[Samba] Samba43 Kerberos issues

mathias dufresne infractory at gmail.com
Thu Mar 24 13:33:05 UTC 2016


Hi Juan,

I reply below, but the information requested by Rowland is still needed (or at
least it will be helpful).

2016-03-22 8:44 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 22/03/16 05:24, Juan Garcia wrote:
>
>> Hi There,
>>
>> I have an odd issue with my samba4 infrastructure, I have two servers
>> both replicating fine.
>> DC1 passes all tests documented here:
>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>> Except the following test:
>>
>> # kinit administrator
>> # kinit: krb5_get_init_creds: Client (administrator at DOMAIN.NAME.COM.AU)
>> unknown
>>
>
> The wiki page says run 'kinit administrator at DOMAIN.NAME.COM.AU', does
> this work?
> What is in /etc/krb5.conf ?
>
> What is in /etc/resolv.conf ?
> Does each DC use the other for DNS ?
>
> Can you post your smb.conf files ?
>
> Rowland
>
>
>
>> And in the logs I have found the following:
>>
>> # kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in
>> Kerberos database)
>> SERVER1 is my DC1. Not sure why it has a $ right before the @; is this
>> normal?
>> I get the same error when running
>>
>> # samba_dnsupdate --verbose --all-names
>> IPs: ['0.0.0.0'] -> shows the real DC1 ip address
>> Traceback (most recent call last):
>>   File "/usr/local/sbin/samba_dnsupdate", line 621, in <module>
>>     get_credentials(lp)
>>   File "/usr/local/sbin/samba_dnsupdate", line 125, in get_credentials
>>     raise e
>> RuntimeError: kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not
>> found in Kerberos database)
>>
>> Not sure if this is useful but I have run:
>>
>> # samba_dnsupdate --verbose --all-names --no-credentials
>>
>> Calling nsupdate for A server1.domain.name.com.au 0.0.0.0 (add) -> Both
>> lines don't show 0.0.0.0, they show the real ip address
>> Failed nsupdate: A server1.domain.name.com.au 0.0.0.0 : [Errno 2] No
>> such file or directory
>>
>> And it keeps trying to find those files all with the same error:
>> [Errno 2] No such file or directory
>>
>> Calling nsupdate for A gc._msdcs.a
>> Calling nsupdate for SRV _gc._tcp.
>>
>> Last thing that I found
>> On DC1
>> # ps ax | grep samba
>> 38636  -  Is      0:00.40 /usr/local/sbin/samba --daemon
>> --configfile=/usr/local/etc/smb4.conf
>> 38637  -  I       0:00.00 samba: task[s3fs_parent] (samba)
>> 38638  -  S       0:27.24 samba: task[dcesrv] (samba)
>> 38640  -  I       0:00.01 samba: task wrepl server_id[38640] (samba)
>> 38641  -  I       0:08.63 samba: task[ldapsrv] (samba)
>> 38642  -  S       0:00.07 samba: task[cldapd] (samba)
>> 38644  -  S       1:04.27 samba: task[dreplsrv] (samba)
>> 38645  -  I       0:00.00 samba: task[winbindd_parent] (samba)
>> 38646  -  I       0:00.01 samba: task[ntp_signd] (samba)
>> 38648  -  I       0:03.79 samba: task[kccsrv] (samba)
>> 38649  -  S       0:00.89 samba: task[dnsupdate] (samba)
>> 38650  -  I       0:04.54 samba: task[dns] (samba)
>>
>> on DC2
>> # ps ax | grep samba
>> 11108  -  Ss       0:00.41 /usr/local/sbin/samba --daemon
>> --configfile=/usr/local/etc/smb4.conf
>> 11109  -  I        0:00.00 samba: task[s3fs_parent] (samba)
>> 11110  -  S        0:02.74 samba: task[dcesrv] (samba)
>> 11112  -  S        0:00.00 samba: task wrepl server_id[11112] (samba)
>> 11113  -  I        0:01.77 samba: task[ldapsrv] (samba)
>> 11114  -  S        0:00.19 samba: task[cldapd] (samba)
>> 11115  -  I        0:00.44 samba: task[kdc] (samba)
>> 11116  -  S        0:01.07 samba: task[dreplsrv] (samba)
>> 11117  -  I        0:00.00 samba: task[winbindd_parent] (samba)
>> 11118  -  S        0:00.00 samba: task[ntp_signd] (samba)
>> 11120  -  I        0:00.43 samba: task[kccsrv] (samba)
>> 11121  -  S        0:00.04 samba: task[dnsupdate] (samba)
>> 11122  -  S        0:00.01 samba: task[dns] (samba)
>>
>> As you can see, task[kdc] (samba) is not running on DC1. I'm pretty sure
>> this has something to do with my issues, but I'm not sure how to fix it. I
>> appreciate your help, and thanks in advance for reading this.
>>
>
KDC is the Key Distribution Center from Kerberos, so I think as you do: the
issue could come from there.

You can force your client to use DC2 to verify that the issue comes from DC1
only. You will have to force the use of DC2 in your krb5.conf (no example
from my side, so you will need to look for an example by yourself :)

As useful information, you could also tell us if you use the internal DNS or
the Bind-DLZ DNS backend. That's important.

About samba_dnsupdate using --no-credentials:
About the DNS update issue on _gc._tcp: no idea.
About the DNS update issue on the _msdcs zone: you must be authenticated to
modify that zone.

Using "testparm -v | grep nsupdate" you should see how your samba server is
configured regarding how it sends DNS updates.
Using vi on samba_dnsupdate, commenting out around line 408 (unlink(tmp) or
something like that), you will find /tmp/tmp* files containing nsupdate
commands. These files are generated by samba_dnsupdate and used by nsupdate.

Then you will be able to launch updates manually, for debugging or at least
to understand things better. And come back here with more information : )

Cheers,

mathias

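The isolation step Mathias suggests (pin the client to one KDC, then compare DC1 with DC2), as an added example that is not part of the thread: the function names write_krb5_conf, kinit_via_kdc and has_kdc_task are hypothetical, and the realm and hostnames follow the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# realm and hostnames follow the post.

# Emit a minimal krb5.conf that pins the realm to ONE KDC and turns off
# DNS-based KDC discovery, so kinit cannot silently fail over to the other DC.
write_krb5_conf() {
    realm=$1; kdc=$2
    printf '[libdefaults]\n\tdefault_realm = %s\n' "$realm"
    printf '\tdns_lookup_kdc = false\n\tdns_lookup_realm = false\n\n'
    printf '[realms]\n\t%s = {\n\t\tkdc = %s\n\t\tadmin_server = %s\n\t}\n' \
        "$realm" "$kdc" "$kdc"
}

# Request a TGT for USER from one specific KDC, in the user@REALM form the
# wiki prescribes. Returns kinit's exit status, or 2 if kinit is not installed.
kinit_via_kdc() {
    realm=$1; kdc=$2; user=$3
    command -v kinit >/dev/null 2>&1 || return 2
    conf=$(mktemp) || return 2
    write_krb5_conf "$realm" "$kdc" > "$conf"
    if KRB5_CONFIG=$conf kinit "$user@$realm"; then rc=0; else rc=$?; fi
    rm -f "$conf"
    return "$rc"
}

# Given "ps ax" output, report whether the samba KDC task is present
# (the task that is missing from the DC1 listing in the post).
has_kdc_task() {
    printf '%s\n' "$1" | grep -q 'samba: task\[kdc\]'
}

# Constructed samples, shortened from the DC1/DC2 process listings in the post.
DC1_PS='38636  -  Is      0:00.40 /usr/local/sbin/samba --daemon
38642  -  S       0:00.07 samba: task[cldapd] (samba)
38650  -  I       0:04.54 samba: task[dns] (samba)'
DC2_PS='11108  -  Ss       0:00.41 /usr/local/sbin/samba --daemon
11115  -  I        0:00.44 samba: task[kdc] (samba)
11122  -  S        0:00.01 samba: task[dns] (samba)'

# Usage: sh kdc_check.sh DOMAIN.NAME.COM.AU dc2.domain.name.com.au administrator
# Run once per DC; if DC2 issues a ticket and DC1 does not, the fault is on DC1.
if [ "$#" -eq 3 ]; then
    if kinit_via_kdc "$1" "$2" "$3"; then
        echo "TGT for $3@$1 obtained via $2"
    else
        echo "kinit for $3@$1 via $2 failed (rc=$?)"
    fi
fi
```

Run the same script against each DC's hostname in turn; a ticket from DC2 but not from DC1 matches the missing task[kdc] on DC1 in the listings above.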