[Samba] Samba43 Kerberos issues
Juan Garcia
juan at ish.com.au
Thu Jun 2 06:01:25 UTC 2016
> Hi Juan,
>
> I reply below but information requested by Rowland are still needed (or at
> least they will be helpful).
>
Hi Mathias,
Thanks for your reply, I've been busy working on other tasks but now
this issue is my priority.
/etc/krb5.conf:
[libdefaults]
default_realm = MY.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
/etc/resolv.conf:
# Generated by resolvconf
domain my.domain.com
nameserver 192.168.1.1 -> this is the ip address of my Firewall as I
have all DNS requests go through the FW first and the firewall will talk
to the SERVER1 for authentication.
/usr/local/etcs/smb4.conf:
Global parameters
[global]
interfaces = 192.168.0.100 -> ip address of DC1
bind interfaces only = yes
workgroup = CW1
realm = MY.DOMAIN.COM
netbios name = SERVER1
server role = active directory domain controller
dns forwarder = 192.168.0.1
printing = bsd
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, dns
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
eventlog6, backupkey, dnsserver
restrict anonymous = 1
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = yes
unix extensions = no
inherit acls = yes
inherit permissions = yes
ea support = no
idmap_ldb:use rfc2307 = yes
browseable= yes
writable = yes
read only= no
create mask = 664
force create mode = 664
directory mask = 2777
force directory mode = 2777
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
I have also run the following tests on SERVER1:
# host -t A SERVER1.mydomain.com
SERVER1.mydomain.com has address 192.168.0.100
# klist -l
Name Cache name Expires
administrator at MY.DOMAIN.COM /tmp/krb5cc_0 >>> Expired <<< *
> KDC is Key Distribution Center from Kerberos so I think as you: issue could
> come from there.
>
> You can force your client to use DC2 to verify the issue comes from DC1
> only. You will have to force in your krb5.conf usage of DC2 (no example
> from my side so you will need to look for an example by yourself :)
>
Ok, will do a research an try that
> As a useful information you could also tell us if you use internal DNS or
> Bind-DLZ DNS backend. That's important.
>
I use internal DNS, I've read that BIND sometimes could be a pain in the
ass.
> About samba_dnsupdate:
> using --no-credentials:
> About DNS updates issue on _gc._tcp: no idea.
> About DNS updates issue on _msdcs zone: you must be authenticated to modify
> that zone.
>
> Using "testparm -v | grep nsupdate" you should see how is configured your
> samba server regarding how it sends DNS update.
> Using vi on samba_dnsupdate, commenting around line 408 (unlink(tmp) or
> something like that) you will find /tmp/tmp* files containing nsupdate
> commands. These files are generated by samba_dnsupdate and used by nsupdate.
>
I have commented the following line:
except Exception, estr:
if opts.fail_immediately:
sys.exit(1)
error_count = error_count + 1
if opts.verbose:
print("Failed nsupdate: %s : %s" % (str(d), estr))
#os.unlink(tmpfile) => (this is commented) inside
/usr/local/sbin/samba_dnsupdate
I have run testparm -v | grep nsupdate
# testparm -v | grep nsupdate
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[Vol1]"
Processing section "[Vol2]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
dns update command = /usr/local/sbin/samba_dnsupdate
nsupdate command = /usr/bin/nsupdate -g
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind,
ntp_signd, kcc, dnsupdate, dns
Not sure where those definitions "nsupdate command" and "dns update
command" are coming from as they are not in my smb4.conf
Thanks for looking into this.
Cheers,
Juan
More information about the samba
mailing list