[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)

Rowland Penny rowlandpenny at googlemail.com
Fri Mar 20 09:00:33 MDT 2015


On 20/03/15 14:49, Timo Altun wrote:
> Ok, I setup a new smb.conf and rebooted. Winbind doesn't seem to pass 
> on the domain users anymore and the DNS Update during domain join 
> still fails.
> For some reason, although I have all samba 3.5.6. packages installed 
> on this debian squeeze samba -V or samba-tool are unknown commands.
> Maybe this is why the dns update fails, some missing tools or commands?

Getting a bit lost now, I am sure that you were using Jessie ??
>
> wbinfo -u and wbinfo -g return domain users and groups correctly, 
> getent passwd and getent group do not (did before the smb.conf changes).

Do your users in AD have a uidNumber that is inside the range 
10000-999999, also does Domain Users (at least) have a gidNumber inside 
the same range ?

>
> The bigger problem right now is the dns record for server13...for the 
> user accounts I could always go back to the old and ugly smb.conf ;)
> Will try to add/exchange some lines to create a working minimal 
> configuration.
> I added the rather simple hosts and resolv.conf files of server13 as well.
>
> The new smb.conf:
> [global]
>
>    netbios name = server13
>    workgroup = MAYWEG.NET
>    security = ADS
>    realm = INTRANET.MAYWEG.NET
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-9999
>    idmap config MAYWEG.NET:backend = ad
>    idmap config MAYWEG.NET:schema_mode = rfc2307
>    idmap config MAYWEG.NET:range = 10000-99999
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>
> [sda1]
>    comment = Laufwerk sda1 von Server13
>    path = /
>    valid users = administrator
>    admin users = administrator
>    read list =
>    invalid users =
>    case sensitive = no
> ;  msdfs proxy = no
>    read only = no
>    writable = yes
>    create mask = 0775
>    directory mask = 0775
>
> /etc/network/resolv.conf:
> search intranet.mayweg.net
> nameserver 192.168.11.250
>
> /etc/hosts:
> 127.0.0.1       localhost.intranet.mayweg.net localhost
> 192.168.11.141  server13.intranet.mayweg.net server13

The top line should be '127.0.0.1    localhost.localdomain localhost'

What is in /etc/krb5.conf? It should be:

[libdefaults]
      default_realm =  INTRANET.MAYWEG.NET
      dns_lookup_realm = false
      dns_lookup_kdc = true


Rowland

>
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
> On 20 March 2015 at 12:23, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>     On 20/03/15 11:13, Timo Altun wrote:
>
>         Hi guys,
>
>         thanks again for the quick answers. First, the smb.conf on the
>         linux fileserver. It is quite long, as I took the old file (working
>         version from samba3 configuration) and only made adjustments, like
>         adding the realm.
>
>         /etc/samba/smb.conf:
>         [global]
>         ### Browsing/Identification ###
>
>             workgroup = MAYWEG.NET
>             realm = INTRANET.MAYWEG.NET
>             netbios name = server13
>             smb ports = 139, 445
>             hosts allow = 127. 192.168.11.
>             interfaces = eth0 lo
>             server string = SAMBA Fileserver
>             wins support = no
>             wins server = 192.168.11.250
>             name resolve order = host wins lmhosts bcast
>
>                  idmap uid = 15000-25000
>                  idmap gid = 15000-25000
>                  winbind enum users = yes
>                  winbind enum groups = yes
>                  template homedir = /home/%U
>                  template shell = /bin/bash
>                  winbind use default domain = yes
>         winbind offline logon = true
>         winbind cache time = 15
>
>         #### Debugging/Accounting ####
>
>             log file = /var/log/samba/log.%m
>             max log size = 1000
>             syslog = 0
>             panic action = /usr/share/samba/panic-action %d
>
>         ####### Authentication #######
>
>             security = domain
>             encrypt passwords = true
>             passdb backend = tdbsam
>             obey pam restrictions = yes
>             unix password sync = yes
>             passwd program = /usr/bin/passwd %u
>             passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>             pam password change = yes
>
>         ########## Printing ##########
>
>             load printers = yes
>             printing = cups
>             printcap name = cups
>
>         ############ Misc ############
>
>             socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>             restrict anonymous = no
>             domain master = no
>             local master = yes
>             preferred master = no
>             password server = 192.168.11.250
>             server signing = disabled
>             display charset = ISO8859-15
>             unix charset = ISO8859-15
>             dos charset = CP1250
>             read raw = yes
>             write raw = yes
>             oplocks = yes
>             level2oplocks = no
>             fake oplocks = no
>             debug level = 2
>             getwd cache = yes
>             keepalive = 30
>
>         [sda1]
>             comment = Laufwerk sda1 von Server13
>             path = /
>             valid users = administrator
>             admin users = administrator
>             read list =
>             invalid users =
>             case sensitive = no
>         ;  msdfs proxy = no
>             read only = no
>             writable = yes
>             create mask = 0775
>             directory mask = 0775
>
>         Thanks for the dnstest script Louis, the output on the DC is:
>         ==========Test DNS Records ===============================
>         Testing : dns entries
>         testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
>         testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
>         testing of : host -t A server06.intranet.mayweg.net. : ok
>
>         On server13, the linux client:
>         ==========Test DNS Records ===============================
>         Testing : dns entries
>         testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
>         testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
>         testing of : host -t A server13.intranet.mayweg.net. : FAILED
>
>         The fixing part does not work on server13, as samba-tools (and
>         maybe other packages) are not installed. I'll try to install the
>         missing parts and will try again.
>         Am I right though, that as a domain member this should have worked
>         automatically for the machine? When joining the domain using net
>         ads join on server13 it does still give me "DNS update failed!".
>
>         Greetings,
>         Timo
>
>
>
>
>         On 20 March 2015 at 11:01, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>             can you run these commands and tell us the output.
>             ( copy paste it. )
>
>             SETFQDN=$(hostname -f)
>             SETDNSDOMAIN=$(hostname -d)
>             SETHOSTNAME=$(hostname -s)
>             SETSERVERIP=$(hostname -i)
>             echo "==========Test DNS Records ==============================="
>             echo "Testing : dns entries"
>             # SRV record a domain member uses to locate an LDAP server (a DC)
>             if [ -z "$(host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found')" ]; then
>                  echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>             else
>                  echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>             fi
>             # SRV record kinit uses to locate a KDC for the realm
>             if [ -z "$(host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep 'not found')" ]; then
>                  echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok"
>             else
>                  echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED"
>             fi
>             # A record of this host; when it is missing, add it with samba-tool
>             if [ -z "$(host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep 'not found')" ]; then
>                  echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok"
>             else
>                  echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED"
>                  echo "trying to fix it now: "
>                  samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${SETDNSDOMAIN} ${SETHOSTNAME} A ${SETSERVERIP}
>             fi
>
>
>
>                 -----Original message-----
>                 From: rowlandpenny at googlemail.com
>                 [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>                 Sent: Friday 20 March 2015 10:21
>                 To: samba at lists.samba.org
>                 Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>                 samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>                 (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>                 contact any KDC for requested realm)
>
>                 On 20/03/15 09:02, Timo Altun wrote:
>
>                     Thank you Louis for that answer! Actually I did get kinit and
>                     samba_dnsupdate working, though I am unsure how. I tried
>                     some changes to krb5.conf in the [realms] and [domain_realm]
>                     sections, as well as setting dns_lookup_realm = false to true,
>                     but reverted it all back to the initial file:
>
>                     [libdefaults]
>                     default_realm = INTRANET.MAYWEG.NET
>                     dns_lookup_realm = false
>                     dns_lookup_kdc = true
>
>                     After a reboot, both kinit and samba_dnsupdate worked on the
>                     host machine.
>
>                     Shares can be accessed, RSAT tools are working. From the
>                     linux fileserver nslookup and ping work for hostnames of
>                     domainmembers, dig command does not get an answer. The
>                     windows machines can nslookup and ping everything but the
>                     linux machine. Somehow it did not generate an entry in the
>                     DNS Server.
>
>                     Is this normal behavior for linux domain members and I need
>                     to create the DNS entry manually or is something still amiss?
>
>                     Greetings and thanks for the help so far,
>                     Timo
>
>
>                     On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>                         Try changing your resolv.conf from :
>
>                             nameserver 127.0.0.1
>                             domain intranet.mayweg.net
>
>                         to
>                         nameserver 192.168.11.250
>                         search intranet.mayweg.net
>
>                             The only thing I was unsure about, was which hostname to enter
>                             for Kerberos Server and Kerberos admin server when asked during the
>                             installation of the packages..
>
>                         Try these default settings for kerberos..
>                         You didn't have to enter the hostname, only the
>                         default kerberos Domain name is needed.
>
>                         a copy paste for you.
>
>                         echo "krb5-config krb5-config/add_servers_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>                         echo "krb5-config krb5-config/read_conf boolean true" | debconf-set-selections
>                         echo "krb5-config krb5-config/kerberos_servers string " | debconf-set-selections
>                         echo "krb5-config krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>                         echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
>                         echo "krb5-config krb5-config/admin_server string " | debconf-set-selections
>                         echo "krb5-config krb5-config/dns_for_default boolean true" | debconf-set-selections
>                         # -plow: re-ask even the low-priority questions so the answers above are applied
>                         dpkg-reconfigure -plow krb5-config
>
>                         and if you want to point to a kerberos server.
>                         echo "krb5-config krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections
>
>                         but it's not needed, man krb5.conf tells you enough.
>
>                         after the changes, type:
>                         host -t SRV _kerberos._udp.intranet.mayweg.net
>                         if you get not found, then we need to analyze more.
>
>
>
>                         If you want to start with a "Clean server"
>                         just have a look here.
>
>                         https://secure.bazuin.nl/scripts/
>
>                         I added 2 simple scripts. a debian wheezy backported and
>                         debian jessie script.
>                         The Jessie script is basically the wheezy backported version,
>                         but without the backports repo.
>                         It's a set with minimal changes to the system, and use the
>                         defaults there where possible.
>
>                         If you look in the script,
>                         these settings MUST be set.
>                         Settings you must change are :
>
>                         NTPD_SERVER1_EXTERNAL
>                         NTPD_RESTRICT_INTERFACE ( if you don't have an eth0 )
>                         BIND9_NETWORKS
>                         SAMBA_DC1_IP
>                         SAMBA_NT_DOMAIN
>                         SAMBA_SITE_NAME
>
>                         optional:
>                         SAMBA_PASS_POLICY_CHANGE
>                         SAMBA_TEMPLATE_HOMEDIR
>                         SAMBA_TEMPLATE_SHELL
>
>
>                         and as last :
>                         CONFIGURED
>
>                         All other options are optional.
>                         If you have a different dns domain name and
>                         kerberos domain.
>                         you must change that.. etc..
>
>                         Greetz,
>
>                         Louis
>
>
>
>                             -----Original message-----
>                             From: olol13.samba at the-1337.org
>                             [mailto:samba-bounces at lists.samba.org]
>                             On behalf of Timo Altun
>                             Sent: Friday 20 March 2015 0:04
>                             To: Peter Serbe; samba at lists.samba.org; Rowland
>                             Penny - repenny241155 at gmail.com
>                             Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>                             samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>                             (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>                             contact any KDC for requested realm)
>
>                             Ok, I setup a new machine with Debian Jessie and checked
>                             and installed everything from OS requirements in the wiki (
>                             https://wiki.samba.org/index.php/OS_Requirements ).
>                             The only thing I was unsure about, was which hostname to enter
>                             for Kerberos Server and Kerberos admin server when asked during the
>                             installation of the packages...I used krb.intranet.mayweg.net.
>                             Now, after the classicupgrade kinit isn't working anymore...I
>                             get the same error I get when trying samba_dnsupdate:
>                             kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET'
>                             while getting initial credentials.
>
>                             One step I did not do as stated in the wiki is configuring
>                             bind with --with-gssapi=/usr/include/gssapi --with-dlopen=yes.
>                             Once again the dlopen driver seems to work in this version,
>                             but I have no idea about the first part. Should I build
>                             bind myself with the first option?
>                             @Rowland, did you have a working bind installation before you
>                             upgraded/provisioned your domain?
>
>                             @Peter There is no file called namedb in /etc/bind, but the
>                             whole folder is writable for user bind.
>
>                             My configs, now mostly adapted from Rowland's working
>                             configuration are:
>
>                             /etc/network/interfaces:
>                             auto lo
>                             iface lo inet loopback
>
>                             auto eth0
>                             iface eth0 inet static
>                                      address         192.168.11.250
>                                      network         192.168.11.0
>                                      netmask         255.255.255.0
>                                      broadcast       192.168.11.255
>
>                             /etc/hosts:
>                             127.0.0.1       localhost
>                             192.168.11.250  server06.intranet.mayweg.net  server06  krb
>
>                             # The following lines are desirable for IPv6 capable hosts
>                             ::1     localhost ip6-localhost ip6-loopback
>                             ff02::1 ip6-allnodes
>                             ff02::2 ip6-allrouters
>
>                             /etc/resolv.conf:
>                             nameserver 127.0.0.1
>                             domain intranet.mayweg.net
>
>                             /etc/bind/named.conf:
>                             include "/etc/bind/named.conf.options";
>                             include "/etc/bind/named.conf.local";
>                             include "/etc/bind/named.conf.default-zones";
>                             include "/var/lib/samba/private/named.conf";
>
>                             /etc/bin/named.conf.options:
>                             options {
>                             directory "/var/cache/bind";
>                             dnssec-validation no;
>                             auth-nxdomain no;    # conform to RFC1035
>                             listen-on-v6 { any; };
>                             tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>                             };
>
>                             /var/lib/samba/private/named.conf:
>                                  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>
>                             /etc/krb5.conf:
>                             [libdefaults]
>                             default_realm = INTRANET.MAYWEG.NET
>                             dns_lookup_realm = false
>                             dns_lookup_kdc = true
>
>                             /etc/samba/smb.conf:
>                             # Global parameters
>                             [global]
>                             workgroup = MAYWEG.NET
>                             realm = INTRANET.MAYWEG.NET
>                             netbios name = SERVER06
>                             interfaces = lo, eth0
>                             bind interfaces only = Yes
>                             server role = active directory domain controller
>                             server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>                             idmap_ldb:use rfc2307 = yes
>
>                             [netlogon]
>                             path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>                             read only = No
>
>                             [sysvol]
>                             path = /var/lib/samba/sysvol
>                             read only = No
>
>
>                             On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>
>                                 Timo Altun wrote on 19.03.2015 10:30:
>
>                                     As I wrote in my first mail, Kerberos does work. I can
>                                     successfully request and list a ticket on the AD DC.
>
>                                 OK, then next things, which come to my mind are:
>                                 is the keytab, you set in named.conf.options readable
>                                 for the user, under which bind is run.
>
>                                 Then, is the /etc/bind/namedb writable for bind.
>
>                                 And in the end, it might be a screwed up installation.
>                                 I had troubles with dynamic updates a long time ago,
>                                 when it turned out, that I screwed something up during
>                                 the installation.
>
>                                 HTH
>                                 - Peter
>
>
>                             --
>                             To unsubscribe from this list go to the
>                             following URL and read the
>                             instructions:
>                             https://lists.samba.org/mailman/options/samba
>
>
>
>                 Can you post the smb.conf from the linux fileserver
>
>                 Rowland
>
>
>
>
>
>     OK, too much wrong in that smb.conf to mention, go and have a look
>     here:
>
>     https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
>
>     Rowland
>
>
>


