[Samba] inconsistent DNS information, windows domain member issues..

Rowland penny rpenny at samba.org
Sun Jun 5 15:45:47 UTC 2016


On 05/06/16 13:43, Jo wrote:
>> Your DCs really need to be running at all times, so that replication 
>> can work properly, also each DC should use the other for their DNS 
>> server, anything unknown to the DNS servers on the DCs should be 
>> forwarded to an external DNS that does know or can find out. 
> I understand that they need to be up simultaneously for replication, but otherwise that should not be the case. Or why? Imho the point of redundancy is that you can tolerate failure. In fact I would like to run this on two bananas but haven't found a usable distribution so far that offers recent versions of Samba (and supports encryption at least of the relevant data). Running the windows hosts all the time is not an option due to noise, energy consumption, etc.

I take it that by 'bananas' you mean 'banana-pi'. This probably suffers 
from the same problems as the rpi: you will probably have to build Samba 
yourself, and it will probably be unable to cope with a lot of users etc.

You need to understand that if you only have one DC running, it will 
keep trying to contact the other, and any changes made on the running DC 
will need to be replicated to the other when it does come back up.

>
> The point of whether the DC should use the respective other DC for DNS is obviously debated here. The DCs do have an upstream forwarder configured in bind.

If you have two DCs, they need to use each other for DNS or you can get 
what is called 'islanding'.

>
>> Can you please post /etc/resolv.conf, /etc/hosts and /etc/krb5.conf from
>> each DC, can you also post the smb.conf file from each DC.
>>
> joachim at dc1:~$ cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.177.21
> search samba.domain

It is not really a good idea to run 'resolvconf' on a fixed IP machine 
(I take it the DCs do have fixed IP addresses). I suggest you remove it 
and then set /etc/resolv.conf to:

nameserver 192.168.177.22
nameserver 192.168.177.21
search samba.domain

Switch the 'nameserver' lines for the second DC.

> joachim at dc1:~$ cat /etc/hosts
> 127.0.0.1       localhost
> 192.168.177.21  dc1 dc1.samba.domain
> 192.168.15.22   dc2 dc2.samba.domain
>
> # The following lines are desirable for IPv6 capable hosts
> #::1     localhost ip6-localhost ip6-loopback
> #ff02::1 ip6-allnodes
> #ff02::2 ip6-allrouters

Nothing wrong there, except you don't need the line for the other DC.

> joachim at dc1:~$ cat /etc/krb5.conf
> [libdefaults]
>          default_realm = SAMBA.DOMAIN
>
> # The following krb5.conf variables are only for MIT Kerberos.
>          krb4_config = /etc/krb.conf
>          krb4_realms = /etc/krb.realms
>          kdc_timesync = 1
>          ccache_type = 4
>          forwardable = true
>          proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented.  In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
>
> #       default_tgs_enctypes = des3-hmac-sha1
> #       default_tkt_enctypes = des3-hmac-sha1
> #       permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>          v4_instance_resolve = false
>          v4_name_convert = {
>                  host = {
>                          rcmd = host
>                          ftp = ftp
>                  }
>                  plain = {
>                          something = something-else
>                  }
>          }
>          fcc-mit-ticketflags = true
>
> [realms]
>          ATHENA.MIT.EDU = {
>                  kdc = kerberos.mit.edu:88
>                  kdc = kerberos-1.mit.edu:88
>                  kdc = kerberos-2.mit.edu:88
>                  admin_server = kerberos.mit.edu
>                  default_domain = mit.edu
>          }
>          MEDIA-LAB.MIT.EDU = {
>                  kdc = kerberos.media.mit.edu
>                  admin_server = kerberos.media.mit.edu
>          }
>          ZONE.MIT.EDU = {
>                  kdc = casio.mit.edu
>                  kdc = seiko.mit.edu
>                  admin_server = casio.mit.edu
>          }
>          MOOF.MIT.EDU = {
>                  kdc = three-headed-dogcow.mit.edu:88
>                  kdc = three-headed-dogcow-1.mit.edu:88
>                  admin_server = three-headed-dogcow.mit.edu
>          }
>          CSAIL.MIT.EDU = {
>                  kdc = kerberos-1.csail.mit.edu
>                  kdc = kerberos-2.csail.mit.edu
>                  admin_server = kerberos.csail.mit.edu
>                  default_domain = csail.mit.edu
>                  krb524_server = krb524.csail.mit.edu
>          }
>          IHTFP.ORG = {
>                  kdc = kerberos.ihtfp.org
>                  admin_server = kerberos.ihtfp.org
>          }
>          GNU.ORG = {
>                  kdc = kerberos.gnu.org
>                  kdc = kerberos-2.gnu.org
>                  kdc = kerberos-3.gnu.org
>                  admin_server = kerberos.gnu.org
>          }
>          1TS.ORG = {
>                  kdc = kerberos.1ts.org
>                  admin_server = kerberos.1ts.org
>          }
>          GRATUITOUS.ORG = {
>                  kdc = kerberos.gratuitous.org
>                  admin_server = kerberos.gratuitous.org
>          }
>          DOOMCOM.ORG = {
>                  kdc = kerberos.doomcom.org
>                  admin_server = kerberos.doomcom.org
>          }
>          ANDREW.CMU.EDU = {
>                  kdc = kerberos.andrew.cmu.edu
>                  kdc = kerberos2.andrew.cmu.edu
>                  kdc = kerberos3.andrew.cmu.edu
>                  admin_server = kerberos.andrew.cmu.edu
>                  default_domain = andrew.cmu.edu
>          }
>          CS.CMU.EDU = {
>                  kdc = kerberos.cs.cmu.edu
>                  kdc = kerberos-2.srv.cs.cmu.edu
>                  admin_server = kerberos.cs.cmu.edu
>          }
>          DEMENTIA.ORG = {
>                  kdc = kerberos.dementix.org
>                  kdc = kerberos2.dementix.org
>                  admin_server = kerberos.dementix.org
>          }
>          stanford.edu = {
>                  kdc = krb5auth1.stanford.edu
>                  kdc = krb5auth2.stanford.edu
>                  kdc = krb5auth3.stanford.edu
>                  master_kdc = krb5auth1.stanford.edu
>                  admin_server = krb5-admin.stanford.edu
>                  default_domain = stanford.edu
>          }
>          UTORONTO.CA = {
>                  kdc = kerberos1.utoronto.ca
>                  kdc = kerberos2.utoronto.ca
>                  kdc = kerberos3.utoronto.ca
>                  admin_server = kerberos1.utoronto.ca
>                  default_domain = utoronto.ca
>          }
>
> [domain_realm]
>          .mit.edu = ATHENA.MIT.EDU
>          mit.edu = ATHENA.MIT.EDU
>          .media.mit.edu = MEDIA-LAB.MIT.EDU
>          media.mit.edu = MEDIA-LAB.MIT.EDU
>          .csail.mit.edu = CSAIL.MIT.EDU
>          csail.mit.edu = CSAIL.MIT.EDU
>          .whoi.edu = ATHENA.MIT.EDU
>          whoi.edu = ATHENA.MIT.EDU
>          .stanford.edu = stanford.edu
>          .slac.stanford.edu = SLAC.STANFORD.EDU
>          .toronto.edu = UTORONTO.CA
>          .utoronto.ca = UTORONTO.CA
>
> [login]
>          krb4_convert = true
>          krb4_get_tickets = false

Here's the thing, your /etc/krb5.conf only needs to look like this:

[libdefaults]
         default_realm = SAMBA.DOMAIN

Everything else is unneeded or the default.


> joachim at dc1:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>          workgroup = SAMBA
>          realm = SAMBA.DOMAIN
>          netbios name = DC1
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>          path = /var/lib/samba/sysvol/samba.domain/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> joachim at dc1:~$

This looks ok.

The files on the second DC should be similar to the first, except for 
the obvious name & ip changes.

>
>
>
> One new piece of mosaic:
>
> root at dc2:/home/joachim# tail /var/log/samba/log.samba
> [2016/06/05 14:28:12.674356,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
> [2016/06/05 14:28:12.697076,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
> [2016/06/05 14:28:12.719968,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
> [2016/06/05 14:28:12.743569,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>    /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
> [2016/06/05 14:28:12.756246,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
>    ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
> root at dc2:/home/joachim#
>
> I tried to follow https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable, but maybe that is outdated? I found a keytab file at /var/lib/samba/private/secrets.keytab and it contains what is described on the wiki page:
>
> root at dc2:/home/joachim# klist -k /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     1 HOST/dc2 at SAMBA.DOMAIN
>     1 HOST/dc2.samba.domain at SAMBA.DOMAIN
>     1 DC2$@SAMBA.DOMAIN
>     1 HOST/dc2 at SAMBA.DOMAIN
>     1 HOST/dc2.samba.domain at SAMBA.DOMAIN
>     1 DC2$@SAMBA.DOMAIN
>     1 HOST/dc2 at SAMBA.DOMAIN
>     1 HOST/dc2.samba.domain at SAMBA.DOMAIN
>     1 DC2$@SAMBA.DOMAIN
>     1 HOST/dc2 at SAMBA.DOMAIN
>     1 HOST/dc2.samba.domain at SAMBA.DOMAIN
>     1 DC2$@SAMBA.DOMAIN
>     1 HOST/dc2 at SAMBA.DOMAIN
>     1 HOST/dc2.samba.domain at SAMBA.DOMAIN
>     1 DC2$@SAMBA.DOMAIN
>
> Do I have to update some configuration path to point to that file? Create a link? Or what else to check?
>
>
>

Are you running an ntp server on each DC? If not, I suggest you do.

How have you set up Bind? Can you post your named.conf files?

Rowland
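As an added example (not part of this thread or of Samba), a small POSIX sh check for two of the points raised above: each DC's /etc/resolv.conf should list the other DC first and itself second (a DC that lists only itself is 'islanded'), and log.samba can be scanned for the samba_dnsupdate TKEY rejections Jo posted. The resolv.conf contents and log lines below are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check a DC's resolver configuration and
# count samba_dnsupdate TKEY rejections in a log.samba excerpt.

# check_resolv <self_ip> <peer_ip> <resolv.conf text>
# Prints: ok | islanded | misordered | no-nameserver
check_resolv() {
    self="$1"; peer="$2"; conf="$3"
    # Positional params become the nameserver IPs in file order.
    set -- $(printf '%s\n' "$conf" | awk '$1 == "nameserver" { print $2 }')
    if [ "$#" -eq 0 ]; then echo "no-nameserver"; return 1; fi
    # Only itself listed: if this DC's own DNS breaks it cannot find its partner.
    if [ "$#" -eq 1 ] && [ "$1" = "$self" ]; then echo "islanded"; return 1; fi
    # Advice in the thread: other DC first, self second.
    if [ "$1" = "$peer" ] && [ "${2:-}" = "$self" ]; then echo "ok"; return 0; fi
    echo "misordered"; return 1
}

# count_tkey_failures <log text>: number of GSS-TSIG (TKEY) rejections logged
count_tkey_failures() {
    printf '%s\n' "$1" | grep -c 'dns_tkey_negotiategss: TKEY is unacceptable' || true
}

# Constructed sample inputs modelled on the files and log quoted in the thread.
DC1=192.168.177.21
DC2=192.168.177.22
RESOLV_AS_POSTED='nameserver 192.168.177.21
search samba.domain'
RESOLV_SUGGESTED='nameserver 192.168.177.22
nameserver 192.168.177.21
search samba.domain'
LOG_SAMPLE='[2016/06/05 14:28:12.674356,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
   /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2016/06/05 14:28:12.697076,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
   /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2016/06/05 14:28:12.756246,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
   ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL'

echo "dc1 resolv.conf as posted:  $(check_resolv "$DC1" "$DC2" "$RESOLV_AS_POSTED")"
echo "dc1 resolv.conf suggested:  $(check_resolv "$DC1" "$DC2" "$RESOLV_SUGGESTED")"
echo "TKEY rejections in sample:  $(count_tkey_failures "$LOG_SAMPLE")"
```

Run it on a real DC by substituting `"$(cat /etc/resolv.conf)"` and `"$(tail -n 200 /var/log/samba/log.samba)"` for the constructed strings; a non-zero TKEY count after fixing the resolver points back at the wiki page and the ntp question above.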