[Samba] win2003 AD migration to SAMBA 4.6 - dnsupdate problem

Tomáš Havlín thavlin at spel.cz
Wed Feb 21 14:16:41 UTC 2018


Hello Denis,

1. KRB - I tried kinit from a local terminal and got an answer about trouble 
with encryption, so I found out the Win 2003 ciphers and put them into krb5.conf
2. from wiki - Verifying the DNS Entries, If you join a Samba DC that 
runs Samba 4.7 and later, samba-tool created all required DNS entries 
automatically. To manually create the records on an earlier version, see 
Verifying and Creating a DC DNS Record - 
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

3. yes, resolv.conf is pointing to 127.0.0.1
4. you are right, the krb5.conf files are not identical, I forgot to move it to 
/var/lib/samba/private

Now the situation is: with identical krb5.conf files not containing 
rc4-hmac and weak cipher enabled, I got the error like before, which means 
trouble with ciphers. If I put the lines into both files I got a new error - 
dns_tkey_negotiategss: TKEY is unacceptable

I have tried to push DNS updates as you wrote - samba_dnsupdate 
--use-samba-tool - 18 records synchronized, 2 failed with error 
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR'), 
samba_dnsupdate ends with dns_tkey_negotiategss: TKEY is unacceptable, 
Failed nsupdate: 1, Failed update of 2 entries



I hope I wrote everything important

regards
bB






>
>>I want to migrate old 2003 domain to Samba - join SAMBA 4.6(DC2) to win
>>2003 domain like DC, move sysvol, FSMO, demote old server(DC1), etc.,
>>etc. -
>>https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>
>>
>>My problem are DNS Updates, I have kerberos working (added enctypes =
>>rc4-hmac for compatibility),
>
>May I ask you where did you add that? Where did you read that you had 
>to do that? Could you try to just remove it?
>
>>SAMBA join without errors, I have created DNS records,
>
>how did you create the records? Could you try the following on your two 
>DCs to force the update without going through the authenticated DNS 
>process
>samba_dnsupdate --use-samba-tool
>
>By the way, is your /etc/resolv.conf pointing to yourself? Is your 
>/etc/krb5.conf and /var/lib/samba/private/krb5.conf identical?
>
>Denis
>
>>can move FSMO. But DNS is working only on DC1, not on DC2,
>>I have found in logs troubles with dnsupdates. DC1 thinks it is the only
>>DC in the domain.
>>
>>_ldap._tcp.Default-First-Site._sites.gc._msdcs.test.local. 900 IN SRV 0 100 3268 dc2.test.local.
>>tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.
>>Failed nsupdate: 1
>>Failed update of 20 entries
>>
>>bB
>
>-- Denis Cardon
>Tranquil IT Systems
>Les Espaces Jules Verne, bâtiment A
>12 avenue Jules Verne
>44230 Saint Sébastien sur Loire
>tel : +33 (0) 2.40.97.57.55
>http://www.tranquil.it
>
>Samba install wiki for Frenchies : https://dev.tranquil.it
>WAPT, software deployment made easy : https://wapt.fr
>
>-- To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
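
A check for the two conditions raised in this thread (whether /etc/krb5.conf and /var/lib/samba/private/krb5.conf are identical, and whether either copy enables rc4-hmac or weak ciphers), as an added example that is not part of the original messages. The function names and the TEST.LOCAL sample files are constructed for illustration; the option names are standard MIT krb5.conf [libdefaults] settings, which the thread does not spell out.

```shell
#!/bin/sh
# Added example, not from the thread. Default paths are the two named in the thread.

# Print the crypto-related settings of one krb5.conf, normalised and sorted.
krb5_crypto_settings() {
    grep -v '^[[:space:]]*[#;]' "$1" | tr '[:upper:]' '[:lower:]' |
    grep -E '^[[:space:]]*(allow_weak_crypto|permitted_enctypes|default_tkt_enctypes|default_tgs_enctypes)[[:space:]]*=' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*$//' |
    sort
}

# Print DIFFER when the copies are not byte-identical and WEAK for each setting
# that enables legacy ciphers. Returns 0 = identical, 1 = differ, 2 = unreadable.
audit_krb5() {
    sys=${1:-/etc/krb5.conf}
    priv=${2:-/var/lib/samba/private/krb5.conf}
    for f in "$sys" "$priv"; do
        [ -r "$f" ] || { echo "MISSING $f"; return 2; }
    done
    rc=0
    cmp -s "$sys" "$priv" || { echo "DIFFER $sys $priv"; rc=1; }
    for f in "$sys" "$priv"; do
        krb5_crypto_settings "$f" | while IFS= read -r line; do
            case $line in
                allow_weak_crypto=true|allow_weak_crypto=yes|allow_weak_crypto=1|allow_weak_crypto=on)
                    echo "WEAK $f: $line" ;;
                *enctypes=*rc4*|*enctypes=*arcfour*|*enctypes=*des*)
                    echo "WEAK $f: $line" ;;
            esac
        done
    done
    return $rc
}

# Constructed sample: one copy carries the rc4-hmac lines, the other does not.
demo() {
    d=$(mktemp -d)
    printf '[libdefaults]\n default_realm = TEST.LOCAL\n' > "$d/private.conf"
    printf '[libdefaults]\n default_realm = TEST.LOCAL\n allow_weak_crypto = true\n default_tkt_enctypes = rc4-hmac\n' > "$d/etc.conf"
    audit_krb5 "$d/etc.conf" "$d/private.conf" || true
    rm -rf "$d"
}
demo
```

Run `audit_krb5` with no arguments on the DC to check the real files; WEAK lines are worth revisiting once the Windows 2003 DC has been demoted.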



