNS
SETSERVERIP=$(hostname -i)
echo "==========Test DNS Records  ==============================="
echo "Testing : dns entries"
# a record is treated as missing when host(1) prints "not found"
if ! host -t SRV "_ldap._tcp.${SETDNSDOMAIN}." | grep -q 'not found'; then
    echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
else
    echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
fi
if ! host -t SRV "_kerberos._udp.${SETDNSDOMAIN}." | grep -q 'not found'; then
    echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok"
else
    echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED"
fi
if ! host -t A "${SETHOSTNAME}.${SETDNSDOMAIN}." | grep -q 'not found'; then
    echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok"
else
    echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED"
    echo "trying to fix it now: "
    # samba-tool dns add <server> <zone> <name> <type> <data>
    samba-tool dns add "${SETHOSTNAME}.${SETDNSDOMAIN}" "${SETDNSDOMAIN}" "${SETHOSTNAME}" A "${SETSERVERIP}"
fi



>-----Original message-----
>From: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 20 March 2015 10:21
>To: samba at lists.samba.org
>Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)
>
>On 20/03/15 09:02, Timo Altun wrote:
>> Thank you Louis for that answer! Actually I did get kinit and
>> samba_dnsupdate working, though I am unsure how. I tried some changes to
>> krb5.conf in the [realms] and [domain_realm] sections, as well as
>> setting dns_lookup_realm = false to true, but reverted it all back to the
>> initial file:
>>
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> After a reboot, both kinit and samba_dnsupdate worked on the host machine.
>> Shares can be accessed, RSAT tools are working. From the linux fileserver
>> nslookup and ping work for hostnames of domain members, the dig command does
>> not get an answer. The windows machines can nslookup and ping everything but
>> the linux machine. Somehow it did not generate an entry in the DNS Server.
>> Is this normal behavior for linux domain members and I need to create the
>> DNS entry manually or is something still amiss?
>>
>> Greetings and thanks for the help so far,
>> Timo
>>
>>
>> On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>>> Try change your resolv.conf from :
>>>> nameserver 127.0.0.1
>>>> domain intranet.mayweg.net
>>> to
>>> nameserver 192.168.11.250
>>> search intranet.mayweg.net
>>>
>>>> The only thing I was unsure about, was which hostname to enter
>>>> for Kerberos
>>>> Server and Kerberos admin server when asked during the
>>>> installation of the
>>>> packages..
>>> Try these default settings for kerberos..
>>> You didn't have to enter the hostname, only the default kerberos domain
>>> name is needed.
>>>
>>> a copy paste for you.
>>>
>>>      echo "krb5-config     krb5-config/add_servers_realm     string INTRANET.MAYWEG.NET" | debconf-set-selections
>>>      echo "krb5-config     krb5-config/read_conf   boolean true" | debconf-set-selections
>>>      echo "krb5-config     krb5-config/kerberos_servers string " | debconf-set-selections
>>>      echo "krb5-config     krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>>>      echo "krb5-config     krb5-config/add_servers boolean false" | debconf-set-selections
>>>      echo "krb5-config     krb5-config/admin_server string " | debconf-set-selections
>>>      echo "krb5-config     krb5-config/dns_for_default boolean true" | debconf-set-selections
>>>      # -plow = ask even low-priority questions so the preseeded answers are applied
>>>      dpkg-reconfigure -plow krb5-config
>>>
>>> and if you want to point to a kerberos server.
>>>      echo "krb5-config     krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections
>>>
>>> but it's not needed, man krb5.conf tells you enough.
>>>
>>> after the changes, type:
>>> host -t SRV _kerberos._udp.intranet.mayweg.net
>>> if you get not found, then we need to analyze more.
>>>
>>>
>>>
>>> If you want to start with a "Clean server"
>>> just have a look here.
>>>
>>> https://secure.bazuin.nl/scripts/
>>>
>>> I added 2 simple scripts: a debian wheezy backported and a debian jessie
>>> script.
>>> The Jessie script is basically the wheezy backported version, but without
>>> the backports repo.
>>> It's a set with minimal changes to the system, and uses the defaults there
>>> where possible.
>>>
>>> If you look in the script,
>>> these settings MUST be set.
>>> Settings you must change are :
>>>
>>> NTPD_SERVER1_EXTERNAL
>>> NTPD_RESTRICT_INTERFACE ( if you don't have an eth0 )
>>> BIND9_NETWORKS
>>> SAMBA_DC1_IP
>>> SAMBA_NT_DOMAIN
>>> SAMBA_SITE_NAME
>>>
>>> optional:
>>> SAMBA_PASS_POLICY_CHANGE
>>> SAMBA_TEMPLATE_HOMEDIR
>>> SAMBA_TEMPLATE_SHELL
>>>
>>>
>>> and as last :
>>> CONFIGURED
>>>
>>> All other options are optional.
>>> If you have a different dns domain name and kerberos domain.
>>> you must change that.. etc..
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: olol13.samba at the-1337.org
>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>>>> Sent: Friday 20 March 2015 0:04
>>>> To: Peter Serbe; samba at lists.samba.org; Rowland Penny -
>>>> repenny241155 at gmail.com
>>>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>>>> samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>>>> (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>>>> contact any KDC for requested realm)
>>>>
>>>> Ok, I set up a new machine with Debian Jessie and checked and installed
>>>> everything from OS requirements in the wiki (
>>>> https://wiki.samba.org/index.php/OS_Requirements ).
>>>> The only thing I was unsure about, was which hostname to enter for Kerberos
>>>> Server and Kerberos admin server when asked during the installation of the
>>>> packages...I used krb.intranet.mayweg.net.
>>>> Now, after the classicupgrade kinit isn't working anymore...I get the same
>>>> error I get when trying samba_dnsupdate:
>>>> kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' while getting
>>>> initial credentials.
>>>>
>>>> One step I did not do as stated in the wiki is configuring bind with
>>>> --with-gssapi=/usr/include/gssapi
>>>> --with-dlopen=yes.
>>>> Once again the dlopen driver seems to work in this version, but I have no
>>>> idea about the first part. Should I build bind myself with the first option?
>>>> @Rowland, did you have a working bind installation before you
>>>> upgraded/provisioned your domain?
>>>>
>>>> @Peter There is no file called namedb in /etc/bind, but the whole folder is
>>>> writeable for user bind.
>>>>
>>>> My configs, now mostly adapted from Rowland's working configuration are:
>>>>
>>>> /etc/network/interfaces:
>>>> auto lo
>>>> iface lo inet loopback
>>>>
>>>> auto eth0
>>>> iface eth0 inet static
>>>>         address         192.168.11.250
>>>>         network         192.168.11.0
>>>>         netmask         255.255.255.0
>>>>         broadcast       192.168.11.255
>>>>
>>>> /etc/hosts:
>>>> 127.0.0.1       localhost
>>>> 192.168.11.250  server06.intranet.mayweg.net    server06  krb
>>>>
>>>> # The following lines are desirable for IPv6 capable hosts
>>>> ::1     localhost ip6-localhost ip6-loopback
>>>> ff02::1 ip6-allnodes
>>>> ff02::2 ip6-allrouters
>>>>
>>>> /etc/resolv.conf:
>>>> nameserver 127.0.0.1
>>>> domain intranet.mayweg.net
>>>>
>>>> /etc/bind/named.conf:
>>>> include "/etc/bind/named.conf.options";
>>>> include "/etc/bind/named.conf.local";
>>>> include "/etc/bind/named.conf.default-zones";
>>>> include "/var/lib/samba/private/named.conf";
>>>>
>>>> /etc/bind/named.conf.options:
>>>> options {
>>>> directory "/var/cache/bind";
>>>> dnssec-validation no;
>>>> auth-nxdomain no;    # conform to RFC1035
>>>> listen-on-v6 { any; };
>>>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>> };
>>>>
>>>> /var/lib/samba/private/named.conf:
>>>>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>>>
>>>> /etc/krb5.conf:
>>>> [libdefaults]
>>>> default_realm = INTRANET.MAYWEG.NET
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> /etc/samba/smb.conf:
>>>> # Global parameters
>>>> [global]
>>>> workgroup = MAYWEG.NET
>>>> realm = INTRANET.MAYWEG.NET
>>>> netbios name = SERVER06
>>>> interfaces = lo, eth0
>>>> bind interfaces only = Yes
>>>> server role = active directory domain controller
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> [netlogon]
>>>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /var/lib/samba/sysvol
>>>> read only = No
>>>>
>>>>
>>>> On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>>>>
>>>>>
>>>>> Timo Altun schrieb am 19.03.2015 10:30:
>>>>>
>>>>>> As I wrote in my first mail, Kerberos does work. I can successfully
>>>>>> request and list a ticket on the AD DC.
>>>>> OK, then next things, which come to my mind are:
>>>>> is the keytab, you set in named.conf.options readable
>>>>> for the user, under which bind is run.
>>>>>
>>>>> Then, is the /etc/bind/namedb writable for bind.
>>>>>
>>>>> And in the end, it might be a screwed up installation.
>>>>> I had troubles with dynamic updates a long time ago,
>>>>> when it turned out, that I screwed something up during
>>>>> the installation.
>>>>>
>>>>> HTH
>>>>> - Peter
>>>>>
>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>
>Can you post the smb.conf from the linux fileserver
>
>Rowland
>
>
>
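The check script at the top of this message greps the output of host(1) for "not found" and reports everything else as "ok". As an added example (not code from the list post or from the Samba project), the script below classifies what host(1) actually printed instead, so that a resolver that cannot be reached at all (the situation when /etc/resolv.conf still points at 127.0.0.1 with no listening DNS) is reported as "unreachable" rather than "ok". It also pulls the KDC names out of the _kerberos._udp SRV answer and checks that each of them has an A record, since kinit needs both. The sample outputs embedded in it are constructed in host(1)'s format using the domain and server names from this thread; they are not captured from the poster's servers.

```shell
#!/bin/sh
# Added example: stricter version of the SRV/A-record check from the post.
# The original grep for "not found" treats a resolver timeout as success;
# these helpers classify the raw host(1) text instead, so they can be
# exercised offline on constructed output.

# Classify the output of one host(1) query.
# Prints: ok | nxdomain | unreachable | error
classify_host_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -qE 'has SRV record|has address|has IPv6 address'; then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'not found'; then
        echo nxdomain
    elif printf '%s\n' "$out" | grep -qE 'no servers could be reached|connection timed out'; then
        echo unreachable
    else
        echo error
    fi
}

# Extract the SRV target hostnames (the KDCs / LDAP servers the realm
# advertises) from host(1) output, one per line, without the trailing dot.
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Live check against the resolver in /etc/resolv.conf. Every KDC named in
# the _kerberos._udp SRV record must itself resolve, or kinit still fails
# with "Cannot contact any KDC" even though the SRV lookup succeeded.
live_check() {
    domain=$(hostname -d)
    fqdn=$(hostname -f)
    for rr in _ldap._tcp _kerberos._udp _kerberos._tcp; do
        result=$(host -t SRV "${rr}.${domain}." 2>&1)
        echo "SRV ${rr}.${domain}: $(classify_host_output "$result")"
    done
    kdcs=$(srv_targets "$(host -t SRV "_kerberos._udp.${domain}." 2>&1)")
    for kdc in $kdcs; do
        echo "A ${kdc}: $(classify_host_output "$(host -t A "${kdc}." 2>&1)")"
    done
    echo "A ${fqdn}: $(classify_host_output "$(host -t A "${fqdn}." 2>&1)")"
}

# Constructed sample outputs in host(1)'s format (not captured from the
# poster's servers), used to exercise the classifier without network access.
SAMPLE_OK='_kerberos._udp.intranet.mayweg.net has SRV record 0 100 88 server06.intranet.mayweg.net.'
SAMPLE_NX='Host _kerberos._udp.intranet.mayweg.net not found: 3(NXDOMAIN)'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "sample ok      -> $(classify_host_output "$SAMPLE_OK")"
    echo "sample nx      -> $(classify_host_output "$SAMPLE_NX")"
    echo "sample timeout -> $(classify_host_output "$SAMPLE_TIMEOUT")"
    echo "KDC from SRV   -> $(srv_targets "$SAMPLE_OK")"
fi
```

Run it without arguments to see the classifier on the constructed samples, or with `--live` on the domain member to query the resolver it is actually configured with; an "unreachable" result on every record points at /etc/resolv.conf rather than at missing DNS entries.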


