[Samba] kinit: Cannot contact any KDC for realm 'MY.LOCAL.' while getting initial credentials
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Sep 15 16:04:56 UTC 2015
On 15/09/15 16:54, James wrote:
> On 9/15/2015 10:42 AM, Rowland Penny wrote:
>> On 15/09/15 13:58, James wrote:
>>> On 9/15/2015 8:30 AM, Lluís Danés wrote:
>>>> Solved! It was related to .local TLD. (perhaps avahi (I have an
>>>> avahi-daemon running)... I don't know since I have never used it and I
>>>> don't know what is)
>>>>
>>>> Since I've replaced by a new one (ad.example.com using EXAMPLE NetBIOS
>>>> domain) all works again and kinit administrator@AD.EXAMPLE.COM works
>>>> again.
>>>>
>>>> Thanks
>>>>
>>>>
>>>> 2015-09-15 12:21 GMT+02:00 Rowland Penny
>>>> <rowlandpenny241155 at gmail.com>:
>>>>
>>>>> On 15/09/15 10:59, Lluís Danés wrote:
>>>>>
>>>>>> 2015-09-15 11:39 GMT+02:00 Rowland Penny
>>>>>> <rowlandpenny241155 at gmail.com>:
>>>>>>
>>>>>> On 15/09/15 09:40, Lluís Danés wrote:
>>>>>>
>>>>>> Well, I downloaded it manually without using git. I've
>>>>>> compiled it with the "--with-acl-support" because I
>>>>>> thought it
>>>>>> was not included as default (I remember that I read it from
>>>>>> the wiki that it was said to build samba by yourself if you
>>>>>> want to use windows ACL's).
>>>>>>
>>>>>>
>>>>>> Can you remember just where on the wiki it said that ?
>>>>>> You can use distro packages (well except red-hat packages and
>>>>>> only
>>>>>> then if you want to setup a DC) or the packages from Sernet.
>>>>>>
>>>>>>
>>>>>> I read this wiki
>>>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs This line:
>>>>>> "To use the advanced features of Samba, it has to be compiled with
>>>>>> ACL
>>>>>> support (e. g. RHEL requires the libacl-devel to be installed, when
>>>>>> compiling)." confused me.
>>>>>>
>>>>> Would you have understood this better:
>>>>>
>>>>> To use the advanced features of Samba, it needs to have been
>>>>> compiled with
>>>>> ACL support. As far as is known, all available Samba 4 packages are
>>>>> compiled in this way. Unfortunately there are no Samba 4 RHEL AD DC
>>>>> distro
>>>>> packages available at this time, so if you require to install an AD
>>>>> DC on a
>>>>> RHEL based system you will need to compile Samba4 yourself, or use the
>>>>> Sernet packages. If you do compile Samba 4, you will need to
>>>>> install the
>>>>> relevant libacl development package for your distro (e.g. RHEL
>>>>> requires the
>>>>> libacl-devel package to be installed).
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>>>> How can I see the default options before run ./configure?
>>>>>>
>>>>>>
>>>>>> ./configure --help
>>>>>>
>>>>>> You usually don't have to add anything, unless you need to
>>>>>> specify
>>>>>> something that isn't a default or is different from the default
>>>>>> i.e. use a different prefix.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Otherwise, I've a dot on my realm MY.LOCAL. but it was a
>>>>>> mistake when I create this mail. I've the same problem
>>>>>> without
>>>>>> the dot. This dot was introduced because I've tried it
>>>>>> using a
>>>>>> dot without success. So if I've
>>>>>>
>>>>>> /etc/krb5.conf
>>>>>> [libdefaults]
>>>>>> default_realm = MY.LOCAL
>>>>>> dns_lookup_realm = false
>>>>>> dns_lookup_kdc = true
>>>>>>
>>>>>>
>>>>>> and then I run: kinit administrator@MY.LOCAL
>>>>>> I get: kinit: Cannot contact any KDC for realm 'MY.LOCAL'
>>>>>> while getting initial credentials
>>>>>>
>>>>>>
>>>>>> Is your 'TLD' actually '.local' and if so, try stopping avahi
>>>>>>
>>>>>>
>>>>>> Yes, it's my TLD. I will check by stopping avahi. Perhaps .LOCAL is
>>>>>> a bad
>>>>>> TLD for samba as I've read right now.
>>>>>>
>>>>>> Is Samba running at this stage ? if it isn't, then your KDC
>>>>>> isn't
>>>>>> either.
>>>>>>
>>>>>>
>>>>>> Samba is running. These 2 commands also work:
>>>>>> smbclient -L localhost -U%
>>>>>> smbclient //localhost/netlogon -UAdministrator -c 'ls'
>>>>>>
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>> -- To unsubscribe from this list go to the following URL
>>>>>> and read
>>>>>> the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Lluís Danés
>>>>>>
>>>>>
>>>>
>>> I ran into this problem on a member server. I searched but didn't find
>>> mention of Avahi and .local in the Wiki. Could this be added to
>>>
>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>>
>>>
>>> Under 'Testing Kerberos' as a note if possible failure? I wish I didn't
>>> use .local when I started.
>>>
>> I don't know just when you last looked at the wiki, but if you go to:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>
>>
>> Look under the 'Preconditions' header, there is a link to the 'Active
>> Directory Naming FAQ' :
>>
>> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ
>>
>> There is a heading 'Using an invalid TLD', it is all explained there.
>>
>> Rowland
>>
>>
> I was searching the wiki for 'avahi' and saw no mention. There is a bit
> of a contradiction in this section.
>
> "*It is possible that the invalid TLD you are now using, could become a
> valid TLD in the future.* While .local is reserved by ICANN, the TLD
> system is currently scheduled to undergo a vast expansion of the generic
> TLD (gTLD) it supports, from 22 to over a thousand new names. This trend
> is likely to continue. "
>
> It appears to me to leave the door open for someone choosing '.local'
> as a TLD.
>
The problem is, there are people out there using .local because at one
time, Microsoft said it was okay to do so (they don't now). If they now
add a Samba 4 DC, they have to continue using .local, the only cure is
to stop avahi on the Samba 4 AD DC and any other Unix clients.
Rowland
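
Added example, not part of the original thread: a preflight check for the situation discussed above, a Kerberos default realm under .local on a host where mDNS is consulted before DNS. It assumes name resolution goes through an mdns NSS module listed ahead of dns in nsswitch.conf, which the thread does not state; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Preflight check for a ".local" Kerberos realm on a host that resolves via mDNS.

# Print default_realm from a krb5.conf-style file.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if the realm's last label is "local" (case-insensitive, trailing dot ignored).
realm_is_dot_local() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')" in
        *.local) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the "hosts:" line of an nsswitch.conf-style file lists an mdns* module before "dns".
# Assumption: this ordering is what lets mDNS answer for .local names before DNS is asked.
mdns_before_dns() {
    awk '$1 == "hosts:" {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^mdns/) { found = 1; exit }
            if ($i == "dns") exit
        }
    } END { exit (found ? 0 : 1) }' "$1"
}

# Print "conflict", "local-realm" or "ok" for the given krb5.conf and nsswitch.conf.
check_kdc_lookup() {
    r=$(krb5_default_realm "$1")
    if ! realm_is_dot_local "$r"; then echo ok
    elif mdns_before_dns "$2"; then echo conflict
    else echo local-realm
    fi
}

# Constructed sample files (not taken from any real host).
demo_dir=$(mktemp -d)
printf '[libdefaults]\n    default_realm = MY.LOCAL\n    dns_lookup_kdc = true\n' > "$demo_dir/krb5.conf"
printf 'passwd: compat\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$demo_dir/nsswitch.conf"
check_kdc_lookup "$demo_dir/krb5.conf" "$demo_dir/nsswitch.conf"
```

On a real host, pass /etc/krb5.conf and /etc/nsswitch.conf; "conflict" means the realm is under .local and an mdns module is listed ahead of dns.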