[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

Rowland Penny rowlandpenny at googlemail.com
Fri Mar 20 05:23:57 MDT 2015


On 20/03/15 11:13, Timo Altun wrote:
> Hi guys,
>
> thanks again for the quick answers. First, the smb.conf on the linux
> fileserver. It is quite long, as I took the old file (working version from
> samba3 configuration) and only made adjustments, like adding the realm.
>
> /etc/samba/smb.conf:
> [global]
> ### Browsing/Identification ###
>
>     workgroup = MAYWEG.NET
>     realm = INTRANET.MAYWEG.NET
>     netbios name = server13
>     smb ports = 139, 445
>     hosts allow = 127. 192.168.11.
>     interfaces = eth0 lo
>     server string = SAMBA Fileserver
>     wins support = no
>     wins server = 192.168.11.250
>     name resolve order = host wins lmhosts bcast
>
>          idmap uid = 15000-25000
>          idmap gid = 15000-25000
>          winbind enum users = yes
>          winbind enum groups = yes
>          template homedir = /home/%U
>          template shell = /bin/bash
>          winbind use default domain = yes
> winbind offline logon = true
> winbind cache time = 15
>
> #### Debugging/Accounting ####
>
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>
>     security = domain
>     encrypt passwords = true
>     passdb backend = tdbsam
>     obey pam restrictions = yes
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>     pam password change = yes
>
> ########## Printing ##########
>
>     load printers = yes
>     printing = cups
>     printcap name = cups
>
> ############ Misc ############
>
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     restrict anonymous = no
>     domain master = no
>     local master = yes
>     preferred master = no
>     password server = 192.168.11.250
>     server signing = disabled
>     display charset = ISO8859-15
>     unix charset = ISO8859-15
>     dos charset = CP1250
>     read raw = yes
>     write raw = yes
>     oplocks = yes
>     level2oplocks = no
>     fake oplocks = no
>     debug level = 2
>     getwd cache = yes
>     keepalive = 30
>
> [sda1]
>     comment = Laufwerk sda1 von Server13
>     path = /
>     valid users = administrator
>     admin users = administrator
>     read list =
>     invalid users =
>     case sensitive = no
> ;  msdfs proxy = no
>     read only = no
>     writable = yes
>     create mask = 0775
>     directory mask = 0775
>
> Thanks for the dnstest script Louis, the output on the DC is:
> ==========Test DNS Records  ===============================
> Testing : dns entries
> testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
> testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
> testing of : host -t A server06.intranet.mayweg.net. : ok
>
> On server13, the linux client:
> ==========Test DNS Records  ===============================
> Testing : dns entries
> testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
> testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
> testing of : host -t A server13.intranet.mayweg.net. : FAILED
>
> The fixing part does not work on server13, as samba-tools (and maybe other
> packages) are not installed. I'll try to install the missing parts and will
> try again.
> Am I right though, that as a domain member this should have worked
> automatically for the machine? When joining the domain using net ads join on
> server13 it does still give me "DNS update failed!".
>
> Greetings,
> Timo
>
>
>
>
> On 20 March 2015 at 11:01, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>> can you run these commands and tell us the output.
>> ( copy paste it. )
>>
>> # Derive the host's names and address from the system hostname
>> SETFQDN=`hostname -f`
>> SETDNSDOMAIN=`hostname -d`
>> SETHOSTNAME=`hostname -s`
>> SETSERVERIP=`hostname -i`
>> echo "==========Test DNS Records  ==============================="
>> echo "Testing : dns entries"
>> # AD members locate LDAP and the KDC through these two SRV records
>> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>>      echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>> else
>>      echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>> fi
>> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>>      echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok"
>> else
>>      echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED"
>> fi
>> # The host's own A record; if it is missing, add it with samba-tool
>> if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>>      echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok"
>> else
>>      echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED"
>>      echo "trying to fix it now: "
>>      samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${SETDNSDOMAIN} ${SETHOSTNAME} A ${SETSERVERIP}
>> fi
>>
>>
>>
>>> -----Original message-----
>>> From: rowlandpenny at googlemail.com
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>> Sent: Friday 20 March 2015 10:21
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>>> samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>>> (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>>> contact any KDC for requested realm)
>>>
>>> On 20/03/15 09:02, Timo Altun wrote:
>>>> Thank you Louis for that answer! Actually I did get kinit and
>>>> samba_dnsupdate working, though I am unsure how. I tried some changes to
>>>> krb5.conf in the [realms] and [domain_realm] sections, as well as
>>>> setting dns_lookup_realm = false to true, but reverted it all back to the
>>>> initial file:
>>>>
>>>> [libdefaults]
>>>> default_realm = INTRANET.MAYWEG.NET
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> After a reboot, both kinit and samba_dnsupdate worked on the host machine.
>>>> Shares can be accessed, RSAT tools are working. From the linux fileserver
>>>> nslookup and ping work for hostnames of domainmembers, dig command does not
>>>> get an answer. The windows machines can nslookup and ping everything but
>>>> the linux machine. Somehow it did not generate an entry in the DNS Server.
>>>> Is this normal behavior for linux domain members and I need to create the
>>>> DNS entry manually or is something still amiss?
>>>>
>>>> Greetings and thanks for the help so far,
>>>> Timo
>>>>
>>>>
>>>> On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>>
>>>>> Try change your resolv.conf from :
>>>>>> nameserver 127.0.0.1
>>>>>> domain intranet.mayweg.net
>>>>> to
>>>>> nameserver 192.168.11.250
>>>>> search intranet.mayweg.net
>>>>>
>>>>>> The only thing I was unsure about, was which hostname to enter
>>>>>> for Kerberos
>>>>>> Server and Kerberos admin server when asked during the
>>>>>> installation of the
>>>>>> packages..
>>>>> Try these default settings for kerberos..
>>>>> You didn't have to enter the hostname, Only the default kerberos Domain
>>>>> name is needed.
>>>>>
>>>>> a copy paste for you.
>>>>>
>>>>>       echo "krb5-config     krb5-config/add_servers_realm     string INTRANET.MAYWEG.NET" | debconf-set-selections
>>>>>       echo "krb5-config     krb5-config/read_conf   boolean true" | debconf-set-selections
>>>>>       echo "krb5-config     krb5-config/kerberos_servers string " | debconf-set-selections
>>>>>       echo "krb5-config     krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>>>>>       echo "krb5-config     krb5-config/add_servers boolean false" | debconf-set-selections
>>>>>       echo "krb5-config     krb5-config/admin_server string " | debconf-set-selections
>>>>>       echo "krb5-config     krb5-config/dns_for_default boolean true" | debconf-set-selections
>>>>>       dpkg-reconfigure -plow krb5-config
>>>>>
>>>>> and if you want to point to a kerberos server.
>>>>>       echo "krb5-config     krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections
>>>>>
>>>>> but its not needed, man krb5.conf tells you enough.
>>>>>
>>>>> after the changes, type:
>>>>> host -t SRV _kerberos._udp.intranet.mayweg.net
>>>>> if you get not found, then we need to analyze more.
>>>>>
>>>>>
>>>>>
>>>>> If you want to start with a "Clean server"
>>>>> just have a look here.
>>>>>
>>>>> https://secure.bazuin.nl/scripts/
>>>>>
>>>>> I added 2 simple scripts. a debian wheezy backported and debian jessie
>>>>> script.
>>>>> The Jessie script is basically the wheezy backported version, but without
>>>>> the backports repo.
>>>>> It's a set with minimal changes to the system, and uses the defaults there
>>>>> where possible.
>>>>>
>>>>> If you look in the script,
>>>>> these settings MUST be set.
>>>>> Settings you must change are :
>>>>>
>>>>> NTPD_SERVER1_EXTERNAL
>>>>> NTPD_RESTRICT_INTERFACE ( if you don't have an eth0 )
>>>>> BIND9_NETWORKS
>>>>> SAMBA_DC1_IP
>>>>> SAMBA_NT_DOMAIN
>>>>> SAMBA_SITE_NAME
>>>>>
>>>>> optional:
>>>>> SAMBA_PASS_POLICY_CHANGE
>>>>> SAMBA_TEMPLATE_HOMEDIR
>>>>> SAMBA_TEMPLATE_SHELL
>>>>>
>>>>>
>>>>> and as last :
>>>>> CONFIGURED
>>>>>
>>>>> All other options are optional.
>>>>> If you have a different dns domain name and kerberos domain,
>>>>> you must change that.. etc..
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: olol13.samba at the-1337.org
>>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>>>>>> Sent: Friday 20 March 2015 0:04
>>>>>> To: Peter Serbe; samba at lists.samba.org; Rowland Penny -
>>>>>> repenny241155 at gmail.com
>>>>>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>>>>>> samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>>>>>> (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>>>>>> contact any KDC for requested realm)
>>>>>>
>>>>>> Ok, I set up a new machine with Debian Jessie and checked and installed
>>>>>> everything from OS requirements in the wiki (
>>>>>> https://wiki.samba.org/index.php/OS_Requirements ).
>>>>>> The only thing I was unsure about, was which hostname to enter
>>>>>> for Kerberos
>>>>>> Server and Kerberos admin server when asked during the
>>>>>> installation of the
>>>>>> packages...I used krb.intranet.mayweg.net.
>>>>>> Now, after the classicupgrade kinit isn't working anymore...I
>>>>>> get the same
>>>>>> error I get when trying samba_dnsupdate:
>>>>>> kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET'
>>>>>> while getting
>>>>>> initial credentials.
>>>>>>
>>>>>> One step I did not do as stated in the wiki is configuring bind with
>>>>>> --with-gssapi=/usr/include/gssapi
>>>>>> --with-dlopen=yes.
>>>>>> Once again the dlopen driver seems to work in this version,
>>>>>> but I have no
>>>>>> idea about the first part. Should I build bind myself with the
>>>>>> first option?
>>>>>> @Rowland, did you have a working bind installation before you
>>>>>> upgraded/provisioned your domain?
>>>>>>
>>>>>> @Peter There is no file called namedb in /etc/bind, but the
>>>>>> whole folder is
>>>>>> writeable for user bind.
>>>>>>
>>>>>> My configs, now mostly adapted from Rowland's working
>>>>>> configuration are:
>>>>>> /etc/network/interfaces:
>>>>>> auto lo
>>>>>> iface lo inet loopback
>>>>>>
>>>>>> auto eth0
>>>>>> iface eth0 inet static
>>>>>>          address         192.168.11.250
>>>>>>          network         192.168.11.0
>>>>>>          netmask         255.255.255.0
>>>>>>          broadcast       192.168.11.255
>>>>>>
>>>>>> /etc/hosts:
>>>>>> 127.0.0.1       localhost
>>>>>> 192.168.11.250  server06.intranet.mayweg.net    server06  krb
>>>>>>
>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>> ::1     localhost ip6-localhost ip6-loopback
>>>>>> ff02::1 ip6-allnodes
>>>>>> ff02::2 ip6-allrouters
>>>>>>
>>>>>> /etc/resolv.conf:
>>>>>> nameserver 127.0.0.1
>>>>>> domain intranet.mayweg.net
>>>>>>
>>>>>> /etc/bind/named.conf:
>>>>>> include "/etc/bind/named.conf.options";
>>>>>> include "/etc/bind/named.conf.local";
>>>>>> include "/etc/bind/named.conf.default-zones";
>>>>>> include "/var/lib/samba/private/named.conf";
>>>>>>
>>>>>> /etc/bin/named.conf.options:
>>>>>> options {
>>>>>> directory "/var/cache/bind";
>>>>>> dnssec-validation no;
>>>>>> auth-nxdomain no;    # conform to RFC1035
>>>>>> listen-on-v6 { any; };
>>>>>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>>> };
>>>>>>
>>>>>> /var/lib/samba/private/named.conf:
>>>>>>      database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>>>>>
>>>>>> /etc/krb5.conf:
>>>>>> [libdefaults]
>>>>>> default_realm = INTRANET.MAYWEG.NET
>>>>>> dns_lookup_realm = false
>>>>>> dns_lookup_kdc = true
>>>>>>
>>>>>> /etc/samba/smb.conf:
>>>>>> # Global parameters
>>>>>> [global]
>>>>>> workgroup = MAYWEG.NET
>>>>>> realm = INTRANET.MAYWEG.NET
>>>>>> netbios name = SERVER06
>>>>>> interfaces = lo, eth0
>>>>>> bind interfaces only = Yes
>>>>>> server role = active directory domain controller
>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>
>>>>>> [netlogon]
>>>>>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>>>>>> read only = No
>>>>>>
>>>>>> [sysvol]
>>>>>> path = /var/lib/samba/sysvol
>>>>>> read only = No
>>>>>>
>>>>>>
>>>>>> On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>>>>>>
>>>>>>> Timo Altun schrieb am 19.03.2015 10:30:
>>>>>>>
>>>>>>>> As I wrote in my first mail, Kerberos does work. I can successfully
>>>>>>>> request and list a ticket on the AD DC.
>>>>>>> OK, then next things, which come to my mind are:
>>>>>>> is the keytab, you set in named.conf.options readable
>>>>>>> for the user, under which bind is run.
>>>>>>>
>>>>>>> Then, is the /etc/bind/namedb writable for bind.
>>>>>>>
>>>>>>> And in the end, it might be a screwed up installation.
>>>>>>> I had troubles with dynamic updates a long time ago,
>>>>>>> when it turned out, that I screwed something up during
>>>>>>> the installation.
>>>>>>>
>>>>>>> HTH
>>>>>>> - Peter
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>>>>
>>> Can you post the smb.conf from the linux fileserver?
>>>
>>> Rowland
>>>
>>>
>>>
>>

OK, too much wrong in that smb.conf to mention, go and have a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
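
Rowland does not spell out what is wrong with the posted smb.conf. As an added example (not from the thread and not Samba project code), below is a small checker for a few of the best-known AD member requirements that file misses: security = ads, the idmap config * : range form instead of the old global idmap uid/gid, and no pinned password server (DCs are found via the DNS SRV records the dnstest script checks). The sample smb.conf is constructed from the fileserver file in the thread, condensed to the lines that matter.

```python
import re

# Constructed sample: the [global] shape of the fileserver smb.conf from the
# thread, condensed to the lines the checks below look at.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = MAYWEG.NET
    realm = INTRANET.MAYWEG.NET
    security = domain
    idmap uid = 15000-25000
    idmap gid = 15000-25000
    password server = 192.168.11.250
;   msdfs proxy = no
[sda1]
    path = /
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lowercased, '#'/';' comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def lint_ad_member(conf):
    """List [global] settings that are wrong or missing for an AD domain member."""
    g = conf.get("global", {})
    findings = []
    # An AD member authenticates via Kerberos/LDAP, which needs security = ads
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for an AD member (found %r)" % g.get("security"))
    # The old global idmap uid/gid ranges were replaced by idmap config * : range
    for old in ("idmap uid", "idmap gid"):
        if old in g:
            findings.append("%s is obsolete; use 'idmap config * : range'" % old)
    if "idmap config * : range" not in g:
        findings.append("no 'idmap config * : range' set for the default idmap domain")
    # Pinning one DC bypasses the DNS SRV lookup that Kerberos relies on
    if "password server" in g:
        findings.append("password server is set; remove it and let DNS SRV records find the DCs")
    return findings
```

Run `lint_ad_member(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a member to get the list; an empty list means only that these particular checks pass.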


