[Samba] samba_dnsupdate --verbose --all-names fails with kinit RuntimeError
Udo Willke
udo.willke at freenet.de
Thu Nov 24 15:36:15 UTC 2016
Hi,
in the meantime, I found a solution:
During the installation the SRV DNS queries had the following results
(documented in my wiki):
> root at addc01:~# host -t SRV _ldap._tcp.mydomain.lan
> _ldap._tcp.mydomain.lan has SRV record 0 100 389 addc01.mydomain.lan.
> root at addc01:~# host -t SRV _kerberos._udp.mydomain.lan
> _kerberos._udp.mydomain.lan has SRV record 0 100 88 addc01.mydomain.lan.
So, I tried the following:
> root at addc01:~# samba-tool dns add localhost mydomain.lan
> _ldap._tcp.mydomain.lan SRV "addc01.mydomain.lan 389 100 0" -P
> Record added successfully
> root at addc01:~# samba-tool dns add localhost mydomain.lan
> _kerberos._udp.mydomain.lan SRV "addc01.mydomain.lan 88 100 0" -P
> Record added successfully
The quoted string is in reverse order compared to the result of the DNS
query. Forcing an error in the samba-tool dns add-command
> ERROR: Data requires 4 elements - server, port, priority, weight
seems to suggest that this is the right order of the data in the quoted
string.
After this "samba_dnsupdate --verbose --all-names" worked again(!)
However, there is still a problem: samba_dnsupdate added a second entry
in the DNS for both names
> root at addc01:~# host -t SRV _ldap._tcp.mydomain.lan
> _ldap._tcp.mydomain.lan has SRV record 100 0 389 addc01.mydomain.lan.
> _ldap._tcp.mydomain.lan has SRV record 0 100 389 addc01.mydomain.lan.
>
> root at addc01:~# host -t SRV _kerberos._udp.mydomain.lan
> _kerberos._udp.mydomain.lan has SRV record 100 0 88 addc01.mydomain.lan.
> _kerberos._udp.mydomain.lan has SRV record 0 100 88 addc01.mydomain.lan.
so I suspect the right order in the quoted string should be
"addc01.mydomain.lan {88|389} 0 100" (although counterintuitive;
priority=0, weight=100!?!)
Removing the incorrect DNS entries was easier than expected:
> samba-tool dns delete localhost mydomain.lan _ldap._tcp.mydomain.lan
> SRV "addc01.mydomain.lan 389 100 0" -P
> samba-tool dns delete localhost mydomain.lan
> _kerberos._udp.mydomain.lan SRV "addc01.mydomain.lan 88 100 0" -P
Problem solved.
Best regards
Udo
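The confusing part above is that `host` prints SRV data as "priority weight port target" while samba-tool's data string is "server port priority weight". As an added example (not Udo's or the Samba project's code), this Python script parses `host -t SRV` output, builds the samba-tool data string, and flags the mirror-image records that the swapped order leaves behind; the sample output is constructed from the thread, and the expected priority/weight of 0/100 is taken from the records samba_dnsupdate created there.

```python
import re

# Constructed sample `host -t SRV` output modelled on the thread: the 100/0
# record was added with the data in host order, the 0/100 one by samba_dnsupdate.
HOST_OUTPUT = """\
_ldap._tcp.mydomain.lan has SRV record 100 0 389 addc01.mydomain.lan.
_ldap._tcp.mydomain.lan has SRV record 0 100 389 addc01.mydomain.lan.
_kerberos._udp.mydomain.lan has SRV record 100 0 88 addc01.mydomain.lan.
_kerberos._udp.mydomain.lan has SRV record 0 100 88 addc01.mydomain.lan.
"""

SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")

def parse_host_srv(text):
    """Parse host output into (name, priority, weight, port, target) tuples.
    host prints the RDATA in RFC 2782 order: priority weight port target."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append((name, int(prio), int(weight), int(port),
                            target.rstrip(".")))
    return records

def samba_data_string(priority, weight, port, target):
    """samba-tool dns add/delete wants 'server port priority weight' (the
    order its own error message names): host's fields reversed, not copied."""
    return f"{target} {port} {priority} {weight}"

def find_swapped_duplicates(records, expected=(0, 100)):
    """Return records whose priority/weight mirrors another record for the same
    name/port/target and differs from `expected` (0/100 in the thread)."""
    groups = {}
    for name, prio, weight, port, target in records:
        groups.setdefault((name, port, target), set()).add((prio, weight))
    bad = []
    for rec in records:
        name, prio, weight, port, target = rec
        if (prio, weight) != expected and \
                (weight, prio) in groups[(name, port, target)]:
            bad.append(rec)
    return bad

def delete_commands(zone, records, server="localhost"):
    """Build one samba-tool dns delete command per flagged record."""
    return [f'samba-tool dns delete {server} {zone} {name} SRV '
            f'"{samba_data_string(p, w, port, t)}" -P'
            for name, p, w, port, t in records]
```

Run it against the real `host -t SRV` output of a DC and compare the generated delete commands with the ones in the thread before executing anything.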
On 24.11.2016 at 13:46, Udo Willke via samba wrote:
> Hi everyone,
>
> unfortunately, I managed to break my Samba AD DC configuration :-( and
> would like to ask the experts on this list.
>
> When restarting my Samba AD DC I noticed that it didn't come up
> properly. samba outputs the following lines to /var/log/syslog:
>
>> Nov 24 12:46:52 addc01 samba[30784]: /usr/sbin/samba_dnsupdate:
>> RuntimeError: kinit for ADDC01$@MYDOMAIN.LAN failed (Cannot contact
>> any KDC for requested realm)
>>
>> Nov 24 12:46:52 addc01 samba[30784]:
>> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
>> NT_STATUS_ACCESS_DENIED
>>
>
> I followed the Samba wiki pages
>
> <https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates>
>
> and found that the dynamic DNS update doesn't work:
>
>> root at addc01:~# samba_dnsupdate --verbose --all-names
>> IPs: ['192.168.6.8']
>> Traceback (most recent call last):
>> File "/usr/sbin/samba_dnsupdate", line 621, in <module>
>> get_credentials(lp)
>> File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
>> raise e
>> RuntimeError: kinit for ADDC01$@MYDOMAIN.LAN failed (Cannot contact
>> any KDC for requested realm)
>>
>
> I also carried out the basic checks from
> <https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller>,
> where the lookup of the DNS Service Resource Records doesn't work either:
>
>> root at addc01:~# host -t SRV _ldap._tcp.mydomain.lan
>> Host _ldap._tcp.mydomain.lan not found: 3(NXDOMAIN)
>
>> root at addc01:~# host -t SRV _kerberos._udp.mydomain.lan
>> Host _kerberos._udp.mydomain.lan not found: 3(NXDOMAIN)
>
> The confusing fact is that I *can* obtain tickets from the KDC on the
> command line
>
>> root at addc01:~# kinit Administrator at MYDOMAIN.LAN
>> Password for Administrator at MYDOMAIN.LAN:
>> root at addc01:~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator at MYDOMAIN.LAN
>>
>> Valid starting Expires Service principal
>> 24.11.2016 12:46:04 24.11.2016 22:46:04
>> krbtgt/MYDOMAIN.LAN at MYDOMAIN.LAN
>> renew until 25.11.2016 12:46:00
>
> but not via the Python script samba_dnsupdate.
>
> I can't tell if this is a Kerberos or a DNS issue.
>
> My /etc/krb5.conf looks like this:
>
>> root at addc01:~# cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5.log
>>
>> [libdefaults]
>> default_realm = MYDOMAIN.LAN
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> [realms]
>> MYDOMAIN.LAN = {
>> kdc = 192.168.6.8:88
>> admin_server = 192.168.6.8:464
>> default_domain = MYDOMAIN.LAN
>> }
>>
>> [domain_realm]
>> .mydomain.lan = MYDOMAIN.LAN
>> mydomain.lan = MYDOMAIN.LAN
>
> Basic name service does work as well:
>
>> root at addc01:~# samba-tool dns query localhost mydomain.lan @ ALL -P
>> Name=, Records=3, Children=0
>> SOA: serial=8, refresh=900, retry=600, expire=86400, minttl=3600,
>> ns=addc01.mydomain.lan., email=hostmaster.mydomain.lan.
>> (flags=600000f0, serial=8, ttl=3600)
>> NS: addc01.mydomain.lan. (flags=600000f0, serial=6, ttl=3600)
>> A: 192.168.6.8 (flags=600000f0, serial=8, ttl=900)
>> Name=addc01, Records=1, Children=0
>> A: 192.168.6.8 (flags=f0, serial=2, ttl=900)
>> Name=Admin-PC, Records=1, Children=0
>> A: 192.168.6.56 (flags=f0, serial=8, ttl=1200)
>> Name=fileserver, Records=1, Children=0
>> A: 192.168.6.1 (flags=f0, serial=4, ttl=900)
>> Name=Workstation-1, Records=1, Children=0
>> A: 192.168.6.19 (flags=f0, serial=7, ttl=1200)
>
> The Bind9 service starts up with no suspicious messages:
>
>> Nov 24 11:36:51 addc01 systemd[1]: Started BIND Domain Name Server.
>> Nov 24 11:36:51 addc01 named[30541]: starting BIND 9.10.3-P4-Ubuntu
>> <id:ebd72b3> -f -u bind
>> Nov 24 11:36:51 addc01 named[30541]: built with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu'
>> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
>> '--localstatedir=/' '--enable-threads' '--enable-largefile'
>> '--with-libtool' '--enable-shared' '--enable-static'
>> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
>> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
>> '--enable-filter-aaaa' '--enable-native-pkcs11'
>> '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so'
>> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>> -Werror=format-security -fno-strict-aliasing
>> -fno-delete-null-pointer-checks -DNO_VERSION_DATE'
>> 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
>> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
>> Nov 24 11:36:51 addc01 named[30541]:
>> ----------------------------------------------------
>> Nov 24 11:36:51 addc01 named[30541]: BIND 9 is maintained by Internet
>> Systems Consortium,
>> Nov 24 11:36:51 addc01 named[30541]: Inc. (ISC), a non-profit
>> 501(c)(3) public-benefit
>> Nov 24 11:36:51 addc01 named[30541]: corporation. Support and
>> training for BIND 9 are
>> Nov 24 11:36:51 addc01 named[30541]: available at
>> https://www.isc.org/support
>> Nov 24 11:36:51 addc01 named[30541]:
>> ----------------------------------------------------
>> Nov 24 11:36:51 addc01 named[30541]: adjusted limit on open files
>> from 4096 to 1048576
>> Nov 24 11:36:51 addc01 named[30541]: found 2 CPUs, using 2 worker
>> threads
>> Nov 24 11:36:51 addc01 named[30541]: using 2 UDP listeners per interface
>> Nov 24 11:36:51 addc01 named[30541]: using up to 4096 sockets
>> Nov 24 11:36:51 addc01 named[30541]: loading configuration from
>> '/etc/bind/named.conf'
>> Nov 24 11:36:51 addc01 named[30541]: reading built-in trusted keys
>> from file '/etc/bind/bind.keys'
>> Nov 24 11:36:51 addc01 named[30541]: initializing GeoIP Country
>> (IPv4) (type 1) DB
>> Nov 24 11:36:51 addc01 named[30541]: GEO-106FREE 20160408 Bu
>> Nov 24 11:36:51 addc01 named[30541]: initializing GeoIP Country
>> (IPv6) (type 12) DB
>> Nov 24 11:36:51 addc01 named[30541]: GEO-106FREE 20160408 Bu
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv4) (type 2) DB
>> not available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv4) (type 6) DB
>> not available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv6) (type 30) DB
>> not available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv6) (type 31) DB
>> not available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP Region (type 3) DB not
>> available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP Region (type 7) DB not
>> available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP ISP (type 4) DB not available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP Org (type 5) DB not available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP AS (type 9) DB not available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP Domain (type 11) DB not
>> available
>> Nov 24 11:36:51 addc01 named[30541]: GeoIP NetSpeed (type 10) DB not
>> available
>> Nov 24 11:36:51 addc01 named[30541]: using default UDP/IPv4 port
>> range: [32768, 60999]
>> Nov 24 11:36:51 addc01 named[30541]: using default UDP/IPv6 port
>> range: [32768, 60999]
>> Nov 24 11:36:51 addc01 named[30541]: listening on IPv6 interfaces,
>> port 53
>> Nov 24 11:36:51 addc01 named[30541]: listening on IPv4 interface lo,
>> 127.0.0.1#53
>> Nov 24 11:36:51 addc01 named[30541]: listening on IPv4 interface
>> ens32, 192.168.6.8#53
>> Nov 24 11:36:51 addc01 named[30541]: generating session key for
>> dynamic DNS
>> Nov 24 11:36:51 addc01 named[30541]: sizing zone task pool based on 5
>> zones
>> Nov 24 11:36:51 addc01 named[30541]: Loading 'AD DNS Zone' using
>> driver dlopen
>> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: started for DN
>> DC=mydomain,DC=lan
>> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: starting configure
>> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable
>> zone '6.168.192.in-addr.arpa'
>> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable
>> zone 'mydomain.lan'
>> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable
>> zone '_msdcs.mydomain.lan'
>> Nov 24 11:36:51 addc01 named[30541]: set up managed keys zone for
>> view _default, file 'managed-keys.bind'
>> Nov 24 11:36:51 addc01 named[30541]: command channel listening on
>> 127.0.0.1#953
>> Nov 24 11:36:51 addc01 named[30541]: managed-keys-zone: loaded serial 8
>> Nov 24 11:36:51 addc01 named[30541]: zone 0.in-addr.arpa/IN: loaded
>> serial 1
>> Nov 24 11:36:51 addc01 named[30541]: zone 255.in-addr.arpa/IN: loaded
>> serial 1
>> Nov 24 11:36:51 addc01 named[30541]: zone 127.in-addr.arpa/IN: loaded
>> serial 1
>> Nov 24 11:36:51 addc01 named[30541]: zone localhost/IN: loaded serial 2
>> Nov 24 11:36:51 addc01 named[30541]: all zones loaded
>> Nov 24 11:36:51 addc01 named[30541]: running
>
> The AD DC runs on Ubuntu 16.04 LTS with Samba packages from their
> repository (at the moment version 4.3.11-Ubuntu). I provisioned the
> DC with the command:
>
>> samba-tool domain provision --use-rfc2307 --function-level=2008_R2
>> --dns-backend=BIND9_DLZ ...
>
> My internet searches didn't help to solve my problem; therefore any
> new ideas would be highly appreciated.
>
> Many thanks in advance
>
> Udo