[Samba] Samba43 Kerberos problems
Juan Garcia
juan at ish.com.au
Mon Jul 4 02:40:27 UTC 2016
> Hi,
>
> Try to add "rdns = false" in krb5.conf on SERVER1.
>
Hi Mathias,
Thanks for your reply. I have tried that option but same issues. This is
getting worse now. Not sure what else to do, any other test/changes you
advise me to do? Right now I'm out of ideas.
>
> 2016-06-21 13:36 GMT+02:00 Juan Garcia <juan at ish.com.au>:
>
> Hi There,
>
> I have an odd issue with my samba4 infrastructure, I have two
> servers both replicating fine.
> DC1 passes all tests documented here:
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
> Except the following test:
>
> # kinit administrator
> # kinit: krb5_get_init_creds: Client (administrator at DOMAIN.NAME.COM.AU) unknown
>
> And in the logs I have found the following:
>
> # kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in Kerberos database)
>
> SERVER1 is my DC1, not sure why it has a $ right before the @, is this normal?
> I get the same error when running
>
> # samba_dnsupdate --verbose --all-names
> IPs: ['0.0.0.0'] -> shows the real DC1 ip address
> Traceback (most recent call last):
>   File "/usr/local/sbin/samba_dnsupdate", line 621, in <module>
>     get_credentials(lp)
>   File "/usr/local/sbin/samba_dnsupdate", line 125, in get_credentials
>     raise e
> RuntimeError: kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in Kerberos database)
>
> Not sure if this is useful but I have run:
>
> # samba_dnsupdate --verbose --all-names --no-credentials
>
> Calling nsupdate for A server1.domain.name.com.au 0.0.0.0 (add) -> Both lines don't show 0.0.0.0 it shows the real ip address
> Failed nsupdate: A server1.domain.name.com.au 0.0.0.0 : [Errno 2] No such file or directory
>
> And it keeps trying to find those files all with the same error:
> [Errno 2] No such file or directory
>
> Calling nsupdate for A gc._msdcs.a
> Calling nsupdate for SRV _gc._tcp.
>
> Last thing that I found
> On DC1
> # ps ax | grep samba
> 38636 - Is 0:00.40 /usr/local/sbin/samba --daemon
> --configfile=/usr/local/etc/smb4.conf
> 38637 - I 0:00.00 samba: task[s3fs_parent] (samba)
> 38638 - S 0:27.24 samba: task[dcesrv] (samba)
> 38640 - I 0:00.01 samba: task wrepl server_id[38640] (samba)
> 38641 - I 0:08.63 samba: task[ldapsrv] (samba)
> 38642 - S 0:00.07 samba: task[cldapd] (samba)
> 38644 - S 1:04.27 samba: task[dreplsrv] (samba)
> 38645 - I 0:00.00 samba: task[winbindd_parent] (samba)
> 38646 - I 0:00.01 samba: task[ntp_signd] (samba)
> 38648 - I 0:03.79 samba: task[kccsrv] (samba)
> 38649 - S 0:00.89 samba: task[dnsupdate] (samba)
> 38650 - I 0:04.54 samba: task[dns] (samba)
>
> on DC2
> # ps ax | grep samba
> 11108 - Ss 0:00.41 /usr/local/sbin/samba --daemon
> --configfile=/usr/local/etc/smb4.conf
> 11109 - I 0:00.00 samba: task[s3fs_parent] (samba)
> 11110 - S 0:02.74 samba: task[dcesrv] (samba)
> 11112 - S 0:00.00 samba: task wrepl server_id[11112] (samba)
> 11113 - I 0:01.77 samba: task[ldapsrv] (samba)
> 11114 - S 0:00.19 samba: task[cldapd] (samba)
> 11115 - I 0:00.44 samba: task[kdc] (samba)
> 11116 - S 0:01.07 samba: task[dreplsrv] (samba)
> 11117 - I 0:00.00 samba: task[winbindd_parent] (samba)
> 11118 - S 0:00.00 samba: task[ntp_signd] (samba)
> 11120 - I 0:00.43 samba: task[kccsrv] (samba)
> 11121 - S 0:00.04 samba: task[dnsupdate] (samba)
> 11122 - S 0:00.01 samba: task[dns] (samba)
>
> As you can see task[kdc] (samba) is not running on DC1, I'm pretty
> sure this is something to do with my issues, but not sure how to fix
> this.
>
> This is my /etc/resolv.conf
>
> domain domain.name.com.au
> nameserver 192.168.1.1 -> ip address of firewall which handles DNS
>
> This is my /etc/krb5.conf
>
> [libdefaults]
> default_realm = DOMAIN.NAME.COM.AU
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> This is my /usr/local/etc/smb4.conf
>
> Global parameters
> [global]
> interfaces = 192.168.1.100
> bind interfaces only = yes
> workgroup = CW1
> realm = AD.CARRIAGEWORKS.COM.AU
> netbios name = SERVER1
> server role = active directory domain controller
> dns forwarder = 192.168.1.1
> printing = bsd
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
> eventlog6, backupkey, dnsserver
> restrict anonymous = 1
> map acl inherit = no
> store dos attributes = yes
> unix extensions = no
> ea support = no
> idmap_ldb:use rfc2307 = yes
> browseable= yes
> writable = yes
> read only= no
> create mask = 770
> force create mode = 770
> directory mask = 770
> force directory mode = 770
> kerberos method = system keytab
> client ldap sasl wrapping = sign
> allow dns updates = nonsecure and secure
>
> I appreciate your help and thanks in advance for reading this.
>
> Regards,
>
> --
> Juan Garcia
> ish
> http://www.ish.com.au
> Level 1, 30 Wilson Street Newtown 2042 Australia
> phone +61 2 9550 5001 fax +61 2 9550 4001
>
>
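The comparison the original post makes by eye, `ps ax` output against the `server services` line of smb4.conf, written as an added example (not part of the thread and not Samba's own code). The service-to-task name mapping is an assumption inferred from the DC2 listing quoted above.

```python
import re

# smb.conf "server services" name -> task name shown by `ps ax`. Inferred by
# lining up the services list with the DC2 process listing in this thread
# (an assumption of this example, not taken from Samba documentation).
SERVICE_TO_TASK = {
    "s3fs": "s3fs_parent", "rpc": "dcesrv", "wrepl": "wrepl", "ldap": "ldapsrv",
    "cldap": "cldapd", "kdc": "kdc", "drepl": "dreplsrv",
    "winbind": "winbindd_parent", "ntp_signd": "ntp_signd", "kcc": "kccsrv",
    "dnsupdate": "dnsupdate", "dns": "dns",
}

TASK_RE = re.compile(r"samba: task(?:\[(\w+)\]| (\w+) server_id\[\d+\])")

def configured_services(smb_conf_text):
    """Return the services on the 'server services' line (+/- modifiers not handled)."""
    m = re.search(r"^\s*server services\s*=\s*(.+)$", smb_conf_text, re.M)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []

def running_tasks(ps_text):
    """Return the set of samba task names found in `ps ax` output."""
    return {a or b for a, b in TASK_RE.findall(ps_text)}

def missing_tasks(smb_conf_text, ps_text):
    """Configured services that have no matching task in the process list."""
    running = running_tasks(ps_text)
    return [s for s in configured_services(smb_conf_text)
            if SERVICE_TO_TASK.get(s, s) not in running]

# Sample input: trimmed from the smb4.conf and DC1 listing quoted in the thread.
SMB_CONF = """[global]
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
"""
DC1_PS = """38637 - I 0:00.00 samba: task[s3fs_parent] (samba)
38638 - S 0:27.24 samba: task[dcesrv] (samba)
38640 - I 0:00.01 samba: task wrepl server_id[38640] (samba)
38641 - I 0:08.63 samba: task[ldapsrv] (samba)
38642 - S 0:00.07 samba: task[cldapd] (samba)
38644 - S 1:04.27 samba: task[dreplsrv] (samba)
38645 - I 0:00.00 samba: task[winbindd_parent] (samba)
38646 - I 0:00.01 samba: task[ntp_signd] (samba)
38648 - I 0:03.79 samba: task[kccsrv] (samba)
38649 - S 0:00.89 samba: task[dnsupdate] (samba)
38650 - I 0:04.54 samba: task[dns] (samba)
"""

if __name__ == "__main__":
    print(missing_tasks(SMB_CONF, DC1_PS))
```
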