[Samba] UNSOLVED: Difficulties with Windows XP: failed to find cifs/fileserver.y.z at Y.Z in keytab (arcfour-hmac-md5)

Rowland Penny rpenny at samba.org
Tue Jan 17 14:29:43 UTC 2017

On Tue, 17 Jan 2017 05:54:41 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:

> No, I have dhcp and a full bind9 serving master zones forward and
> reverse, with the exception of the _msdcs... SOA, which I let only
> forward and it seems enough...

I have been using BIND_DLZ and DHCP updating the Samba AD database for
the last 4 years without problem.

> The configs are static, no dynamic updates, and I generate the dhcp
> config and the zones by script, if something changes.

Why not just get DHCP to do the updates for you?

> With all the complexity you think exists in my unsupported
> configuration you will laugh, but I try to keep things simple and
> stupid, so I can grasp all the little I do :)

I don't think your setup is simple.

> - First I wish to stay with a single dns name space with only a part
> of it in the AD, but BIND_DLZ should serve a separate sub-zone for
> the AD.

This will probably never work correctly, you should set up your AD as a
subdomain of your main domain i.e. if your main domain is example.com,
you would use samdom.example.com for your AD domain.

> - Doing dns and dns-updates through samba could be a source of error
> and frustration, as I read sometimes in questions here in the mailing
> list or other places in forums.

I have never had any errors.

> So I say to my clients to not do dns-updates, because I already have
> everything possible in DNS.

Quite right, your Windows clients shouldn't be allowed to update their
own records, DHCP should do it for them ;-)

> Equally, I feel positive that no service is trying to modify the
> configuration of another service. I simply avoid this, and the need
> to deal with special kerberos service users and keys, or to tamper
> with apparmor, is gone too.

You need to learn about kerberos; this is another of those things that
AD relies on, and kerberos relies on DNS and time. Just a thought: you
are running an ntp server on the DC, aren't you?

> - At the beginning I sniffed with dns_update which records and SOA
> samba additionally needs on this machine, and this is a one-time
> addition to the zones in bind.

I will say it again, using bind9 with flat files is NOT supported.

> - I learned afterwards which DNS records should be added if I join a
> second DC to the AD.
> - It seemed to me (reading different postings) that samba still has
> a bug with doing this automatically, so one has to add the
> _ldap.. , objectGUID addresses and the other records of the new DC
> oneself anyway.

Well, yes and no: the records aren't created by the join, but they are
created when Samba is restarted on the joined DC. They wouldn't be
on any Samba set up your way, because you have turned off dnsupdate!

> So, I see it really simpler this way.

No, it isn't.

> I'm sorry that this will always be a source of discord here with
> any other question, related or unrelated to DNS.
> I still do not think that the original problem was caused by the
> program which serves DNS, otherwise it would have disturbed all other
> test-clients.

I am fairly convinced it is a DNS problem and as you are using an
unsupported DNS, well, it is your domain and you can do as you like.
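The thread turns on which DNS records a DC registers at start-up (via samba_dnsupdate) and which a hand-generated BIND zone therefore has to carry. The script below is an added example for this page, not Samba code: it reads a flat zone file and reports which of the records a second DC needs are missing. The record list is an assumption drawn from the standard AD set (the _ldap and objectGUID records named in the thread plus the Kerberos/kpasswd SRV records); the domain samdom.example.com, hosts dc1/dc2, addresses, GUIDs and the sample zone are all constructed.

```python
"""Check a flat BIND zone for the records a Samba AD DC registers.

Added example for this mailing-list thread, not part of Samba. Samba's own
samba_dnsupdate creates these records when the DC starts; an admin who
generates zones by script (as in the thread) has to add them by hand, and
this script shows which are missing. Record list, names and zone below are
constructed/assumed for illustration.
"""

DOMAIN = "samdom.example.com"          # constructed AD domain
DC1_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"  # constructed objectGUID
DC2_GUID = "8a1c62c2-9d7e-4b0f-b2f1-6c6c5b7e1d22"  # constructed objectGUID


def required_records(domain, dc, guid, ip):
    """Records a DC needs (assumption: standard AD DC record set)."""
    fqdn = f"{dc}.{domain}"
    return [
        (fqdn, "A", ip),
        (f"_ldap._tcp.{domain}", "SRV", fqdn),
        (f"_ldap._tcp.dc._msdcs.{domain}", "SRV", fqdn),
        (f"_kerberos._tcp.{domain}", "SRV", fqdn),
        (f"_kerberos._udp.{domain}", "SRV", fqdn),
        (f"_kpasswd._tcp.{domain}", "SRV", fqdn),
        (f"_kpasswd._udp.{domain}", "SRV", fqdn),
        (f"{guid}._msdcs.{domain}", "CNAME", fqdn),
    ]


def absolutize(name, origin):
    """Turn '@', relative and absolute owner/target names into FQDNs."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a set of (owner, type, target) from a single-line-per-record
    zone file. Handles $ORIGIN, '@', relative names, optional TTL/class and
    comments; the target is the last rdata field (the host for SRV/CNAME)."""
    records = set()
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):            # $TTL and friends
            continue
        fields = line.split()
        # A line starting with whitespace inherits the previous owner name.
        owner = last_owner if raw[0] in " \t" else fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH")):
            fields.pop(0)                   # skip optional TTL and class
        if len(fields) < 2:
            continue
        rtype, target = fields[0].upper(), fields[-1]
        owner = absolutize(owner, origin)
        last_owner = owner
        if rtype in ("SRV", "CNAME", "NS", "PTR", "MX"):
            target = absolutize(target, origin)
        records.add((owner, rtype, target))
    return records


def missing_records(zone_text, domain, dc, guid, ip):
    """List the required records for this DC that the zone does not have."""
    present = parse_zone(zone_text, domain)
    return [r for r in required_records(domain, dc, guid, ip) if r not in present]


# Constructed zone: dc1 fully registered, dc2 only partly (A + _ldap._tcp).
SAMPLE_ZONE = f"""\
$ORIGIN {DOMAIN}.
$TTL 3600
@       IN SOA  dc1 hostmaster 2017011701 3600 900 604800 3600
@       IN NS   dc1
dc1     IN A    192.0.2.11
dc2     IN A    192.0.2.12
_ldap._tcp              IN SRV 0 100 389 dc1
_ldap._tcp              IN SRV 0 100 389 dc2   ; added by hand for dc2
_ldap._tcp.dc._msdcs    IN SRV 0 100 389 dc1
_kerberos._tcp          IN SRV 0 100 88  dc1
_kerberos._udp          IN SRV 0 100 88  dc1
_kpasswd._tcp           IN SRV 0 100 464 dc1
_kpasswd._udp           IN SRV 0 100 464 dc1
{DC1_GUID}._msdcs       IN CNAME dc1           ; dc1's objectGUID
"""

if __name__ == "__main__":
    for dc, guid, ip in (("dc1", DC1_GUID, "192.0.2.11"), ("dc2", DC2_GUID, "192.0.2.12")):
        gaps = missing_records(SAMPLE_ZONE, DOMAIN, dc, guid, ip)
        print(f"{dc}: {len(gaps)} missing")
        for owner, rtype, target in gaps:
            print(f"  {owner} {rtype} -> {target}")
```

Run against a real zone, replace SAMPLE_ZONE with the file contents and the GUID with the value from `samba-tool domain info` or the DC's objectGUID in the directory; the Kerberos SRV entries are the ones that matter for the keytab lookup in the subject line, since a client that cannot find a KDC for the realm never gets as far as requesting a cifs/ ticket.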
