[Samba] Problems running kinit on a (wannabe) secondary DC

Lorenzo Milesi lorenzo.milesi at yetopen.com
Thu Jul 14 12:36:10 UTC 2022


>> Primary smb.conf:
>> # Global parameters
>> [global]
>>         dns forwarder = 1.1.1.1
>>         netbios name = DC-CONTABO
>>         realm = WDC.DOMAIN.IT
>>         server role = active directory domain controller
>>         workgroup = DOMAIN
>>         allow dns updates = disabled
> 
> Why have you disabled dns updates ?

Possibly unintentionally while trying to debug...
> 
>>         interfaces = eth1
>>         bind interfaces only = yes
>>         server services = -dns
> 
> As you seem to be using Bind9, why is a dns forwarder set ?

Leftover during the upgrade phase

> Can you ping the first DC from the second DC ?

Yes, I can ping back and forth, and I can telnet from the second to the first on port 88.
Also, from what I can see in the server log, the second does correctly authenticate as Administrator during kinit.
Something I forgot to add: after I enter the password, the command hangs for something like 20 or 30 s, and only after that does it print the error.

> Download the script and run it on both your DC's and post the output
> into a reply to this.

Here they are, thanks:
#### FIRST DC #####
Config collected --- 2022-07-14-13:50 -----------

Hostname:   dc-contabo
DNS Domain: wdc.domain.it
Realm:      WDC.DOMAIN.IT
FQDN:       dc-contabo.wdc.domain.it
ipaddress:  75.119.x.y 192.168.8.1 10.8.0.1 

-----------

This computer is running Ubuntu 20.04.4 LTS x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:46:2e:11 brd ff:ff:ff:ff:ff:ff
    inet 75.119.x.y/19 brd 75.119.255.255 scope global eth0
    inet6 fe80::250:56ff:fe46:2e11/64 scope link 
3: eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether ba:25:80:99:69:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.1/24 brd 192.168.8.255 scope global eth1
    inet6 fe80::b825:80ff:fe99:69d3/64 scope link 
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0

-----------

Checking file: /etc/hosts

127.0.0.1	localhost
#127.0.1.1	vmi.contaboserver.net	vmi

# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
192.168.8.1 dc-contabo.wdc.domain.it dc-contabo 
192.168.1.206 dclan.wdc.domain.it dclan

-----------

Checking file: /etc/resolv.conf

search wdc.domain.it
nameserver 127.0.0.1

-----------

Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok, sample output:
Server:		127.0.0.1
Address:	127.0.0.1#53

_kerberos._tcp.wdc.domain.it	service = 0 100 88 dc-contabo.wdc.domain.it.

-----------

'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.

-----------

Samba is running as an AD DC

-----------

Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = WDC.DOMAIN.IT
        dns_lookup_kdc = true
        dns_lookup_realm = false
# TEST
udp_preference_limit=1

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

Checking file: /etc/samba/smb.conf

# Global parameters
[global]
	dns forwarder = 1.1.1.1
	netbios name = DC-CONTABO
	realm = WDC.DOMAIN.IT
	server role = active directory domain controller
	workgroup = WORKGROUP
	allow dns updates = disabled
	interfaces = eth1 
	bind interfaces only = yes
	server services = -dns
        log level = 1 auth_audit:3 auth_json_audit:3 kerberos:10
	tls enabled  = yes
	tls keyfile  = tls/key.pem
	tls certfile = tls/cert.pem
	tls cafile   = tls/ca.pem

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/wdc.domain.it/scripts
	read only = No

-----------

This DC is not being used as a fileserver

Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------

Checking file: /etc/bind/named.conf.options

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	 forwarders {
	 	1.1.1.1;
	 };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
      
        allow-query {  any;};

	dnssec-validation no;
        auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        minimal-responses yes;
};

-----------

Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "domain.it" {
# For BIND 9.9.0
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};

-----------

Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

-----------

Samba DNS zone list check : 
wdc.domain.it
_msdcs.wdc.domain.it

-----------


-----------


This is the DC with the PDC Emulator role and time is: 2022-07-14T13:50:27

-----------

Installed packages:
ii  attr                                  1:2.4.48-5                        amd64        utilities for manipulating filesystem extended attributes
ii  bind9                                 1:9.16.1-0ubuntu2.10              amd64        Internet Domain Name Server
ii  bind9-dnsutils                        1:9.16.1-0ubuntu2.10              amd64        Clients provided with BIND 9
ii  bind9-host                            1:9.16.1-0ubuntu2.10              amd64        DNS Lookup Utility
ii  bind9-libs:amd64                      1:9.16.1-0ubuntu2.10              amd64        Shared Libraries used by BIND 9
ii  bind9-utils                           1:9.16.1-0ubuntu2.10              amd64        Utilities for BIND 9
ii  dnsutils                              1:9.16.1-0ubuntu2.10              all          Transitional package for bind9-dnsutils
ii  krb5-config                           2.6ubuntu1                        all          Configuration files for Kerberos Version 5
ii  krb5-locales                          1.17-6ubuntu4.1                   all          internationalization support for MIT Kerberos
ii  krb5-user                             1.17-6ubuntu4.1                   amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                         2.2.53-6                          amd64        access control list - shared library
ii  libattr1:amd64                        1:2.4.48-5                        amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64                1.17-6ubuntu4.1                   amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64              7.7.0+dfsg-1ubuntu1               amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                       1.17-6ubuntu4.1                   amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.17-6ubuntu4.1                   amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64                  2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba nameservice integration plugins
ii  libsmbclient:amd64                    2:4.15.7~dfsg-0ubuntu0~20.04      amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                    2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba winbind client library
ii  python3-nacl                          1.3.0-5                           amd64        Python bindings to libsodium (Python 3)
ii  python3-samba                         2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Python 3 bindings for Samba
ii  samba                                 2:4.15.7~dfsg-0ubuntu0~20.04      amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.15.7~dfsg-0ubuntu0~20.04      all          common files used by both the Samba server and client
ii  samba-common-bin                      2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64              2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba core libraries
ii  samba-vfs-modules:amd64               2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba Virtual FileSystem plugins
ii  smbclient                             2:4.15.7~dfsg-0ubuntu0~20.04      amd64        command-line SMB/CIFS clients for Unix
ii  winbind                               2:4.15.7~dfsg-0ubuntu0~20.04      amd64        service to resolve user and group information from Windows NT servers

-----------

#### SECOND DC #####
Config collected --- 2022-07-14-13:52 -----------

Hostname:   dc-lan
DNS Domain: wdc.domain.it
Realm:      WDC.DOMAIN.IT
FQDN:       dc-lan.wdc.domain.it
ipaddress:  192.168.1.206 

-----------

This computer is running Ubuntu 20.04.4 LTS x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 6e:03:dc:d8:bb:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.206/24 brd 192.168.1.255 scope global ens18
    inet6 fe80::6c03:dcff:fed8:bb0f/64 scope link 

-----------

Checking file: /etc/hosts

127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
192.168.1.206 dc-lan.wdc.domain.it dclan

-----------

Checking file: /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search wdc.domain.it domain

-----------

systemd stub resolver detected, running command : systemd-resolve --status

-----------

Global
       LLMNR setting: no                     
MulticastDNS setting: no                     
  DNSOverTLS setting: no                     
      DNSSEC setting: no                     
    DNSSEC supported: no                     
  Current DNS Server: 192.168.8.1            
         DNS Servers: 192.168.8.1            
          DNS Domain: wdc.domain.it
          DNSSEC NTA: 10.in-addr.arpa        
                      16.172.in-addr.arpa    
                      168.192.in-addr.arpa   
                      17.172.in-addr.arpa    
                      18.172.in-addr.arpa    
                      19.172.in-addr.arpa    
                      20.172.in-addr.arpa    
                      21.172.in-addr.arpa    
                      22.172.in-addr.arpa    
                      23.172.in-addr.arpa    
                      24.172.in-addr.arpa    
                      25.172.in-addr.arpa    
                      26.172.in-addr.arpa    
                      27.172.in-addr.arpa    
                      28.172.in-addr.arpa    
                      29.172.in-addr.arpa    
                      30.172.in-addr.arpa    
                      31.172.in-addr.arpa    
                      corp                   
                      d.f.ip6.arpa           
                      home                   
                      internal               
                      intranet               
                      lan                    
                      local                  
                      private                
                      test                   

Link 2 (ens18)
      Current Scopes: DNS                    
DefaultRoute setting: yes                    
       LLMNR setting: yes                    
MulticastDNS setting: no                     
  DNSOverTLS setting: no                     
      DNSSEC setting: no                     
    DNSSEC supported: no                     
  Current DNS Server: 192.168.8.1            
         DNS Servers: 192.168.8.1            
          DNS Domain: wdc.domain.it
                      domain             

-----------

Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok, sample output:
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
_kerberos._tcp.wdc.domain.it	service = 0 100 88 dc-contabo.wdc.domain.it.

Authoritative answers can be found from:

-----------

'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.

-----------

Samba is not being run as a DC or a Unix domain member.

-----------

Checking file: /etc/krb5.conf

[libdefaults]
	default_realm = WDC.DOMAIN.IT
	dns_lookup_kdc = false
	dns_lookup_realm = false
[realms]
	WDC.DOMAIN.IT = {
		kdc = 127.0.0.1
		kdc = 192.168.8.1
	}

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------


Time on the DC with PDC Emulator role is: 2022-07-14T13:52:42


Time on this computer is:                 2022-07-14T13:52:42


Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds

-----------

Installed packages:
ii  attr                                  1:2.4.48-5                        amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                           2.6ubuntu1                        all          Configuration files for Kerberos Version 5
ii  krb5-locales                          1.17-6ubuntu4.1                   all          internationalization support for MIT Kerberos
ii  krb5-user                             1.17-6ubuntu4.1                   amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                         2.2.53-6                          amd64        access control list - shared library
ii  libattr1:amd64                        1:2.4.48-5                        amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64                1.17-6ubuntu4.1                   amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64              7.7.0+dfsg-1ubuntu1               amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                       1.17-6ubuntu4.1                   amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.17-6ubuntu4.1                   amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64                  2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba nameservice integration plugins
ii  libsmbclient:amd64                    2:4.15.7~dfsg-0ubuntu0~20.04      amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                    2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba winbind client library
ii  python3-attr                          19.3.0-2                          all          Attributes without boilerplate (Python 3)
ii  python3-nacl                          1.3.0-5                           amd64        Python bindings to libsodium (Python 3)
ii  python3-samba                         2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Python 3 bindings for Samba
ii  samba                                 2:4.15.7~dfsg-0ubuntu0~20.04      amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.15.7~dfsg-0ubuntu0~20.04      all          common files used by both the Samba server and client
ii  samba-common-bin                      2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64              2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba core libraries
ii  samba-vfs-modules:amd64               2:4.15.7~dfsg-0ubuntu0~20.04      amd64        Samba Virtual FileSystem plugins
ii  smbclient                             2:4.15.7~dfsg-0ubuntu0~20.04      amd64        command-line SMB/CIFS clients for Unix
ii  winbind                               2:4.15.7~dfsg-0ubuntu0~20.04      amd64        service to resolve user and group information from Windows NT servers

-----------




-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.com 
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
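An added diagnostic helper, not from this thread or from Samba's own tooling: it parses the [libdefaults] and [realms] stanzas of a krb5.conf and reports, in the order the client will try them, whether each listed KDC answers on TCP/88 (the port the telnet test above used). The embedded sample is the second DC's krb5.conf as posted above; the probe function, report layout and 3 s timeout are my own choices.

```python
import socket

# Sample krb5.conf, copied from the second DC's output in this thread (constructed input for the check).
SAMPLE_KRB5_CONF = """\
[libdefaults]
\tdefault_realm = WDC.DOMAIN.IT
\tdns_lookup_kdc = false
\tdns_lookup_realm = false
[realms]
\tWDC.DOMAIN.IT = {
\t\tkdc = 127.0.0.1
\t\tkdc = 192.168.8.1
\t}
"""


def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text.
    krb5.conf is not INI: [realms] holds brace-delimited blocks, so this is a
    small hand-written parser covering [libdefaults] and [realms] only."""
    libdefaults, realms = {}, {}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):   # krb5.conf comment markers
            continue
        if line.startswith('[') and line.endswith(']'):
            section, realm = line[1:-1].lower(), None
            continue
        if section == 'libdefaults' and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            libdefaults[key.lower()] = value
        elif section == 'realms':
            if line.endswith('{'):                      # "REALM = {" opens a realm block
                realm = line[:-1].split('=', 1)[0].strip()
                realms.setdefault(realm, [])
            elif line == '}':
                realm = None
            elif realm and line.lower().startswith('kdc'):
                realms[realm].append(line.split('=', 1)[1].strip())
    return libdefaults, realms


def tcp_reachable(host, port=88, timeout=3.0):
    """Probe a KDC on TCP/88; False on refusal, timeout or resolution failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def kdc_report(text, probe=tcp_reachable):
    """List each realm's KDCs in the order the client tries them, with the probe
    result. With dns_lookup_kdc = false only the listed entries are used, so an
    unreachable entry ahead of a working one is where kinit may wait before
    moving on. `probe` is injectable so the check can run without a network."""
    libdefaults, realms = parse_krb5_conf(text)
    report = {'default_realm': libdefaults.get('default_realm'),
              'dns_lookup_kdc': libdefaults.get('dns_lookup_kdc', 'true').lower() == 'true',
              'realms': {}}
    for realm, kdcs in realms.items():
        rows = []
        for kdc in kdcs:
            host, port = kdc.rsplit(':', 1) if kdc.count(':') == 1 else (kdc, '88')
            rows.append((host, int(port), probe(host, int(port))))
        report['realms'][realm] = rows
    return report


if __name__ == '__main__':
    print(kdc_report(SAMPLE_KRB5_CONF))
```

Run it with the real /etc/krb5.conf contents on the second DC to see which listed KDC is answering and which is tried first.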
