[Samba] Kerberos not working after moving Samba AD DC to new server
Sebastian Arcus
s.arcus at open-t.co.uk
Fri Mar 9 11:41:56 UTC 2018
On 09/03/18 11:22, Rob Thoman wrote:
> Check the krb5.conf and confirm DNS is working

After taking the entire server apart, upgrading all the packages,
re-compiling Bind several times over against MIT Kerberos and then
against Heimdal Kerberos, transferring over the Samba configs and
databases again from the old server and running line by line through
every single test in the Samba wiki I could find, it turns out that it
was simply the interface option in smb.conf. The old server was using
eth1 for the internal LAN, while the new one was using a bridge on br0
(which ties eth1 as well), because there are some virtual machines there
as well. So the new server was trying to bind Samba to eth1, which
didn't have its own IP.

It is strange though that I have not seen a single error message in 8
hours of troubleshooting to hint at the interface configuration being
the problem. Samba is set up to listen on the loop interface as well, but
I guess the Kerberos DNS entries were pointing specifically to the LAN
IP of the server.

Oh well, just another day at the office :-)

>
> On Fri, Mar 9, 2018 at 9:20 PM, Sebastian Arcus via samba
> <samba at lists.samba.org> wrote:
>
>
> On 09/03/18 10:52, Sebastian Arcus via samba wrote:
>
> I am moving a Samba AD DC to a new server (I am merging two
> different hardware servers serving different functions). The new
> server has the same name as the old one, and same IP addresses
> on the network interfaces. I have moved the following directories:
>
> /var/lib/samba
> /var/cache/samba
> /etc/samba/
> /var/named/
>
> Samba will start, Bind starts (I'm using the Bind backend), the
> dns tests from Samba wiki work fine, but the following doesn't
> work and I can't figure out why:
>
> # kinit Administrator
> kinit: Cannot contact any KDC for realm 'MYDOMAIN.LAN' while
> getting initial credentials
>
> The domain name above is correct, but for some reason Kerberos
> doesn't seem to be working. Does the Kerberos side of things
> need any other files which I should have copied from the old server?
>
>
> Sorry for the confusion - I just checked the old server and I get
> the same error. Is there any way of troubleshooting Kerberos further?
>
>
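The failure described in this message, an smb.conf `interfaces` entry naming a device that holds no address of its own, can be checked mechanically since Samba logged nothing about it. The script below is an added example, not part of the original post or of Samba; the function names, the sample smb.conf and the 192.168.1.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: report smb.conf "interfaces" entries naming a device with no IPv4 address.

# Print the value of the "interfaces" option from [global] in the smb.conf given as $1.
smb_interfaces() {
    awk '
        /^[ \t]*[#;]/ { next }    # comment lines
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && tolower($0) ~ /^[ \t]*interfaces[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Print device names that carry an IPv4 address, from saved `ip -o -4 addr show` output ($1).
devices_with_ipv4() {
    awk '{ print $2 }' "$1" | sort -u
}

# Print every device name listed in smb.conf ($1) that has no IPv4 address in $2.
unbound_interfaces() {
    smb_interfaces "$1" | tr -s ' \t' '\n' | while read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in
            [0-9]*.*|*:*|*\**) continue ;;   # IP/subnet literals and wildcards are not checked
        esac
        devices_with_ipv4 "$2" | grep -qxF -- "$entry" || echo "$entry"
    done
}

# Constructed sample data: eth1 is enslaved to br0, so only lo and br0 hold addresses.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
    realm = MYDOMAIN.LAN
    bind interfaces only = yes
    interfaces = lo eth1
EOF
cat > "$SAMPLE_DIR/ip.txt" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br0    inet 192.168.1.10/24 brd 192.168.1.255 scope global br0\       valid_lft forever preferred_lft forever
EOF

unbound_interfaces "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/ip.txt"   # prints: eth1
```

On a live DC, save the output of `ip -o -4 addr show` to a file and pass it together with the real smb.conf; any name printed is a device Samba is told to use that has no IPv4 address.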