[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
Timo Altun
olol13.samba at the-1337.org
Fri Mar 20 10:56:14 MDT 2015
On 20 March 2015 at 17:00, Rowland Penny <rowlandpenny at googlemail.com>
wrote:
> On 20/03/15 15:47, Timo Altun wrote:
>
>> I'm sorry it got confusing, changed the topic and I'll try to explain. I
>> am using Jessie on the DC. Server13 is a linux file server and domain
>> member, it is on squeeze. If possible, I do not want to upgrade it. The
>> problem here is, that it does not seem to generate a DNS record when
>> joining the domain and, after setting up the new smb.conf, the users aren't
>> passed on from winbind to the local authentication tools. It also caused
>> the single share I set up in the smb.conf to be inaccessible by user
>> administrator. Maybe something with the keytab file is not working.
>>
>
> You were confused :-D
And I most definitely still am :)
In general, am I right, that Kerberos is working as intended, when I am
able to get tickets?
Further, my old smb.conf used security = domain and no keytab...might this
be the reason for the winbind users not being transferred?
Maybe it's also necessary for DNS updates to have that part working.
>
>> Domain users have uidNumbers north of 10k, gidNumber are >20k. Doesn't
>> the classicupgrade function check if these are in order?
>> The errors in the /etc/hosts file were generated by my mail client. First
>> line is as you said Rowland.
>>
>
> As long as your uidNumbers and gidNumbers are inside '10000-999999', it
> should work, but there may be a problem because you are using squeeze with
> 3.5.6. As you do not want to upgrade squeeze, could you use backports? This
> will get you 3.6.6.
Would that help? I remember trying the backports, but it didn't go
smoothly. Is it normal on 3.5.6 that samba -V is an unknown command?
smbclient -V does work.
My intention of all this is to upgrade the current NT4 style domain to AD
with as few changes as possible besides the DC itself. There are just a
couple of other linux machines working as file servers, but most of them
are on squeeze. With only the installation/configuration of kerberos and
winbind I could get them to join the domain and have the old shares
working, but the DNS updates fail.
The windows clients don't even notice the new DC, which is perfect!
>
>
>> The krb5.conf was as long and ugly as the smb.conf, already cut most of
>> it, but your 3 line example configuration did not work fully. With the
>> following, getting kerberos tickets and the domain join are still working.
>>
>>
> It works for me on Linux Mint 17 (aka Ubuntu 14.04)
>
> What does 'pam-auth-update' show for authentication methods.
>
Unix authentication
Winbind NT/Active Directory authentication
LDAP Authentication
GNOME Keyring Daemon - Login keyring management
ConsoleKit Session Management
>
> Rowland
>
Thanks for the ongoing support!
>>
>> My krb5.conf:
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> [realms]
>> INTRANET.MAYWEG.NET = {
>> kdc = 192.168.11.250
>> admin_server = 192.168.11.250
>> default_domain = INTRANET.MAYWEG.NET
>> }
>>
>> [domain_realm]
>> .intranet.mayweg.net = INTRANET.MAYWEG.NET
>> intranet.mayweg.net = INTRANET.MAYWEG.NET
>>
>> On 20 March 2015 at 16:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>> On 20/03/15 14:49, Timo Altun wrote:
>>
>> OK, I set up a new smb.conf and rebooted. Winbind doesn't seem to pass
>> on the domain users anymore and the DNS update during domain join still
>> fails.
>> For some reason, although I have all samba 3.5.6 packages installed on
>> this debian squeeze, samba -V or samba-tool are unknown commands.
>> Maybe this is why the dns update fails, some missing tools or commands?
>>
>>
>> Getting a bit lost now, I am sure that you were using Jessie ??
>>
>>
>>
>> wbinfo -u and wbinfo -g return domain users and groups
>> correctly, getent passwd and getent group do not (did before
>> the smb.conf changes).
>>
>>
>> Do your users in AD have a uidNumber that is inside the range
>> 10000-999999, also does Domain Users (at least) have a gidNumber
>> inside the same range ?
>>
>> Yes, domain users have uidNumbers north of 10k, gidNumber are >20k.
>> Doesn't the classicupgrade function check if these are in order?
>>
>>
>>
>> The bigger problem right now is the dns record for
>> server13...for the user accounts I could always go back to the
>> old and ugly smb.conf ;)
>> Will try to add/exchange some lines to create a working
>> minimal configuration.
>> I added the rather simple hosts and resolv.conf files of
>> server13 as well.
>>
>> The new smb.conf:
>> [global]
>>
>> netbios name = server13
>> workgroup = MAYWEG.NET
>>
>> security = ADS
>> realm = INTRANET.MAYWEG.NET
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config MAYWEG.NET:backend = ad
>> idmap config MAYWEG.NET:schema_mode = rfc2307
>> idmap config MAYWEG.NET:range = 10000-99999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>> [sda1]
>> comment = Laufwerk sda1 von Server13
>> path = /
>> valid users = administrator
>> admin users = administrator
>> read list =
>> invalid users =
>> case sensitive = no
>> ; msdfs proxy = no
>> read only = no
>> writable = yes
>> create mask = 0775
>> directory mask = 0775
>>
>> /etc/network/resolv.conf:
>> search intranet.mayweg.net
>> nameserver 192.168.11.250
>>
>> /etc/hosts:
>> 127.0.0.1       localhost.intranet.mayweg.net localhost
>> 192.168.11.141  server13.intranet.mayweg.net server13
>>
>>
>> The top line should be '127.0.0.1 localhost.localdomain localhost'
>>
>> What is in /etc/krb5.conf ? it should be:
>>
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>>
>> Rowland
>>
>>
>> ::1 ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>>
>> On 20 March 2015 at 12:23, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>> On 20/03/15 11:13, Timo Altun wrote:
>>
>> Hi guys,
>>
>> thanks again for the quick answers. First, the smb.conf on the linux
>> fileserver. It is quite long, as I took the old file (working version
>> from samba3 configuration) and only made adjustments, like adding the
>> realm.
>>
>> /etc/samba/smb.conf:
>> [global]
>> ### Browsing/Identification ###
>>
>> workgroup = MAYWEG.NET
>> realm = INTRANET.MAYWEG.NET
>>
>>
>> netbios name = server13
>> smb ports = 139, 445
>> hosts allow = 127. 192.168.11.
>> interfaces = eth0 lo
>> server string = SAMBA Fileserver
>> wins support = no
>> wins server = 192.168.11.250
>> name resolve order = host wins lmhosts bcast
>>
>> idmap uid = 15000-25000
>> idmap gid = 15000-25000
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind use default domain = yes
>> winbind offline logon = true
>> winbind cache time = 15
>>
>> #### Debugging/Accounting ####
>>
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>>
>> ####### Authentication #######
>>
>> security = domain
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>> pam password change = yes
>>
>> ########## Printing ##########
>>
>> load printers = yes
>> printing = cups
>> printcap name = cups
>>
>> ############ Misc ############
>>
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> restrict anonymous = no
>> domain master = no
>> local master = yes
>> preferred master = no
>> password server = 192.168.11.250
>> server signing = disabled
>> display charset = ISO8859-15
>> unix charset = ISO8859-15
>> dos charset = CP1250
>> read raw = yes
>> write raw = yes
>> oplocks = yes
>> level2oplocks = no
>> fake oplocks = no
>> debug level = 2
>> getwd cache = yes
>> keepalive = 30
>>
>> [sda1]
>> comment = Laufwerk sda1 von Server13
>> path = /
>> valid users = administrator
>> admin users = administrator
>> read list =
>> invalid users =
>> case sensitive = no
>> ; msdfs proxy = no
>> read only = no
>> writable = yes
>> create mask = 0775
>> directory mask = 0775
>>
>> Thanks for the dnstest script Louis, the output on the DC is:
>> ==========Test DNS Records ===============================
>> Testing : dns entries
>> testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
>> testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
>> testing of : host -t A server06.intranet.mayweg.net. : ok
>>
>> On server13, the linux client:
>> ==========Test DNS Records ===============================
>> Testing : dns entries
>> testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
>> testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
>> testing of : host -t A server13.intranet.mayweg.net. : FAILED
>>
>> The fixing part does not work on server13, as samba-tool (and maybe
>> other packages) are not installed. I'll try to install the missing
>> parts and will try again.
>> Am I right though, that as a domain member this should have worked
>> automatically for the machine? When joining the domain using net ads
>> join on server13 it does still give me "DNS update failed!".
>>
>> Greetings,
>> Timo
>>
>>
>>
>>
>> On 20 March 2015 at 11:01, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>> can you run these commands and tell us the output.
>> ( copy paste it. )
>>
>> SETFQDN=`hostname -f`
>> SETDNSDOMAIN=`hostname -d`
>> SETHOSTNAME=`hostname -s`
>> SETSERVERIP=`hostname -i`
>> echo "==========Test DNS Records ==============================="
>> echo "Testing : dns entries"
>> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>> else
>>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>> fi
>> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok"
>> else
>>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED"
>> fi
>> if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>>     echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok"
>> else
>>     echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED"
>>     echo "trying to fix it now: "
>>     # the fix step needs samba-tool, so it only works when run on the DC itself
>>     samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${SETDNSDOMAIN} ${SETHOSTNAME} A ${SETSERVERIP}
>> fi
>>
>>
>>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Friday, 20 March 2015 10:21
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>> samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>> (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>> contact any KDC for requested realm)
>>
>> On 20/03/15 09:02, Timo Altun wrote:
>>
>> Thank you Louis for that answer! Actually I did get kinit and
>> samba_dnsupdate working, though I am unsure how. I tried some changes to
>> krb5.conf in the [realms] and [domain_realm] sections, as well as
>> setting dns_lookup_realm = false to true, but reverted it all back to
>> the initial file:
>>
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> After a reboot, both kinit and samba_dnsupdate worked on the host
>> machine.
>> Shares can be accessed, RSAT tools are working. From the linux
>> fileserver nslookup and ping work for hostnames of domain members, dig
>> command does not get an answer. The windows machines can nslookup and
>> ping everything but the linux machine. Somehow it did not generate an
>> entry in the DNS Server.
>> Is this normal behavior for linux domain members and I need to create
>> the DNS entry manually or is something still amiss?
>>
>> Greetings and thanks for the help so far,
>> Timo
>>
>>
>> On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>> Try change your resolv.conf from :
>>
>> nameserver 127.0.0.1
>> domain intranet.mayweg.net
>>
>> to
>> nameserver 192.168.11.250
>> search intranet.mayweg.net
>>
>> The only thing I was unsure about, was
>> which hostname to enter
>> for Kerberos
>> Server and Kerberos admin server when
>> asked during the
>> installation of the
>> packages..
>>
>> Try these default settings for kerberos..
>> You didn't have to enter the hostname, only the default kerberos domain
>> name is needed.
>>
>> a copy-paste for you.
>>
>> echo "krb5-config krb5-config/add_servers_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>> echo "krb5-config krb5-config/read_conf boolean true" | debconf-set-selections
>> echo "krb5-config krb5-config/kerberos_servers string " | debconf-set-selections
>> echo "krb5-config krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>> echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
>> echo "krb5-config krb5-config/admin_server string " | debconf-set-selections
>> echo "krb5-config krb5-config/dns_for_default boolean true" | debconf-set-selections
>> # -plow (priority low) re-asks every question, so the preseeded answers above get applied
>> dpkg-reconfigure -plow krb5-config
>>
>> and if you want to point to a kerberos server.
>> echo "krb5-config krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections
>>
>> but it's not needed, man krb5.conf tells you enough.
>>
>> after the changes, type:
>> host -t SRV _kerberos._udp.intranet.mayweg.net
>>
>> if you get not found, then we need to analyze more.
>>
>>
>>
>> If you want to start with a "Clean server" just have a look here.
>>
>> https://secure.bazuin.nl/scripts/
>>
>> I added 2 simple scripts, a debian wheezy backported and a debian
>> jessie script.
>> The Jessie script is basically the wheezy backported version, but
>> without the backports repo.
>> It's a set with minimal changes to the system, and uses the defaults
>> there where possible.
>>
>> If you look in the script, these settings MUST be set.
>> Settings you must change are :
>>
>> NTPD_SERVER1_EXTERNAL
>> NTPD_RESTRICT_INTERFACE ( if you don't have a eth0 )
>> BIND9_NETWORKS
>> SAMBA_DC1_IP
>> SAMBA_NT_DOMAIN
>> SAMBA_SITE_NAME
>>
>> optional:
>> SAMBA_PASS_POLICY_CHANGE
>> SAMBA_TEMPLATE_HOMEDIR
>> SAMBA_TEMPLATE_SHELL
>>
>> and as last :
>> CONFIGURED
>>
>> All other options are optional.
>> If you have a different dns domain name and kerberos domain, you must
>> change that.. etc..
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>> -----Original message-----
>> From: olol13.samba at the-1337.org
>> [mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>> Sent: Friday, 20 March 2015 0:04
>> To: Peter Serbe; samba at lists.samba.org; Rowland Penny -
>> repenny241155 at gmail.com
>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working.
>> samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError:
>> (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot
>> contact any KDC for requested realm)
>>
>> OK, I set up a new machine with Debian Jessie and checked and installed
>> everything from OS requirements in the wiki (
>> https://wiki.samba.org/index.php/OS_Requirements ).
>> The only thing I was unsure about, was which hostname to enter for
>> Kerberos Server and Kerberos admin server when asked during the
>> installation of the packages...I used krb.intranet.mayweg.net.
>> Now, after the classicupgrade kinit isn't working anymore...I get the
>> same error I get when trying samba_dnsupdate:
>> kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' while
>> getting initial credentials.
>>
>> One step I did not do as stated in the wiki is configuring bind with
>> --with-gssapi=/usr/include/gssapi --with-dlopen=yes.
>> Once again the dlopen driver seems to work in this version, but I have
>> no idea about the first part. Should I build bind myself with the first
>> option?
>> @Rowland, did you have a working bind installation before you
>> upgraded/provisioned your domain?
>>
>> @Peter There is no file called namedb in /etc/bind, but the whole
>> folder is writeable for user bind.
>>
>> My configs, now mostly adapted from Rowland's working configuration
>> are:
>>
>> /etc/network/interfaces:
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>> address 192.168.11.250
>> network 192.168.11.0
>> netmask 255.255.255.0
>> broadcast 192.168.11.255
>>
>> /etc/hosts:
>> 127.0.0.1 localhost
>> 192.168.11.250 server06.intranet.mayweg.net server06 krb
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> /etc/resolv.conf:
>> nameserver 127.0.0.1
>> domain intranet.mayweg.net
>>
>> /etc/bind/named.conf:
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> /etc/bind/named.conf.options:
>> options {
>> directory "/var/cache/bind";
>> dnssec-validation no;
>> auth-nxdomain no; # conform to RFC1035
>> listen-on-v6 { any; };
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> /var/lib/samba/private/named.conf:
>> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>
>> /etc/krb5.conf:
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> /etc/samba/smb.conf:
>> # Global parameters
>> [global]
>> workgroup = MAYWEG.NET
>> realm = INTRANET.MAYWEG.NET
>> netbios name = SERVER06
>> interfaces = lo, eth0
>> bind interfaces only = Yes
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>>
>> On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>>
>> Timo Altun wrote on 19.03.2015 10:30:
>>
>> As I wrote in my first mail, Kerberos does work. I can successfully
>> request and list a ticket on the AD DC.
>>
>> OK, then next things, which come to my mind are:
>> is the keytab, you set in named.conf.options readable for the user,
>> under which bind is run.
>>
>> Then, is the /etc/bind/namedb writable for bind.
>>
>> And in the end, it might be a screwed up installation.
>> I had troubles with dynamic updates a long time ago, when it turned out,
>> that I screwed something up during the installation.
>>
>> HTH
>> - Peter
>>
>>
>> --
>> To unsubscribe from this list go
>> to the
>> following URL and read the
>> instructions:
>> https://lists.samba.org/mailman/options/samba
>>
>>
>>
>> Can you post the smb.conf from the linux
>> fileserver
>>
>> Rowland
>>
>>
>>
>>
>>
>> OK, too much wrong in that smb.conf to mention, go and
>> have a look
>> here:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>>
>> Rowland
>>
>>
>>
>>
>>
>>
>>
>
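The idmap question Rowland raises in the thread (uidNumber and gidNumber must sit inside the domain's `idmap config` range, and the ranges must not collide, otherwise `wbinfo -u` lists the users while `getent passwd` shows nothing) can be checked mechanically before rebooting winbind again. The script below is an added example, not code from the thread or from the Samba project. It parses the idmap lines of the member-server smb.conf posted above; the account names and uidNumber/gidNumber values it checks are constructed for the example (the first two follow what the poster described, uid above 10000 and gid above 20000, the rest are deliberately out of range), and `SAMPLE_USERS`, `parse_idmap`, `range_problems` and `unmapped_entries` are names chosen here.

```python
import re

# [global] idmap lines of the member-server smb.conf posted in the thread
# (share section omitted; it does not affect idmap).
SMB_CONF = """
[global]
netbios name = server13
workgroup = MAYWEG.NET
security = ADS
realm = INTRANET.MAYWEG.NET
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MAYWEG.NET:backend = ad
idmap config MAYWEG.NET:schema_mode = rfc2307
idmap config MAYWEG.NET:range = 10000-99999
winbind nss info = rfc2307
"""

# Constructed (name, uidNumber, gidNumber of the primary group); not from the
# thread.  The last three show the cases the check is meant to catch.
SAMPLE_USERS = [
    ("timo", 15001, 20001),
    ("administrator", 15000, 20000),
    ("legacy", 9001, 20001),      # uidNumber below the ad range
    ("service", 150000, 20001),   # uidNumber above the ad range
    ("nogid", 15002, 513),        # primary group without an rfc2307 gid in range
]

_IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}} from smb.conf text."""
    out = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        entry = out.setdefault(m.group("dom").upper(), {})
        if m.group("key").lower() == "backend":
            entry["backend"] = m.group("val").lower()
        else:
            low, high = (int(x) for x in re.split(r"\s*-\s*", m.group("val"), maxsplit=1))
            entry["range"] = (low, high)
    return out


def range_problems(idmap):
    """Structural checks: a '*' default must exist, every domain needs a sane
    range, and no two ranges may overlap (overlaps make an ID ambiguous)."""
    problems = []
    if "*" not in idmap:
        problems.append("no 'idmap config *' default backend/range")
    doms = sorted(idmap)
    for d in doms:
        if "range" not in idmap[d]:
            problems.append(f"{d}: no range")
        elif idmap[d]["range"][0] > idmap[d]["range"][1]:
            problems.append(f"{d}: range low > high")
    spans = [(d, *idmap[d]["range"]) for d in doms if "range" in idmap[d]]
    for i, (d1, lo1, hi1) in enumerate(spans):
        for d2, lo2, hi2 in spans[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems


def unmapped_entries(idmap, domain, entries):
    """Return (name, reason) for accounts the ad backend would drop, i.e. the
    ones wbinfo -u still lists but getent passwd will not show."""
    cfg = idmap.get(domain.upper(), {})
    if cfg.get("backend") != "ad" or "range" not in cfg:
        return [(name, "domain has no 'ad' backend with a range") for name, _, _ in entries]
    low, high = cfg["range"]
    bad = []
    for name, uid, gid in entries:
        if not low <= uid <= high:
            bad.append((name, f"uidNumber {uid} outside {low}-{high}"))
        elif not low <= gid <= high:
            bad.append((name, f"gidNumber {gid} outside {low}-{high}"))
    return bad


if __name__ == "__main__":
    idmap = parse_idmap(SMB_CONF)
    for p in range_problems(idmap):
        print("config:", p)
    for name, why in unmapped_entries(idmap, "MAYWEG.NET", SAMPLE_USERS):
        print(f"{name}: {why}")
```

On a real member server the entries would come from `wbinfo -i <user>` or an LDAP search for `uidNumber`/`gidNumber` rather than from the constructed list; the check itself stays the same.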