[Samba] Samba4 - Cannot contact any KDC for requested realm

Rowland penny rpenny at samba.org
Tue Mar 22 14:57:13 UTC 2016


On 22/03/16 14:38, Daniele Manfredi wrote:
> On 22/03/2016 14.45, Rowland penny wrote:
>> On 22/03/16 13:35, Daniele Manfredi wrote:
>>> Good afternoon,
>>> I have installed a fileserver with a samba4 environment.
>>> This is configured to work as an AD DC even if I only use it as a 
>>> fileserver (at the moment).
>>> All seems to work fine but, every 10 minutes, the log prints these 
>>> messages:
>>>
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 
>>> 11:53:17.557554,  0] 
>>> ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: 
>>> /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call 
>>> last):
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 
>>> 11:53:17.557717,  0] 
>>> ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: 
>>> /usr/local/samba/sbin/samba_dnsupdate:   File 
>>> "/usr/local/samba/sbin/samba_dnsupdate", line 614, in <module>
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 
>>> 11:53:17.557790,  0] 
>>> ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: 
>>> /usr/local/samba/sbin/samba_dnsupdate:     get_credentials(lp)
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 
>>> 11:53:17.557825,  0] 
>>> ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: 
>>> /usr/local/samba/sbin/samba_dnsupdate:   File 
>>> "/usr/local/samba/sbin/samba_dnsupdate", line 125, in get_credentials
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 
>>> 11:53:17.557867,  0] 
>>> ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: 
>>> /usr/local/samba/sbin/samba_dnsupdate:     raise e
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 
>>> 11:53:17.557896,  0] 
>>> ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: 
>>> /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for 
>>> FILESERVER$@MYDOMAIN.IT failed (Cannot contact any KDC for requested 
>>> realm)
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 
>>> 11:53:17.557967,  0] 
>>> ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: 
>>> /usr/local/samba/sbin/samba_dnsupdate:
>>>
>>>
>>> Following, some configuration files that may help you to understand 
>>> the problem.
>>>
>>> /etc/krb5.conf and /usr/local/samba/private/krb5.conf:
>>>
>>> [libdefaults]
>>>         default_realm = MYDOMAIN.IT
>>>         dns_lookup_realm = false
>>>         dns_lookup_kdc = true
>>>
>>> smb.conf
>>>
>>> # Global parameters
>>> [global]
>>>         realm = mydomain.it
>>>         server role = active directory domain controller
>>>         server services = -dns
>>>         printcap name = /dev/null
>>>         unix extensions = no
>>>         printing = bsd
>>>         dns forwarder = 8.8.8.8
>>>         workgroup = MYDOMAIN
>>>         os level = 255
>>>         interfaces = 192.168.0.221/255.255.255.0
>>>         load printers = no
>>>         netbios name = FILESERVER
>>>         winbind use default domain = yes
>>>         winbind trusted domains only = no
>>>
>>> Thank you in advance for your help.
>>> Daniele
>>>
>>>
>>>
>>
>> OK, you have this:
>>
>>         server services = -dns
>>
>> and this:
>>
>>         dns forwarder = 8.8.8.8
>>
>> Is Bind9 running on the DC ?
>> If it is, is it setup correctly ?
>>
>> What is in /etc/resolv.conf ?
>>
>> Rowland
>>
>>
> Yes,
> Bind9 is up and running.
>
> Following, Bind9 configuration files:
>
> /etc/bind/named.conf:
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/usr/local/samba/private/named.conf";
>
> /etc/bind/named.conf.options:
>
> options {
>         directory "/var/cache/bind";
>
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you may need to fix the firewall to allow multiple
>         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the addresses replacing
>         // the all-0's placeholder.
>
> forwarders {
>         8.8.8.8;
>         8.8.4.4;
>
>  };
>
>
> //======================================================================== 
>
>         // If BIND logs error messages about the root key being expired,
>         // you will need to update your keys.  See 
> https://www.isc.org/bind-keys
> //======================================================================== 
>
>         // dnssec-validation auto;
>
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; # for samba4
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on-v6 { any; };
> };
>
> /etc/bind/named.conf.local: (all commented out: I tried to make zones but 
> it seems to be wrong...)
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> #zone "mydomain.it" IN {
> #       type master;
> #       file "/etc/bind/zones/mydomain.it.hosts";
> #};
> #
> #zone "0.168.192.in-addr.arpa" {
> #       type master;
> #       file "/etc/bind/zones/0.168.192.in-addr.arpa";
> #};
>
>
> /etc/bind/named.conf.default-zones:
>
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
>
> /usr/local/samba/private/named.conf:
>
> dlz "AD DNS Zone" {
>     # For BIND 9.8.x
>     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
>
>     # For BIND 9.9.x
>      database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
>
>     # For BIND 9.10.x
>     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";
> };
>
>
> /etc/resolv.conf
>
> nameserver 8.8.8.8
> nameserver 127.0.0.1
> #nameserver 192.168.2.221
> nameserver 192.168.0.221
> domain  MYDOMAIN.IT

Everything looks ok apart from your /etc/resolv.conf. I would suggest 
you change it to:

nameserver 127.0.0.1
search mydomain.it

Remove the forwarder line from smb.conf, you only need it if you are 
using the internal DNS server. Talking of which, did you provision with 
the internal DNS server and then change to Bind9 ?
If you did, have you read this Samba wiki page:

https://wiki.samba.org/index.php/Changing_the_DNS_backend

Rowland
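The reason the resolv.conf order matters, as an added example that is not part of the thread: with `dns_lookup_kdc = true` the DC's own kinit locates the KDC through the `_kerberos._udp.<realm>` SRV record, and the libc stub resolver hands that query to the first nameserver listed, so 8.8.8.8 answers NXDOMAIN for the private realm and nothing ever reaches Bind9. The script below parses a constructed copy of the posted resolv.conf and reports what would stop the DC from finding its KDC; the realm and DC addresses are taken from the thread, and the check itself is mine, not Samba's.

```python
"""Audit resolv.conf on a Samba AD DC (added example, not from the thread).

With dns_lookup_kdc = true, Kerberos finds the KDC via the SRV record
_kerberos._udp.<realm>. The libc stub resolver sends that query to the FIRST
nameserver in resolv.conf and only tries the next one after a timeout, never
after a negative answer, so a public resolver listed first (8.8.8.8) answers
NXDOMAIN for the private realm and kinit cannot contact any KDC.
"""
REALM = "MYDOMAIN.IT"                            # realm from the thread
DC_NAMESERVERS = {"127.0.0.1", "192.168.0.221"}  # Bind9 on the DC itself
MAX_NS = 3                                       # glibc stops after 3 entries

# Constructed copy of the resolv.conf posted in the thread.
SAMPLE_RESOLV_CONF = """\
nameserver 8.8.8.8
nameserver 127.0.0.1
#nameserver 192.168.2.221
nameserver 192.168.0.221
domain  MYDOMAIN.IT
"""

def parse_resolv_conf(text):
    """Return (nameservers, search list). '#' and ';' start comments; the
    last 'domain' or 'search' line wins, as in glibc."""
    nameservers, search = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] in ("domain", "search"):
            search = fields[1:]
    return nameservers, search

def audit(text, realm=REALM, dc_nameservers=DC_NAMESERVERS):
    """List what would stop this DC from locating its own KDC."""
    nameservers, search = parse_resolv_conf(text)
    problems = []
    if not nameservers:
        problems.append("no nameserver configured")
    elif nameservers[0] not in dc_nameservers:
        problems.append(f"first nameserver {nameservers[0]} cannot answer for "
                        f"_kerberos._udp.{realm.lower()}; list the DC first")
    if len(nameservers) > MAX_NS:
        problems.append(f"entries after the first {MAX_NS} are ignored")
    if realm.lower() not in (s.lower() for s in search):
        problems.append(f"search/domain does not include {realm.lower()}")
    return problems
```

On the DC itself the live counterpart is `dig SRV _kerberos._udp.mydomain.it @127.0.0.1`, which should return the DC's host name on port 88 once Bind9 serves the AD zone.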


