[Samba] samba_dnsupdate --verbose --all-names fails with kinit RuntimeError

Udo Willke udo.willke at freenet.de
Thu Nov 24 12:46:47 UTC 2016


Hi everyone,

unfortunately, I managed to break my Samba AD DC configuration :-( and 
would like to ask the experts on this list.

When restarting my Samba AD DC I noticed that it didn't come up 
properly. Samba outputs the following lines to /var/log/syslog:

> Nov 24 12:46:52 addc01 samba[30784]: /usr/sbin/samba_dnsupdate: 
> RuntimeError: kinit for ADDC01$@MYDOMAIN.LAN failed (Cannot contact 
> any KDC for requested realm)
>
> Nov 24 12:46:52 addc01 samba[30784]: 
> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - 
> NT_STATUS_ACCESS_DENIED
>

I followed the Samba wiki pages

<https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates>

and found that the dynamic DNS update doesn't work:

> root at addc01:~# samba_dnsupdate --verbose --all-names
> IPs: ['192.168.6.8']
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 621, in <module>
>     get_credentials(lp)
>   File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
>     raise e
> RuntimeError: kinit for ADDC01$@MYDOMAIN.LAN failed (Cannot contact 
> any KDC for requested realm)
>

I also carried out the basic checks from 
<https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller>, 

where the lookup of the DNS service resource records doesn't work either:

> root at addc01:~# host -t SRV _ldap._tcp.mydomain.lan
> Host _ldap._tcp.mydomain.lan not found: 3(NXDOMAIN)

> root at addc01:~# host -t SRV _kerberos._udp.mydomain.lan
> Host _kerberos._udp.mydomain.lan not found: 3(NXDOMAIN)

The confusing fact is that I *can* obtain tickets from the KDC on the 
command line

> root at addc01:~# kinit Administrator at MYDOMAIN.LAN
> Password for Administrator at MYDOMAIN.LAN:
> root at addc01:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at MYDOMAIN.LAN
>
> Valid starting       Expires              Service principal
> 24.11.2016 12:46:04  24.11.2016 22:46:04 krbtgt/MYDOMAIN.LAN at MYDOMAIN.LAN
>         renew until 25.11.2016 12:46:00

but not via the Python script samba_dnsupdate.

I can't tell if this is a Kerberos or a DNS issue.

My /etc/krb5.conf looks like this:

> root at addc01:~# cat /etc/krb5.conf
> [logging]
>     default = FILE:/var/log/krb5.log
>
> [libdefaults]
>         default_realm = MYDOMAIN.LAN
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> [realms]
>     MYDOMAIN.LAN = {
>         kdc = 192.168.6.8:88
>         admin_server = 192.168.6.8:464
>         default_domain = MYDOMAIN.LAN
>     }
>
> [domain_realm]
>     .mydomain.lan = MYDOMAIN.LAN
>     mydomain.lan = MYDOMAIN.LAN

Basic name service works as well:

> root at addc01:~# samba-tool dns query localhost mydomain.lan @ ALL -P
>   Name=, Records=3, Children=0
>     SOA: serial=8, refresh=900, retry=600, expire=86400, minttl=3600, 
> ns=addc01.mydomain.lan., email=hostmaster.mydomain.lan. 
> (flags=600000f0, serial=8, ttl=3600)
>     NS: addc01.mydomain.lan. (flags=600000f0, serial=6, ttl=3600)
>     A: 192.168.6.8 (flags=600000f0, serial=8, ttl=900)
>   Name=addc01, Records=1, Children=0
>     A: 192.168.6.8 (flags=f0, serial=2, ttl=900)
>   Name=Admin-PC, Records=1, Children=0
>     A: 192.168.6.56 (flags=f0, serial=8, ttl=1200)
>   Name=fileserver, Records=1, Children=0
>     A: 192.168.6.1 (flags=f0, serial=4, ttl=900)
>   Name=Workstation-1, Records=1, Children=0
>     A: 192.168.6.19 (flags=f0, serial=7, ttl=1200)

The Bind9 service starts up with no suspicious messages

> Nov 24 11:36:51 addc01 systemd[1]: Started BIND Domain Name Server.
> Nov 24 11:36:51 addc01 named[30541]: starting BIND 9.10.3-P4-Ubuntu 
> <id:ebd72b3> -f -u bind
> Nov 24 11:36:51 addc01 named[30541]: built with '--prefix=/usr' 
> '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' 
> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' 
> '--localstatedir=/' '--enable-threads' '--enable-largefile' 
> '--with-libtool' '--enable-shared' '--enable-static' 
> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' 
> '--enable-filter-aaaa' '--enable-native-pkcs11' 
> '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 
> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat 
> -Werror=format-security -fno-strict-aliasing 
> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 
> 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
> Nov 24 11:36:51 addc01 named[30541]: 
> ----------------------------------------------------
> Nov 24 11:36:51 addc01 named[30541]: BIND 9 is maintained by Internet 
> Systems Consortium,
> Nov 24 11:36:51 addc01 named[30541]: Inc. (ISC), a non-profit 
> 501(c)(3) public-benefit
> Nov 24 11:36:51 addc01 named[30541]: corporation.  Support and 
> training for BIND 9 are
> Nov 24 11:36:51 addc01 named[30541]: available at 
> https://www.isc.org/support
> Nov 24 11:36:51 addc01 named[30541]: 
> ----------------------------------------------------
> Nov 24 11:36:51 addc01 named[30541]: adjusted limit on open files from 
> 4096 to 1048576
> Nov 24 11:36:51 addc01 named[30541]: found 2 CPUs, using 2 worker threads
> Nov 24 11:36:51 addc01 named[30541]: using 2 UDP listeners per interface
> Nov 24 11:36:51 addc01 named[30541]: using up to 4096 sockets
> Nov 24 11:36:51 addc01 named[30541]: loading configuration from 
> '/etc/bind/named.conf'
> Nov 24 11:36:51 addc01 named[30541]: reading built-in trusted keys 
> from file '/etc/bind/bind.keys'
> Nov 24 11:36:51 addc01 named[30541]: initializing GeoIP Country (IPv4) 
> (type 1) DB
> Nov 24 11:36:51 addc01 named[30541]: GEO-106FREE 20160408 Bu
> Nov 24 11:36:51 addc01 named[30541]: initializing GeoIP Country (IPv6) 
> (type 12) DB
> Nov 24 11:36:51 addc01 named[30541]: GEO-106FREE 20160408 Bu
> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv4) (type 2) DB not 
> available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv4) (type 6) DB not 
> available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv6) (type 30) DB 
> not available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv6) (type 31) DB 
> not available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP Region (type 3) DB not 
> available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP Region (type 7) DB not 
> available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP ISP (type 4) DB not available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP Org (type 5) DB not available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP AS (type 9) DB not available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP Domain (type 11) DB not 
> available
> Nov 24 11:36:51 addc01 named[30541]: GeoIP NetSpeed (type 10) DB not 
> available
> Nov 24 11:36:51 addc01 named[30541]: using default UDP/IPv4 port 
> range: [32768, 60999]
> Nov 24 11:36:51 addc01 named[30541]: using default UDP/IPv6 port 
> range: [32768, 60999]
> Nov 24 11:36:51 addc01 named[30541]: listening on IPv6 interfaces, port 53
> Nov 24 11:36:51 addc01 named[30541]: listening on IPv4 interface lo, 
> 127.0.0.1#53
> Nov 24 11:36:51 addc01 named[30541]: listening on IPv4 interface 
> ens32, 192.168.6.8#53
> Nov 24 11:36:51 addc01 named[30541]: generating session key for 
> dynamic DNS
> Nov 24 11:36:51 addc01 named[30541]: sizing zone task pool based on 5 
> zones
> Nov 24 11:36:51 addc01 named[30541]: Loading 'AD DNS Zone' using 
> driver dlopen
> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: started for DN 
> DC=mydomain,DC=lan
> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: starting configure
> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable 
> zone '6.168.192.in-addr.arpa'
> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable 
> zone 'mydomain.lan'
> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable 
> zone '_msdcs.mydomain.lan'
> Nov 24 11:36:51 addc01 named[30541]: set up managed keys zone for view 
> _default, file 'managed-keys.bind'
> Nov 24 11:36:51 addc01 named[30541]: command channel listening on 
> 127.0.0.1#953
> Nov 24 11:36:51 addc01 named[30541]: managed-keys-zone: loaded serial 8
> Nov 24 11:36:51 addc01 named[30541]: zone 0.in-addr.arpa/IN: loaded 
> serial 1
> Nov 24 11:36:51 addc01 named[30541]: zone 255.in-addr.arpa/IN: loaded 
> serial 1
> Nov 24 11:36:51 addc01 named[30541]: zone 127.in-addr.arpa/IN: loaded 
> serial 1
> Nov 24 11:36:51 addc01 named[30541]: zone localhost/IN: loaded serial 2
> Nov 24 11:36:51 addc01 named[30541]: all zones loaded
> Nov 24 11:36:51 addc01 named[30541]: running

The AD DC runs on Ubuntu 16.04 LTS with Samba packages from their 
repository (at the moment version 4.3.11-Ubuntu). I provisioned the DC 
with the command

> samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --dns-backend=BIND9_DLZ ...

My internet searches didn't help to solve my problem, so any new 
ideas would be highly appreciated.

Many thanks in advance

Udo
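The mail shows `kinit` succeeding through the hard-coded `kdc =` line in /etc/krb5.conf while the SRV lookups for the realm return NXDOMAIN; the script below, added here and not part of Udo's mail or of Samba, queries the SRV names a Samba AD DC publishes so an admin can see at a glance which ones are missing from the zone. It assumes the DC's DNS listens on UDP/53 at the address given on the command line and builds and parses the DNS wire format by hand because the Python standard library has no SRV resolver.

```python
"""Probe the AD SRV records Samba's Kerberos client needs to locate a KDC."""
import socket
import struct
import sys

# SRV names a Samba AD DC publishes under its realm; samba_dnsupdate creates them.
SRV_NAMES = ("_ldap._tcp", "_kerberos._udp", "_kerberos._tcp", "_kpasswd._udp", "_ldap._tcp.dc._msdcs")

def build_srv_query(name, txid=0x1234):
    """Return a DNS query packet (RD set) for one SRV record, class IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD; one question
    return header + qname + struct.pack(">HH", 33, 1)             # QTYPE SRV=33, QCLASS IN

def _read_name(pkt, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    n = pkt[off]
    if n & 0xC0 == 0xC0:                       # pointer: rest of the name lives elsewhere
        target = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
        return _read_name(pkt, target)[0], off + 2
    if n == 0:
        return "", off + 1
    rest, end = _read_name(pkt, off + 1 + n)
    return ".".join(filter(None, [pkt[off + 1:off + 1 + n].decode(), rest])), end

def parse_srv_answer(pkt):
    """Return (rcode, [(priority, weight, port, target), ...]) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off, rrs = 12, []
    for _ in range(qd):                        # skip the echoed question section
        off = _read_name(pkt, off)[1] + 4
    for _ in range(an):
        off = _read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        if rtype == 33:
            prio, weight, port = struct.unpack(">HHH", pkt[rdata:rdata + 6])
            rrs.append((prio, weight, port, _read_name(pkt, rdata + 6)[0]))
    return flags & 0xF, rrs                    # rcode 3 means NXDOMAIN

def query_srv(server, name, timeout=2.0):
    """Send one SRV query over UDP/53 to `server` and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server, 53))
        return parse_srv_answer(s.recv(4096))

if __name__ == "__main__":                     # usage: script.py 192.168.6.8 mydomain.lan
    for n in SRV_NAMES:
        print(n, query_srv(sys.argv[1], n + "." + sys.argv[2].lower()))
```

On a healthy DC every name prints rcode 0 with at least one `(priority, weight, port, target)` tuple pointing at the DC; a 3 (NXDOMAIN), as in the `host -t SRV` output above, means the zone lacks the record and any Kerberos client relying on DNS KDC discovery will fail.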
