[Samba] Problems runing kinit on a (wannabe) secondary DC
Lorenzo Milesi
lorenzo.milesi at yetopen.com
Thu Jul 14 12:36:10 UTC 2022
>> Primary smb.conf:
>> # Global parameters
>> [global]
>> dns forwarder = 1.1.1.1
>> netbios name = DC-CONTABO
>> realm = WDC.DOMAIN.IT
>> server role = active directory domain controller
>> workgroup = DOMAIN
>> allow dns updates = disabled
>
> Why have you disabled dns updates ?
Possibly unintentionally while trying to debug...
>
>> interfaces = eth1
>> bind interfaces only = yes
>> server services = -dns
>
> As you seem to be using Bind9, why is a dns forwarder set ?
Leftover during the upgrade phase
> Can you ping the first DC from the second DC ?
Yes, I can ping back and forth, I can telnet from second to first on port 88.
Also, from what I could get in the server log, the second does correctly authenticate as Administrator, during kinit.
Something I forgot to add, after I enter the password, the command remains on hold for something like 20 or 30s, after that time prints the error.
> Download the script and run it on both your DC's and post the output
> into a reply to this.
Here they are, thanks:
#### FIRST DC #####
Config collected --- 2022-07-14-13:50 -----------
Hostname: dc-contabo
DNS Domain: wdc.domain.it
Realm: WDC.DOMAIN.IT
FQDN: dc-contabo.wdc.domain.it
ipaddress: 75.119.x.y 192.168.8.1 10.8.0.1
-----------
This computer is running Ubuntu 20.04.4 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:46:2e:11 brd ff:ff:ff:ff:ff:ff
inet 75.119.x.y/19 brd 75.119.255.255 scope global eth0
inet6 fe80::250:56ff:fe46:2e11/64 scope link
3: eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether ba:25:80:99:69:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.8.1/24 brd 192.168.8.255 scope global eth1
inet6 fe80::b825:80ff:fe99:69d3/64 scope link
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
#127.0.1.1 vmi.contaboserver.net vmi
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
192.168.1.206 dclan.wdc.domain.it dclan
-----------
Checking file: /etc/resolv.conf
search wdc.domain.it
nameserver 127.0.0.1
-----------
Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok, sample output:
Server: 127.0.0.1
Address: 127.0.0.1#53
_kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it.
-----------
'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = WDC.DOMAIN.IT
dns_lookup_kdc = true
dns_lookup_realm = false
# TEST
udp_preference_limit=1
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
dns forwarder = 1.1.1.1
netbios name = DC-CONTABO
realm = WDC.DOMAIN.IT
server role = active directory domain controller
workgroup = WORKGROUP
allow dns updates = disabled
interfaces = eth1
bind interfaces only = yes
server services = -dns
log level = 1 auth_audit:3 auth_json_audit:3 kerberos:10
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/wdc.domain.it/scripts
read only = No
-----------
This DC is not being used as a fileserver
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
1.1.1.1;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "domain.it" {
# For BIND 9.9.0
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list check :
wdc.domain.it
_msdcs.wdc.domain.it
-----------
-----------
This is the DC with the PDC Emulator role and time is: 2022-07-14T13:50:27
-----------
Installed packages:
ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes
ii bind9 1:9.16.1-0ubuntu2.10 amd64 Internet Domain Name Server
ii bind9-dnsutils 1:9.16.1-0ubuntu2.10 amd64 Clients provided with BIND 9
ii bind9-host 1:9.16.1-0ubuntu2.10 amd64 DNS Lookup Utility
ii bind9-libs:amd64 1:9.16.1-0ubuntu2.10 amd64 Shared Libraries used by BIND 9
ii bind9-utils 1:9.16.1-0ubuntu2.10 amd64 Utilities for BIND 9
ii dnsutils 1:9.16.1-0ubuntu2.10 all Transitional package for bind9-dnsutils
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba nameservice integration plugins
ii libsmbclient:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba winbind client library
ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Python 3 bindings for Samba
ii samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.7~dfsg-0ubuntu0~20.04 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 service to resolve user and group information from Windows NT servers
-----------
#### SECOND DC #####
Config collected --- 2022-07-14-13:52 -----------
Hostname: dc-lan
DNS Domain: wdc.domain.it
Realm: WDC.DOMAIN.IT
FQDN: dc-lan.wdc.domain.it
ipaddress: 192.168.1.206
-----------
This computer is running Ubuntu 20.04.4 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 6e:03:dc:d8:bb:0f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.206/24 brd 192.168.1.255 scope global ens18
inet6 fe80::6c03:dcff:fed8:bb0f/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
192.168.1.206 dc-lan.wdc.domain.it dclan
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search wdc.domain.it domain
-----------
systemd stub resolver detected, running command : systemd-resolve --status
-----------
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.8.1
DNS Servers: 192.168.8.1
DNS Domain: wdc.domain.it
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 2 (ens18)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.8.1
DNS Servers: 192.168.8.1
DNS Domain: wdc.domain.it
domain
-----------
Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok, sample output:
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it.
Authoritative answers can be found from:
-----------
'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.
-----------
Samba is not being run as a DC or a Unix domain member.
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = WDC.DOMAIN.IT
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
WDC.DOMAIN.IT = {
kdc = 127.0.0.1
kdc = 192.168.8.1
}
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Time on the DC with PDC Emulator role is: 2022-07-14T13:52:42
Time on this computer is: 2022-07-14T13:52:42
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba nameservice integration plugins
ii libsmbclient:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba winbind client library
ii python3-attr 19.3.0-2 all Attributes without boilerplate (Python 3)
ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Python 3 bindings for Samba
ii samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.7~dfsg-0ubuntu0~20.04 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 service to resolve user and group information from Windows NT servers
-----------
--
Lorenzo Milesi - lorenzo.milesi at yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com
Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary
-------- D.Lgs. 196/2003 e GDPR 679/2016 --------
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile.
Grazie.
Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible.
Thank you.
More information about the samba
mailing list