[Samba] win2003 AD migration to SAMBA 4.6 - dnsupdate problem
Tomáš Havlín
thavlin at spel.cz
Wed Feb 21 14:16:41 UTC 2018
Hello Denis,
1. KRB - I tried kinit from a local terminal and got an answer about troubles
with encryption, so I found out the win 2003 ciphers and put them into krb5.conf
2. from wiki - Verifying the DNS Entries, If you join a Samba DC that
runs Samba 4.7 and later, samba-tool created all required DNS entries
automatically. To manually create the records on an earlier version, see
Verifying and Creating a DC DNS Record -
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
3. yes, resolv.conf is pointing to 127.0.0.1
4. you are right, the krb5.conf files are not identical, I forgot to move it to
/var/lib/samba/private
now the situation is with identical krb5.conf files not containing
rc4-hmac and weak cipher enabled, I got the error like before, it means
troubles with ciphers. If I put the lines into both files I got a new error -
dns_tkey_negotiategss: TKEY is unacceptable
I have tried to push dns updates, as you wrote - samba_dnsupdate
--use-samba-tool - 18 records synchronized, 2 failed with error
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR'),
samba_dnsupdate ends with dns_tkey_negotiategss: TKEY is unacceptable,
Failed nsupdate: 1, Failed update of 2 entries
I hope I wrote everything important
regards
bB
>
>>I want to migrate old 2003 domain to Samba - join SAMBA 4.6(DC2) to
>>win
>>2003 domain like DC, move sysvol, FSMO, demote old server(DC1), etc.,
>>etc. -
>>https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>
>>
>>My problem is DNS updates, I have kerberos working (added enctypes =
>>rc4-hmac for compatibility),
>
>May I ask you where did you add that? Where did you read that you had
>to do that? Could you try to just remove it?
>
> > SAMBA join without errors, I have created
>>DNS records,
>
>how did you create the records? Could you try the following on your two
>DCs to force the update without going through the authenticated DNS
>process
>samba_dnsupdate --use-samba-tool
>
>By the way, is your /etc/resolv.conf pointing to yourself? Is your
>/etc/krb5.conf and /var/lib/samba/private/krb5.conf identical?
>
>Denis
>
> > can move FSMO. But DNS is working only on DC1, not on DC2,
>>I have found in logs troubles with dnsupdates. DC1 thinks it is only
>>one
>>DC in domain.
>>
>>_ldap._tcp.Default-First-Site._sites.gc._msdcs.test.local. 900 IN SRV
>>0
>>100 3268 dc2.test.local.
>>tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
>>Minor
>>code may provide more information, Minor = KDC has no support for
>>encryption type.
>>Failed nsupdate: 1
>>Failed update of 20 entries
>>
>>bB
>
>-- Denis Cardon
>Tranquil IT Systems
>Les Espaces Jules Verne, bâtiment A
>12 avenue Jules Verne
>44230 Saint Sébastien sur Loire
>tel : +33 (0) 2.40.97.57.55
>http://www.tranquil.it
>
>Samba install wiki for Frenchies : https://dev.tranquil.it
>WAPT, software deployment made easy : https://wapt.fr
>
>-- To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
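
An added example, not part of the thread or of Samba's own code: a small check for the two points raised in the messages above, whether /etc/krb5.conf and /var/lib/samba/private/krb5.conf are identical in their [libdefaults] settings and whether either one lists rc4-hmac or another legacy encryption type. The function names, the `LEGACY` set and the sample file contents are assumptions constructed for illustration.

```python
import re
# [libdefaults] keys that restrict which Kerberos encryption types are used.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Assumption: enctypes treated as legacy here (RC4 aliases and single DES).
LEGACY = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
          "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

def parse_libdefaults(text):
    """Return {key: value} from the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = " ".join(value.split())
    return out

def audit(system_text, samba_text):
    """Report keys that differ between the two files and legacy enctypes in each."""
    a, b = parse_libdefaults(system_text), parse_libdefaults(samba_text)
    drift = sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))
    legacy = {}
    for name, conf in (("system", a), ("samba", b)):
        for key in ENCTYPE_KEYS:
            listed = re.split(r"[,\s]+", conf.get(key, "").lower())
            hits = [e for e in listed if e in LEGACY]
            if hits:
                legacy[(name, key)] = hits
    return {"identical": not drift, "drift": drift, "legacy": legacy}

# Constructed sample contents, standing in for /etc/krb5.conf and
# /var/lib/samba/private/krb5.conf (not taken from the thread).
SYSTEM_CONF = """[libdefaults]
    default_realm = TEST.LOCAL
    allow_weak_crypto = true
    default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
"""
SAMBA_CONF = """[libdefaults]
    default_realm = TEST.LOCAL
    dns_lookup_kdc = true
"""

if __name__ == "__main__":
    print(audit(SYSTEM_CONF, SAMBA_CONF))
```

To run it against a real DC, pass the contents of the two files read from disk to `audit()` in place of the sample strings.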