[Samba] Suggestions for cross site domain

Wayne Merricks waynemerricks at thevoiceasia.com
Fri Jan 29 16:47:16 UTC 2016


Hi again all,

As mentioned before, I am using Samba 4's internal DNS but even so, I 
think I have issues with DNS or Kerberos.  The only strange thing is the 
UK side works the same as it always has and the India side "kind of" 
works.

What works:
* If I add users etc to AD they appear on my India server.
* I can join the domain in India
* Adding a DC in India, it appears in AD under the Domain Controllers 
as you would expect

What doesn't work:
* Even though the India DCs are in Active Directory they are not in the 
DNS entries e.g.

$ host -t SRV _ldap._tcp.int.thevoiceasia.com.

I only get listings for 2 UK servers and the Old India server (it is 
still there even though it was demoted properly and is no longer in AD)

* I get kerberos errors in the samba logs like this:

[2016/01/29 15:23:25.833496,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ ukpcw019$@INT.THEVOICEASIA.COM from ipv4:10.43.10.144:49339 for cifs/ukads001.int.thevoiceasia.com@INT.THEVOICEASIA.COM [canonicalize, renewable, forwardable]
[2016/01/29 15:23:25.836150,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for ukads001.int.thevoiceasia.com
[2016/01/29 15:23:25.836219,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: cifs/ukads001.int.thevoiceasia.com@INT.THEVOICEASIA.COM: no such entry found in hdb
[2016/01/29 15:23:25.836262,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.43.10.144:49339
[2016/01/29 15:23:25.836295,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: tgs-req: sending error: -1765328377 to client

* If I turn off IPv6, samba_dnsupdate fails even in the UK like this:

tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Failed nsupdate: 1
Failed update of 4 entries

Sincere apologies for list spamming, if anyone needs more information 
please let me know.

Thanks,

Wayne


On 2016-01-28 23:26, Wayne Merricks wrote:
> Possibly but then that would mean DNS is working for IPv6 but not for
> v4.  I'll look into the DNS side, I'm more familiar with Bind than I
> am with Samba's internal DNS so time for more reading.
>
> Thanks,
>
> Wayne
>
> On 2016-01-28 22:07, Rowland penny wrote:
>> On 28/01/16 21:32, Wayne Merricks wrote:
>>> Apologies, managed to venture onto the dreaded 2nd page of Google 
>>> and found an answer.
>>>
>>> If anyone gets stuck add --server to the end of the command and 
>>> this points samba-tool directly to the DC you wish to use for 
>>> joining.
>>>
>>> E.g. my dc of ukads001.int.thevoiceasia.com makes this command:
>>>
>>> sudo samba-tool domain join int.thevoiceasia.com DC -Uadministrator 
>>> --realm=int.thevoiceasia.com
>>>
>>> into
>>>
>>> sudo samba-tool domain join int.thevoiceasia.com DC -Uadministrator 
>>> --realm=int.thevoiceasia.com --server ukads001.int.thevoiceasia.com
>>>
>>> If anyone knows why this is necessary without IPv6 I would be 
>>> interested in the answer.
>>>
>>> Apologies for any time wasting.
>>>
>>>
>>> On 2016-01-28 21:17, Wayne Merricks wrote:
>>>> Hi James,
>>>>
>>>> Command to join:
>>>>
>>>> sudo samba-tool domain join int.thevoiceasia.com DC 
>>>> -Uadministrator
>>>> --realm=int.thevoiceasia.com
>>>>
>>>> I can reproduce the problem in the UK and it seems to be something 
>>>> to
>>>> do with IPv6.  As far as I'm aware, although my network switches
>>>> support IPv6, I have never set it up.
>>>>
>>>> I have disabled IPv6 addresses on all the DCs a few days ago.  I
>>>> suppose it is possible part of my original domain set up harbours 
>>>> some
>>>> IPv6 shenanigans but it certainly isn't intended.
>>>>
>>>> To reproduce:
>>>>
>>>> New UK Server with IPv6 enabled even though my DCs themselves 
>>>> report
>>>> no IPv6 addresses (default state):
>>>>
>>>> All OK
>>>>
>>>> New UK Server with IPv6 disabled:
>>>>
>>>> ERROR(exception): uncaught exception - Failed to find a writeable 
>>>> DC
>>>> for domain 'int.thevoiceasia.com'
>>>>
>>>> Does anyone know how I stop IPv6 being used on join?
>>>>
>>>> Regards,
>>>>
>>>> Wayne
>>>>
>>>> On 2016-01-28 18:23, James wrote:
>>>>> On 1/28/2016 12:53 PM, Wayne Merricks wrote:
>>>>>> Failed to find a writeable DC for domain
>>>>> What is the command you are using to join? Have you done any DNS
>>>>> testing to confirm you can find the DC you wish to join?
>>>>>
>>>>> -- -James
>>>
>>>
>>
>> I don't think this has anything to do with ipv6, I just think that 
>> it
>> is a dns problem. If you don't tell the join command which DC to 
>> join
>> to, it will have to search for one and if this fails, you get the
>> error message you did.
>>
>> Rowland
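The symptom Wayne describes (DCs present under Domain Controllers in AD but absent from the `_ldap._tcp` SRV answers, plus a demoted DC that is still advertised) and Rowland's point (a join without `--server` has to locate a DC through those very SRV records) both come down to one check: does the set of SRV targets in DNS match the set of DCs in AD? The script below is an added example written for this thread, not code from the thread or from the Samba project. It parses the output format of `host -t SRV` as used in the thread, compares the advertised targets with a DC list the administrator supplies, and reports "missing" (in AD, not in DNS) and "stale" (in DNS, no longer in AD) entries per service name. The domain `int.thevoiceasia.com` and the DC `ukads001` are from the thread; `ukads002`, `inads001` and `inads-old` are constructed placeholder hostnames, and the sample `host` output is constructed so the audit runs offline.

```python
# Added example (not from the thread): audit the AD domain-controller SRV
# records that `host -t SRV _<service>.<domain>` returns against the list of
# DCs the administrator knows exist in AD.
import re
import subprocess
from typing import Dict, Iterable, List

# SRV names every AD DC is expected to register under the domain name.
DC_SRV_SERVICES = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp")

# One answer line of `host -t SRV`, e.g.
#   _ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
_HOST_SRV_RE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+)$"
)


def parse_host_srv(output: str) -> List[dict]:
    """Parse `host -t SRV` output; non-answer lines ('has no SRV record',
    'not found') are skipped rather than treated as targets."""
    records = []
    for line in output.splitlines():
        m = _HOST_SRV_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "name": m["name"].rstrip(".").lower(),
            "priority": int(m["prio"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"].rstrip(".").lower(),  # drop trailing dot
        })
    return records


def query_srv_output(service: str, domain: str) -> str:
    """Live lookup through the `host` binary (not used by the offline sample)."""
    proc = subprocess.run(["host", "-t", "SRV", f"{service}.{domain}"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def audit_dc_srv(expected_dcs: Iterable[str],
                 srv_output_by_service: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Per service name: DCs in AD that DNS does not advertise ('missing') and
    DNS targets that are not DCs in AD any more ('stale')."""
    expected = {h.rstrip(".").lower() for h in expected_dcs}
    report = {}
    for service, output in srv_output_by_service.items():
        advertised = {r["target"] for r in parse_host_srv(output)}
        report[service] = {
            "missing": sorted(expected - advertised),
            "stale": sorted(advertised - expected),
        }
    return report


# Constructed sample: ukads001 is the DC named in the thread; ukads002,
# inads001 and inads-old are placeholder hostnames, not hosts from the thread.
DOMAIN = "int.thevoiceasia.com"
SAMPLE_EXPECTED_DCS = [f"ukads001.{DOMAIN}", f"ukads002.{DOMAIN}", f"inads001.{DOMAIN}"]
SAMPLE_HOST_OUTPUT = {
    "_ldap._tcp": (
        f"_ldap._tcp.{DOMAIN} has SRV record 0 100 389 ukads001.{DOMAIN}.\n"
        f"_ldap._tcp.{DOMAIN} has SRV record 0 100 389 ukads002.{DOMAIN}.\n"
        f"_ldap._tcp.{DOMAIN} has SRV record 0 100 389 inads-old.{DOMAIN}.\n"
    ),
    "_kerberos._tcp": f"_kerberos._tcp.{DOMAIN} has no SRV record\n",
}


def run_sample() -> Dict[str, Dict[str, List[str]]]:
    """Audit the constructed sample above; runs offline."""
    return audit_dc_srv(SAMPLE_EXPECTED_DCS, SAMPLE_HOST_OUTPUT)


def run_live(expected_dcs: Iterable[str], domain: str = DOMAIN) -> Dict[str, Dict[str, List[str]]]:
    """Query real DNS for every DC service name and audit the answers."""
    outputs = {svc: query_srv_output(svc, domain) for svc in DC_SRV_SERVICES}
    return audit_dc_srv(expected_dcs, outputs)


if __name__ == "__main__":
    for service, result in run_sample().items():
        print(f"{service}: missing={result['missing']} stale={result['stale']}")
```

On the sample, `_ldap._tcp` reports `inads001` as missing and `inads-old` as stale, which is the shape of the problem in the thread: a DC that joined AD but whose records never reached DNS, and a demoted DC whose records were never removed. The records in question are written by `samba_dnsupdate` on each DC, and that update is itself a GSS-TSIG (Kerberos-authenticated) operation, which is why the `tkey query failed ... Server not found in Kerberos database` output and the `Server not found in database` KDC log lines above are worth reading together with this audit rather than as separate problems.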