[Samba] Problems running kinit on a (wannabe) secondary DC
Rowland Penny
rpenny at samba.org
Thu Jul 14 15:10:56 UTC 2022
On Thu, 2022-07-14 at 14:36 +0200, Lorenzo Milesi wrote:
> > > Primary smb.conf:
> > > # Global parameters
> > > [global]
> > > dns forwarder = 1.1.1.1
> > > netbios name = DC-CONTABO
> > > realm = WDC.DOMAIN.IT
> > > server role = active directory domain controller
> > > workgroup = DOMAIN
> > > allow dns updates = disabled
> >
> > Why have you disabled dns updates ?
>
> Possibly unintentionally while trying to debug...
> > > interfaces = eth1
> > > bind interfaces only = yes
> > > server services = -dns
> >
> > As you seem to be using Bind9, why is a dns forwarder set ?
>
> Leftover during the upgrade phase
>
> > Can you ping the first DC from the second DC ?
>
> Yes, I can ping back and forth, and I can telnet from second to first on
> port 88.
> Also, from what I could get in the server log, the second does
> correctly authenticate as Administrator during kinit.
> Something I forgot to add: after I enter the password, the command
> remains on hold for something like 20 or 30 s; after that time it prints
> the error.
>
> > Download the script and run it on both your DCs and post the
> > output
> > into a reply to this.
>
> Here they are, thanks:
>
> #### FIRST DC #####
> Config collected --- 2022-07-14-13:50 -----------
>
> Hostname: dc-contabo
> DNS Domain: wdc.domain.it
> Realm: WDC.DOMAIN.IT
> FQDN: dc-contabo.wdc.domain.it
> ipaddress: 75.119.x.y 192.168.8.1 10.8.0.1
It would be better if your DC only used one IP address.
>
> -----------
>
>
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> #127.0.1.1 vmi.contaboserver.net vmi
>
> # The following lines are desirable for IPv6 capable hosts
> #::1 localhost ip6-localhost ip6-loopback
> #ff02::1 ip6-allnodes
> #ff02::2 ip6-allrouters
> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
> 192.168.1.206 dclan.wdc.domain.it dclan
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> search wdc.domain.it
> nameserver 127.0.0.1
Do not use 127.0.0.1, use the DC's IP address.
>
> -----------
>
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it.
>
> -----------
>
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
This is possibly because you are using 127.0.0.1 in /etc/resolv.conf
>
> -----------
>
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = WDC.DOMAIN.IT
> dns_lookup_kdc = true
> dns_lookup_realm = false
That is all you need, nothing else.
> # TEST
> udp_preference_limit=1
>
> -----------
>
>
> Detected bind DLZ enabled..
>
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> dlz "domain.it" {
> # For BIND 9.9.0
> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
I feel sure that last line isn't correct, check your bind9 version.
>
>
> Samba DNS zone list check :
> wdc.domain.it
> _msdcs.wdc.domain.it
You do not seem to have a reverse zone; whilst this isn't strictly
required, it does help.
>
> -----------
>
> #### SECOND DC #####
> Config collected --- 2022-07-14-13:52 -----------
>
> Hostname: dc-lan
> DNS Domain: wdc.domain.it
> Realm: WDC.DOMAIN.IT
> FQDN: dc-lan.wdc.domain.it
> ipaddress: 192.168.1.206
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
> 192.168.1.206 dc-lan.wdc.domain.it dclan
You should only have this DC's data in /etc/hosts; DNS should supply
everything else.
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients to the
> # internal DNS stub resolver of systemd-resolved. This file lists all
> # configured search domains.
> #
> # Run "resolvectl status" to see details about the uplink DNS servers
> # currently in use.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
>
> nameserver 127.0.0.53
> options edns0 trust-ad
> search wdc.domain.it domain
I normally remove systemd-resolved but if it is set up correctly, it
will work.
>
> -----------
>
> systemd stub resolver detected, running command : systemd-resolve --status
>
> -----------
>
> Global
> LLMNR setting: no
> MulticastDNS setting: no
> DNSOverTLS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> Current DNS Server: 192.168.8.1
> DNS Servers: 192.168.8.1
> DNS Domain: wdc.domain.it
> DNSSEC NTA: 10.in-addr.arpa
> 16.172.in-addr.arpa
> 168.192.in-addr.arpa
> 17.172.in-addr.arpa
> 18.172.in-addr.arpa
> 19.172.in-addr.arpa
> 20.172.in-addr.arpa
> 21.172.in-addr.arpa
> 22.172.in-addr.arpa
> 23.172.in-addr.arpa
> 24.172.in-addr.arpa
> 25.172.in-addr.arpa
> 26.172.in-addr.arpa
> 27.172.in-addr.arpa
> 28.172.in-addr.arpa
> 29.172.in-addr.arpa
> 30.172.in-addr.arpa
> 31.172.in-addr.arpa
> corp
> d.f.ip6.arpa
> home
> internal
> intranet
> lan
> local
> private
> test
>
> Link 2 (ens18)
> Current Scopes: DNS
> DefaultRoute setting: yes
> LLMNR setting: yes
> MulticastDNS setting: no
> DNSOverTLS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> Current DNS Server: 192.168.8.1
> DNS Servers: 192.168.8.1
> DNS Domain: wdc.domain.it
> domain
>
> -----------
>
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server: 127.0.0.53
> Address: 127.0.0.53#53
It should be using the IP address of the first DC, until it has joined,
then it should use its own IP address.
>
> Non-authoritative answer:
> _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it.
>
> Authoritative answers can be found from:
>
> -----------
>
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
>
> -----------
Rowland
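The points raised in the reply above (a DC must resolve against a DC address rather than 127.0.0.1 or the systemd stub 127.0.0.53, /etc/hosts should carry only the DC's own entry, and krb5.conf needs only default_realm, dns_lookup_kdc and dns_lookup_realm) can be turned into an offline config audit. The following is an added example, not the samba-collect-debug-info script nor anything from the Samba project; the function names and finding strings are my own, and the sample files it is run against are the ones posted in the thread.

```python
"""Offline sanity checks for a Samba AD DC's resolver and Kerberos client
configuration, mirroring the advice given in the thread. Added example,
not part of Samba or of the debug-collection script."""
import re
from ipaddress import ip_address

# libdefaults keys the reply says are all a Samba DC needs in /etc/krb5.conf
MINIMAL_LIBDEFAULTS = {"default_realm", "dns_lookup_kdc", "dns_lookup_realm"}


def _content_lines(text):
    """Yield non-empty lines with '#' comments stripped (krb5.conf also
    accepts ';' comments; not handled here)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def check_resolv_conf(text, dc_ips):
    """Findings for /etc/resolv.conf. dc_ips: addresses this host may resolve
    against: its own once joined, the existing DC's before the join."""
    findings, nameservers = [], []
    for line in _content_lines(text):
        key, _, value = line.partition(" ")
        if key == "nameserver":
            nameservers.append(value.strip())
    if not nameservers:
        findings.append("resolv.conf: no nameserver configured")
    for ns in nameservers:
        try:
            addr = ip_address(ns)
        except ValueError:
            findings.append(f"resolv.conf: '{ns}' is not an IP address")
            continue
        if addr.is_loopback:  # 127.0.0.1 and the systemd stub 127.0.0.53 alike
            findings.append(f"resolv.conf: nameserver {ns} is loopback; use a DC address")
        elif ns not in dc_ips:
            findings.append(f"resolv.conf: nameserver {ns} is not an AD DC")
    return findings


def check_hosts(text, fqdn, own_ips):
    """Findings for /etc/hosts: this DC's own FQDN must map to its own
    address, and no other host of the AD domain should be listed."""
    findings, domain, own_seen = [], fqdn.split(".", 1)[1], False
    for line in _content_lines(text):
        addr, *names = line.split()
        if fqdn in names:
            own_seen = True
            if addr not in own_ips:
                findings.append(f"hosts: {fqdn} maps to {addr}, not this DC's address")
            continue
        others = [n for n in names if n.endswith("." + domain)]
        if others:
            findings.append(f"hosts: {addr} {' '.join(others)} belongs in DNS, not /etc/hosts")
    if not own_seen:
        findings.append(f"hosts: no entry for {fqdn}")
    return findings


def check_krb5_conf(text, realm):
    """Findings for /etc/krb5.conf: only [libdefaults] with the three minimal
    keys, default_realm equal to the AD realm and dns_lookup_kdc enabled."""
    findings, section, seen = [], None, {}
    for line in _content_lines(text):
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            if section != "libdefaults":
                findings.append(f"krb5.conf: [{section}] section is not needed")
            continue
        if section != "libdefaults":
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key in MINIMAL_LIBDEFAULTS:
            seen[key] = value
        else:
            findings.append(f"krb5.conf: '{key} = {value}' is not in the minimal set")
    if seen.get("default_realm") != realm:
        findings.append(f"krb5.conf: default_realm should be {realm}")
    if seen.get("dns_lookup_kdc", "").lower() != "true":
        findings.append("krb5.conf: dns_lookup_kdc should be true")
    return findings


if __name__ == "__main__":
    # Inputs as posted for the second DC in the thread, before its join.
    resolv = "nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch wdc.domain.it domain\n"
    hosts = ("127.0.0.1 localhost\n::1 ip6-localhost ip6-loopback\n"
             "192.168.8.1 dc-contabo.wdc.domain.it dc-contabo\n"
             "192.168.1.206 dc-lan.wdc.domain.it dclan\n")
    krb5 = ("[libdefaults]\ndefault_realm = WDC.DOMAIN.IT\ndns_lookup_kdc = true\n"
            "dns_lookup_realm = false\n# TEST\nudp_preference_limit=1\n")
    for finding in (check_resolv_conf(resolv, {"192.168.8.1"})
                    + check_hosts(hosts, "dc-lan.wdc.domain.it", {"192.168.1.206"})
                    + check_krb5_conf(krb5, "WDC.DOMAIN.IT")):
        print(finding)
```

Run against the second DC's files it reports the stub resolver, the dc-contabo line in /etc/hosts and the extra udp_preference_limit key; against the first DC's it reports nameserver 127.0.0.1 and the dclan line. It is a static check only: it does not replace the SRV lookup or the kinit test the script performs.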