[Samba] Problems running kinit on a (wannabe) secondary DC
Rowland Penny
rpenny at samba.org
Thu Jul 14 07:23:13 UTC 2022
On Thu, 2022-07-14 at 08:43 +0200, Lorenzo Milesi via samba wrote:
> I've installed a DC on Ubuntu 20.04 with Samba 4.15 using Van Belle's
> repos.
> The DC is used for LDAP auth and working fine. It hasn't been tested
> for Windows clients auth, yet.
>
> I'm attempting to configure a secondary DC, on a remote VPS with the
> same specs as above, but I'm unable to initialize kerberos
> communications. On the client I get the "classic" 'Cannot contact any
> KDC for realm ... while getting initial credentials', while from
> debug I'm unable to figure out what's going bad.
>
> Active DC: 192.168.8.1 Samba 4.15.7-Ubuntu (dc-contabo)
> Secondary DC: 192.168.1.206 Samba 4.15.7-Ubuntu (dc-lan)
No, that is: first DC and another DC, all DCs are equal except for the
FSMO roles.
>
>
> root@dc-lan:~# KRB5_TRACE=/dev/stdout kinit Administrator
> [987] 1657780070.241479: Getting initial credentials for
> Administrator@WDC.DOMAIN.IT
> kinit: Cannot contact any KDC for realm 'WDC.DOMAIN.IT' while getting
> initial credentials
Obviously your prospective second DC cannot contact your first DC.
> Primary smb.conf:
> # Global parameters
> [global]
> dns forwarder = 1.1.1.1
> netbios name = DC-CONTABO
> realm = WDC.DOMAIN.IT
> server role = active directory domain controller
> workgroup = DOMAIN
> allow dns updates = disabled
Why have you disabled dns updates?
> interfaces = eth1
> bind interfaces only = yes
> server services = -dns
As you seem to be using Bind9, why is a dns forwarder set?

Can you ping the first DC from the second DC?

I suggest you go here:
https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
Download the script and run it on both your DCs and post the output
into a reply to this.

Rowland
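
An added example, not part of the original message and not Samba project code: a small Python check that parses the first DC's `[global]` section as posted in the thread and flags the settings the reply asks about. The sample text is constructed from the quoted lines, and the finding names are hypothetical labels.

```python
# Added example: lint the [global] section of an AD DC smb.conf.
# SAMPLE is constructed from the lines quoted in the thread.
SAMPLE = """\
[global]
    dns forwarder = 1.1.1.1
    netbios name = DC-CONTABO
    realm = WDC.DOMAIN.IT
    server role = active directory domain controller
    workgroup = DOMAIN
    allow dns updates = disabled
    interfaces = eth1
    bind interfaces only = yes
    server services = -dns
"""

TRUE_VALUES = {"yes", "true", "1", "on"}
LOOPBACK = {"lo", "127.0.0.1"}


def parse_global(text):
    """Return the [global] parameters as {lower-cased name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def lint_dc(params):
    """Return finding names (hypothetical labels) for the queried settings."""
    findings = []
    services = params.get("server services", "").replace(",", " ").split()
    if "-dns" in services and "dns forwarder" in params:
        # The forwarder is read by Samba's internal DNS server, which '-dns' turns off.
        findings.append("dns-forwarder-without-internal-dns")
    if params.get("allow dns updates", "").lower() == "disabled":
        findings.append("dns-updates-disabled")
    bind_only = params.get("bind interfaces only", "no").lower() in TRUE_VALUES
    if bind_only and not LOOPBACK & set(params.get("interfaces", "").split()):
        # Services, the KDC included, then listen only on the listed interfaces.
        findings.append("bind-only-without-loopback")
    return findings


if __name__ == "__main__":
    for finding in lint_dc(parse_global(SAMPLE)):
        print(finding)
```

A finding here is a prompt to check the setting, not a diagnosis of the kinit failure; reachability of the first DC from the second still has to be tested on the network.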