[Samba] Problems running kinit on a (wannabe) secondary DC

Rowland Penny rpenny at samba.org
Thu Jul 14 15:10:56 UTC 2022


On Thu, 2022-07-14 at 14:36 +0200, Lorenzo Milesi wrote:
> > > Primary smb.conf:
> > > # Global parameters
> > > [global]
> > >         dns forwarder = 1.1.1.1
> > >         netbios name = DC-CONTABO
> > >         realm = WDC.DOMAIN.IT
> > >         server role = active directory domain controller
> > >         workgroup = DOMAIN
> > >         allow dns updates = disabled
> > 
> > Why have you disabled dns updates ?
> 
> Possibly unintentionally while trying to debug...
> > >         interfaces = eth1
> > >         bind interfaces only = yes
> > >         server services = -dns
> > 
> > As you seem to be using Bind9, why is a dns forwarder set ?
> 
> Leftover during the upgrade phase
> 
> > Can you ping the first DC from the second DC ?
> 
> Yes, I can ping back and forth, I can telnet from second to first on
> port 88.
> Also, from what I could get in the server log, the second does
> correctly authenticate as Administrator, during kinit.
> Something I forgot to add, after I enter the password, the command
> remains on hold for something like 20 or 30s, after that time prints
> the error.
> 
> > Download the script and run it on both your DC's and post the
> > output
> > into a reply to this.
> 
> Here they are, thanks:
> 
> #### FIRST DC #####
> Config collected --- 2022-07-14-13:50 -----------
> 
> Hostname:   dc-contabo
> DNS Domain: wdc.domain.it
> Realm:      WDC.DOMAIN.IT
> FQDN:       dc-contabo.wdc.domain.it
> ipaddress:  75.119.x.y 192.168.8.1 10.8.0.1 

It would be better if your DC only used one IP address.

> 
> -----------
> 
> 
> 
> Checking file: /etc/hosts
> 
> 127.0.0.1	localhost
> #127.0.1.1	vmi.contaboserver.net	vmi
> 
> # The following lines are desirable for IPv6 capable hosts
> #::1     localhost ip6-localhost ip6-loopback
> #ff02::1 ip6-allnodes
> #ff02::2 ip6-allrouters
> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo 
> 192.168.1.206 dclan.wdc.domain.it dclan
> 
> -----------
> 
> Checking file: /etc/resolv.conf
> 
> search wdc.domain.it
> nameserver 127.0.0.1

Do not use 127.0.0.1, use the DC's ipaddress

> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server:		127.0.0.1
> Address:	127.0.0.1#53
> 
> _kerberos._tcp.wdc.domain.it	service = 0 100 88 dc-contabo.wdc.domain.it.
> 
> -----------
> 
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.

This is possibly because you are using 127.0.0.1 in /etc/resolv.conf

> 
> -----------
> 
> 
> Checking file: /etc/krb5.conf
> 
> [libdefaults]
> 	default_realm = WDC.DOMAIN.IT
>         dns_lookup_kdc = true
>         dns_lookup_realm = false

That is all you need, nothing else.

> # TEST
> udp_preference_limit=1
> 
> -----------
> 
> 
> Detected bind DLZ enabled..
> 
> 
> Checking file: /etc/bind/named.conf.local
> 
> //
> // Do any local configuration here
> //
> 
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> dlz "domain.it" {
> # For BIND 9.9.0
> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

I feel sure that last line isn't correct, check your bind9 version.

> 
> 
> Samba DNS zone list check : 
> wdc.domain.it
> _msdcs.wdc.domain.it

You do not seem to have a reverse zone; whilst this isn't strictly
required, it does help.

> 
> -----------
> 
> #### SECOND DC #####
> Config collected --- 2022-07-14-13:52 -----------
> 
> Hostname:   dc-lan
> DNS Domain: wdc.domain.it
> Realm:      WDC.DOMAIN.IT
> FQDN:       dc-lan.wdc.domain.it
> ipaddress:  192.168.1.206 
> 
> -----------
> 
> Checking file: /etc/hosts
> 
> 127.0.0.1 localhost
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> 
> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
> 192.168.1.206 dc-lan.wdc.domain.it dclan

You should only have this DC's data in /etc/hosts, DNS should supply
everything else.

> 
> -----------
> 
> Checking file: /etc/resolv.conf
> 
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients to the
> # internal DNS stub resolver of systemd-resolved. This file lists all
> # configured search domains.
> #
> # Run "resolvectl status" to see details about the uplink DNS servers
> # currently in use.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search wdc.domain.it domain

I normally remove systemd-resolved but if it is set up correctly, it
will work.

> 
> -----------
> 
> systemd stub resolver detected, running command : systemd-resolve --status
> 
> -----------
> 
> Global
>        LLMNR setting: no                     
> MulticastDNS setting: no                     
>   DNSOverTLS setting: no                     
>       DNSSEC setting: no                     
>     DNSSEC supported: no                     
>   Current DNS Server: 192.168.8.1            
>          DNS Servers: 192.168.8.1            
>           DNS Domain: wdc.domain.it
>           DNSSEC NTA: 10.in-addr.arpa        
>                       16.172.in-addr.arpa    
>                       168.192.in-addr.arpa   
>                       17.172.in-addr.arpa    
>                       18.172.in-addr.arpa    
>                       19.172.in-addr.arpa    
>                       20.172.in-addr.arpa    
>                       21.172.in-addr.arpa    
>                       22.172.in-addr.arpa    
>                       23.172.in-addr.arpa    
>                       24.172.in-addr.arpa    
>                       25.172.in-addr.arpa    
>                       26.172.in-addr.arpa    
>                       27.172.in-addr.arpa    
>                       28.172.in-addr.arpa    
>                       29.172.in-addr.arpa    
>                       30.172.in-addr.arpa    
>                       31.172.in-addr.arpa    
>                       corp                   
>                       d.f.ip6.arpa           
>                       home                   
>                       internal               
>                       intranet               
>                       lan                    
>                       local                  
>                       private                
>                       test                   
> 
> Link 2 (ens18)
>       Current Scopes: DNS                    
> DefaultRoute setting: yes                    
>        LLMNR setting: yes                    
> MulticastDNS setting: no                     
>   DNSOverTLS setting: no                     
>       DNSSEC setting: no                     
>     DNSSEC supported: no                     
>   Current DNS Server: 192.168.8.1            
>          DNS Servers: 192.168.8.1            
>           DNS Domain: wdc.domain.it
>                       domain             
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server:		127.0.0.53
> Address:	127.0.0.53#53

It should be using the ipaddress of the first DC, until it has joined,
then it should use its own ipaddress.
 
> 
> Non-authoritative answer:
> _kerberos._tcp.wdc.domain.it	service = 0 100 88 dc-contabo.wdc.domain.it.
> 
> Authoritative answers can be found from:
> 
> -----------
> 
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
> 
> -----------

Rowland
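As an added example, not part of this thread and not the Samba project's own diagnostic script, the POSIX shell functions below turn the three points Rowland makes above into checks that can be run on any DC: resolv.conf must not point at a loopback address (127.0.0.1 or the systemd-resolved stub 127.0.0.53), /etc/hosts should map only this host itself, and krb5.conf needs nothing beyond default_realm, dns_lookup_kdc and dns_lookup_realm. The function names, the audit_dc wrapper and the sample files (constructed inline from the first DC's quoted output and the corrected form asked for) are all mine and not from the thread.

```shell
# Added example (not from the thread or the Samba project): POSIX shell checks
# for the three client-side files the thread's script inspects, applying the
# points made in the reply above. Each check takes a file path and returns 0
# when the file is fine and 1 when it shows the problem.

# resolv.conf: a DC must not resolve through a loopback address (127.0.0.1 or
# the systemd-resolved stub 127.0.0.53); it should name the DC's own IP address
# (the first DC's IP address until the join has completed).
check_resolv_conf() {
    if grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.' "$1"; then
        echo "FAIL $1: loopback nameserver, use the DC's IP address instead" >&2
        return 1
    fi
    return 0
}

# /etc/hosts: apart from the loopback and IPv6 boilerplate lines, only this
# host's own short name / FQDN should be mapped; other hosts must come from DNS.
# Args: file, this host's short name.
check_hosts() {
    offenders=$(sed 's/#.*//' "$1" | awk -v me="$2" '
        NF >= 2 && $1 !~ /^(127\.|::1|fe00::|ff00::|ff02::)/ {
            found = 0
            for (i = 2; i <= NF; i++)
                if ($i == me || $i ~ ("^" me "\\.")) found = 1
            if (!found) print
        }')
    if [ -n "$offenders" ]; then
        echo "FAIL $1: entries for other hosts, DNS should supply them:" >&2
        echo "$offenders" >&2
        return 1
    fi
    return 0
}

# krb5.conf: only default_realm, dns_lookup_kdc and dns_lookup_realm are needed;
# anything else (such as the udp_preference_limit test setting quoted above) is flagged.
check_krb5_conf() {
    extras=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*\[/d' "$1" \
        | grep -Ev '^[[:space:]]*(default_realm|dns_lookup_kdc|dns_lookup_realm)[[:space:]]*=' \
        || true)
    if [ -n "$extras" ]; then
        echo "FAIL $1: settings beyond the three needed ones:" >&2
        echo "$extras" >&2
        return 1
    fi
    return 0
}

# Run all three checks; the return value is the number of failed checks (0 = clean).
# Args: hosts file, resolv.conf, krb5.conf, this host's short name.
audit_dc() {
    fails=0
    check_hosts "$1" "$4" || fails=$((fails + 1))
    check_resolv_conf "$2" || fails=$((fails + 1))
    check_krb5_conf "$3" || fails=$((fails + 1))
    return $fails
}

# Constructed sample files: "bad" copies the first DC's output quoted above,
# "good" is the corrected form asked for in the reply.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hosts.bad" <<'EOF'
127.0.0.1 localhost
192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
192.168.1.206 dclan.wdc.domain.it dclan
EOF
cat > "$SAMPLE_DIR/hosts.good" <<'EOF'
127.0.0.1 localhost
192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
EOF
printf 'search wdc.domain.it\nnameserver 127.0.0.1\n' > "$SAMPLE_DIR/resolv.bad"
printf 'search wdc.domain.it\nnameserver 192.168.8.1\n' > "$SAMPLE_DIR/resolv.good"
cat > "$SAMPLE_DIR/krb5.bad" <<'EOF'
[libdefaults]
        default_realm = WDC.DOMAIN.IT
        dns_lookup_kdc = true
        dns_lookup_realm = false
# TEST
udp_preference_limit=1
EOF
cat > "$SAMPLE_DIR/krb5.good" <<'EOF'
[libdefaults]
        default_realm = WDC.DOMAIN.IT
        dns_lookup_kdc = true
        dns_lookup_realm = false
EOF

# On a live DC the call would be:
#   audit_dc /etc/hosts /etc/resolv.conf /etc/krb5.conf "$(hostname -s)"
audit_dc "$SAMPLE_DIR/hosts.bad" "$SAMPLE_DIR/resolv.bad" "$SAMPLE_DIR/krb5.bad" dc-contabo \
    || echo "sample 'bad' set: $? check(s) failed"
```

The checks are deliberately file-based so they can be run before the join, when the second DC still has to use the first DC's address; the SRV lookup that the thread's script performs is left to the script, since it needs the live DNS server.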
