[Samba] Samba43 Kerberos problems

mathias dufresne infractory at gmail.com
Mon Jul 4 08:18:42 UTC 2016


2016-07-04 4:40 GMT+02:00 Juan Garcia <juan at ish.com.au>:

> Hi,
>>
>> Try to add "rdns = false" in krb5.conf on SERVER1.
>>
>> Hi Mathias,
>
> Thanks for your reply I have tried that option but same issues. This is
> getting worse now. Not sure what else to do, any other test/changes you
> advise me to do? Right now I'm out of ideas.
>
>
>> 2016-06-21 13:36 GMT+02:00 Juan Garcia <juan at ish.com.au
>> <mailto:juan at ish.com.au>>:
>>
>>     Hi There,
>>
>>     I have an odd issue with my samba4 infrastructure, I have two
>>     servers both replicating fine.
>>     DC1 passes all tests documented here:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>     Except the following test:
>>
>>     # kinit administrator
>>     # kinit: krb5_get_init_creds: Client administrator at DOMAIN.NAME.COM.AU
>> unknown
>>
>>     And in the logs I have found the following:
>>
>>     # kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in
>> Kerberos database) SERVER1 is my DC1,
>>     not sure why it has a $ right before the @ is this normal?
>>
>
ldbsearch (and ldapsearch) is very useful to dig into AD and understand it
better. Use it ;)

ldbsearch -H $sam cn=dc208 sAMAccountName
# record 1
dn: CN=DC208,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
sAMAccountName: DC208$

sAMAccountName is the pre-Windows 2000 login. It is 20 characters max and that
limit still exists in modern Windows, which could demonstrate that
they don't like to change the engine, only the colour...
Anyway, that $ at the end is normal. That's how computer logins are forged in AD.



>     I get the same error when running
>>
>>     # samba_dnsupdate --verbose --all-names
>>     IPs: ['0.0.0.0'] -> shows the real DC1 ip address
>>     Traceback (most recent call last):
>>       File "/usr/local/sbin/samba_dnsupdate", line 621, in <module>
>>         get_credentials(lp)
>>       File "/usr/local/sbin/samba_dnsupdate", line 125, in get_credentials
>>         raise e
>>     RuntimeError: kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client
>> not found in Kerberos
>>     database)
>>
>>     Not sure if this is useful but I have run:
>>
>>     # samba_dnsupdate --verbose --all-names --no-credentials
>>
>>     Calling nsupdate for A server1.domain.name.com.au
>>     0.0.0.0 (add) -> Both lines don't show 0.0.0.0 it shows the real ip
>> address
>>     Failed nsupdate: A server1.domain.name.com.au 0.0.0.0 : [Errno 2] No
>> such file
>>
>>     or directory
>>
>>
0.0.0.0 is, for me, "all addresses". It is used by netstat, ip... Using
A.B.C.D or a fake address should limit confusion :)

This said it sounds like a SPN (servicePrincipalName) could be missing on
your DC1's LDAP object.

Once more, ldbsearch:
ldbsearch -H $sam cn=dc208 servicePrincipalName
# record 1
dn: CN=DC208,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
servicePrincipalName: HOST/DC208
servicePrincipalName: HOST/dc208.ad.domain.tld
servicePrincipalName: GC/dc208.ad.domain.tld/ad.domain.tld
servicePrincipalName:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/9a4b7c12-ae49-484b-
 baaa-524621ddb52e/ad.domain.tld
servicePrincipalName: HOST/dc208.ad.domain.tld/AD
servicePrincipalName: ldap/dc208.ad.domain.tld/AD
servicePrincipalName: ldap/dc208.ad.domain.tld
servicePrincipalName: HOST/dc208.ad.domain.tld/ad.domain.tld
servicePrincipalName: ldap/dc208.ad.domain.tld/ad.domain.tld
servicePrincipalName:
ldap/9a4b7c12-ae49-484b-baaa-524621ddb52e._msdcs.ad.domain.tld
servicePrincipalName: ldap/DC208
servicePrincipalName: RestrictedKrbHost/DC208
servicePrincipalName: RestrictedKrbHost/dc208.ad.domain.tld
servicePrincipalName: ldap/dc208.ad.domain.tld/DomainDnsZones.ad.domain.tld
servicePrincipalName: ldap/dc208.ad.domain.tld/ForestDnsZones.ad.domain.tld

That's one of my DCs.

Perform the same search on your two DCs and check that they both have the
same number of SPNs.

If you don't find anything relevant, redo that search without specifying an
attribute filter. What I call "attribute filter" is the addition at the end
of the command of "servicePrincipalName". This tells ldbsearch to return
only "dn" and the specified attributes (here only "servicePrincipalName").
Then compare both entries.

You could have a look at FSMO ownership too; sometimes there are issues with
them, but as I never faced that issue I don't know what kind of issue that
causes.



>     And it keeps trying to find those files all with the same error:
>>     [Errno 2] No such file or directory
>>
>>     Calling nsupdate for A gc._msdcs.a
>>     Calling nsupdate for SRV _gc._tcp.
>>
>>     Last thing that I found
>>     On DC1
>>     # ps ax | grep samba
>>     38636  -  Is      0:00.40 /usr/local/sbin/samba --daemon
>>     --configfile=/usr/local/etc/smb4.conf
>>     38637  -  I       0:00.00 samba: task[s3fs_parent] (samba)
>>     38638  -  S       0:27.24 samba: task[dcesrv] (samba)
>>     38640  -  I       0:00.01 samba: task wrepl server_id[38640] (samba)
>>     38641  -  I       0:08.63 samba: task[ldapsrv] (samba)
>>     38642  -  S       0:00.07 samba: task[cldapd] (samba)
>>     38644  -  S       1:04.27 samba: task[dreplsrv] (samba)
>>     38645  -  I       0:00.00 samba: task[winbindd_parent] (samba)
>>     38646  -  I       0:00.01 samba: task[ntp_signd] (samba)
>>     38648  -  I       0:03.79 samba: task[kccsrv] (samba)
>>     38649  -  S       0:00.89 samba: task[dnsupdate] (samba)
>>     38650  -  I       0:04.54 samba: task[dns] (samba)
>>
>>     on DC2
>>     # ps ax | grep samba
>>     11108  -  Ss       0:00.41 /usr/local/sbin/samba --daemon
>>     --configfile=/usr/local/etc/smb4.conf
>>     11109  -  I        0:00.00 samba: task[s3fs_parent] (samba)
>>     11110  -  S        0:02.74 samba: task[dcesrv] (samba)
>>     11112  -  S        0:00.00 samba: task wrepl server_id[11112] (samba)
>>     11113  -  I        0:01.77 samba: task[ldapsrv] (samba)
>>     11114  -  S        0:00.19 samba: task[cldapd] (samba)
>>     11115  -  I        0:00.44 samba: task[kdc] (samba)
>>     11116  -  S        0:01.07 samba: task[dreplsrv] (samba)
>>     11117  -  I        0:00.00 samba: task[winbindd_parent] (samba)
>>     11118  -  S        0:00.00 samba: task[ntp_signd] (samba)
>>     11120  -  I        0:00.43 samba: task[kccsrv] (samba)
>>     11121  -  S        0:00.04 samba: task[dnsupdate] (samba)
>>     11122  -  S        0:00.01 samba: task[dns] (samba)
>>
>>     As you can see task[kdc] (samba) is not running on DC1, I'm pretty
>>     sure this is something to do with my issues, but not sure how to fix
>>     this.
>>
>>     This is my /etc/resolv.conf
>>
>>     domain domain.name.com.au <http://domain.name.com.au>
>>     nameserver 192.168.1.1 -> ip address of firewall which handles DNS
>>
>
Is your firewall, which handles DNS requests, aware that DNS requests
about AD must be forwarded to your AD servers?

AD relies on DNS to work. Not to work correctly, but simply to work.

On both DCs:
dig domain.name.com.au

The DNS resolver of a DC could be:
- 127.0.0.1 or the local IP if your DC is running Samba4 >= 4.2. My favourite.
- the other DC's address. I don't like that because it seems to me that by doing
that the DC needs another DC to work correctly (i.e. one DC fails, two DCs out
of order)
- any DNS server which is configured to forward DNS requests about your AD
domain to the AD DNS servers. I never tried that for a DC; that's what we use for
clients.

Anyway, on both DCs you must be able to run "dig domain.name.com.au" and get an
answer.


>
>>     This is my /etc/krb5.conf
>>
>>     [libdefaults]
>>             default_realm = DOMAIN.NAME.COM.AU
>>             dns_lookup_realm = false
>>             dns_lookup_kdc = true
>>
>>     This is my /usr/local/etc/smb4.conf
>>
>>     Global parameters
>>     [global]
>>             interfaces = 192.168.1.100
>>             bind interfaces only = yes
>>             workgroup = CW1
>>             realm = AD.CARRIAGEWORKS.COM.AU
>>
>>             netbios name = SERVER1
>>             server role = active directory domain controller
>>             dns forwarder = 192.168.1.1
>>             printing = bsd
>>             server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
>>     winbind, ntp_signd, kcc, dnsupdate, dns
>>             dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>>     netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>>     eventlog6, backupkey, dnsserver
>>             restrict anonymous = 1
>>             map acl inherit = no
>>             store dos attributes = yes
>>             unix extensions = no
>>             ea support = no
>>             idmap_ldb:use rfc2307 = yes
>>             browseable= yes
>>             writable = yes
>>             read only= no
>>             create mask = 770
>>             force create mode = 770
>>             directory mask = 770
>>             force directory mode = 770
>>             kerberos method = system keytab
>>             client ldap sasl wrapping = sign
>>             allow dns updates = nonsecure and secure
>>
>
For "server services" and "dcerpc endpoint servers", if you haven't
modified them, don't write them. This, in my mind, applies to almost
everything. Just to simplify your smb.conf: the simpler, the better ( :

Not sure any of that helps, but I tried :p


>
>>     I appreciate your help and thanks in advance for reading this.
>>
>>     Regards,
>>
>>     --
>>     Juan Garcia
>>     ish
>>     http://www.ish.com.au
>>     Level 1, 30 Wilson Street Newtown 2042 Australia
>>     phone +61 2 9550 5001 <tel:%2B61%202%209550%205001>   fax +61 2 9550
>>     4001 <tel:%2B61%202%209550%204001>
>>
>>     --
>>     To unsubscribe from this list go to the following URL and read the
>>     instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>>
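Added example, not code from this thread or from the Samba project: a small Python script that does the comparison Mathias suggests above. It parses ldbsearch output (handling the LDIF folded continuation lines that start with a space, as in the long DRS SPN in his listing, and the "attr:: base64" form), then compares the servicePrincipalName sets of two DCs after masking each DC's own NetBIOS name, FQDN and GUIDs, so two differently named DCs can be diffed directly. The first sample record is constructed to match the DC208 listing; the second DC ("DC209"), its GUID and the SPNs it is missing are invented for the demonstration. It assumes you queried each DC with something like `ldbsearch -H $sam cn=<dc> sAMAccountName dNSHostName servicePrincipalName` (dNSHostName is optional; the FQDN is otherwise taken from a HOST/ SPN).

```python
"""Parse ldbsearch output and compare the SPN sets of two DCs (added example)."""
import base64
import re
from collections import defaultdict

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_ldif(text):
    """Turn ldbsearch/LDIF text into a list of {attribute: [values]} dicts.
    '#' lines are comments, a line starting with a space continues the
    previous value (LDIF folding), and 'attr:: value' is base64-encoded."""
    records, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" "):  # folded continuation: append without the lead space
            if current is not None and last_attr is not None:
                current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():  # blank line ends a record
            if current is not None:
                records.append(current)
                current = None
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.lstrip(" "))
    if current is not None:
        records.append(current)
    return records


def _fqdn(record, host):
    """dNSHostName if present, else the FQDN found in a HOST/<fqdn> SPN."""
    if record.get("dNSHostName"):
        return record["dNSHostName"][0]
    for spn in record.get("servicePrincipalName", []):
        parts = spn.split("/")
        if len(parts) >= 2 and parts[1].lower().startswith(host.lower() + "."):
            return parts[1]
    raise ValueError("cannot determine FQDN for " + host)


def spn_templates(record):
    """SPNs with this DC's name, FQDN and GUIDs replaced by placeholders."""
    host = record["sAMAccountName"][0].rstrip("$")  # computer accounts end in '$'
    fqdn = _fqdn(record, host)
    out = set()
    for spn in record.get("servicePrincipalName", []):
        t = re.sub(re.escape(fqdn), "<fqdn>", spn, flags=re.I)  # FQDN before short name
        t = re.sub(r"(?<=/)" + re.escape(host) + r"(?=/|$)", "<host>", t, flags=re.I)
        out.add(GUID_RE.sub("<guid>", t))
    return out


def compare_dcs(text_a, text_b):
    """SPN templates present on one DC but absent on the other."""
    ta = spn_templates(parse_ldif(text_a)[0])
    tb = spn_templates(parse_ldif(text_b)[0])
    return {"only_on_a": sorted(ta - tb), "only_on_b": sorted(tb - ta)}


def sample_ldif(host, guid, skip=()):
    """Constructed ldbsearch-style output in the layout of the DC208 listing;
    'skip' drops SPNs containing any of the given substrings. Lines longer
    than 76 characters are folded the way LDIF does."""
    fqdn = f"{host.lower()}.ad.domain.tld"
    spns = [f"HOST/{host}", f"HOST/{fqdn}", f"GC/{fqdn}/ad.domain.tld",
            f"E3514235-4B06-11D1-AB04-00C04FC2DCD2/{guid}/ad.domain.tld",
            f"HOST/{fqdn}/AD", f"ldap/{fqdn}/AD", f"ldap/{fqdn}",
            f"HOST/{fqdn}/ad.domain.tld", f"ldap/{fqdn}/ad.domain.tld",
            f"ldap/{guid}._msdcs.ad.domain.tld", f"ldap/{host}",
            f"RestrictedKrbHost/{host}", f"RestrictedKrbHost/{fqdn}",
            f"ldap/{fqdn}/DomainDnsZones.ad.domain.tld",
            f"ldap/{fqdn}/ForestDnsZones.ad.domain.tld"]
    lines = ["# record 1",
             f"dn: CN={host},OU=Domain Controllers,DC=ad,DC=domain,DC=tld",
             f"sAMAccountName: {host}$", f"dNSHostName: {fqdn}"]
    for spn in spns:
        if any(s in spn for s in skip):
            continue
        line = f"servicePrincipalName: {spn}"
        if len(line) > 76:
            line = line[:76] + "\n " + line[76:]
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dc_a = sample_ldif("DC208", "9a4b7c12-ae49-484b-baaa-524621ddb52e")
    dc_b = sample_ldif("DC209", "5d1e0c7f-1111-4222-8333-444444444444",  # invented
                       skip=("RestrictedKrbHost", "_msdcs"))
    for side, missing in compare_dcs(dc_a, dc_b).items():
        print(side, missing)
```

In practice, save the ldbsearch output of each DC to a file and pass the two texts to compare_dcs(); an empty list on both sides means the DCs carry the same SPN shapes, and anything listed under one side is what the other DC lacks.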

