[Samba] Problems running kinit on a (wannabe) secondary DC

Lorenzo Milesi lorenzo.milesi at yetopen.com
Fri Jul 15 14:47:55 UTC 2022


We cannot even join clients to the domain; on the Win10 client I see error code 64, event id 4097.

The client uses 192.168.8.1 as only DNS, and has wdc.domain.it as dns suffix.
On the server I see a successful krb auth as Administrator, and no errors. 

It looks like there's something wrong on the DC... Can this be related to the wrong Bind9 .so used?
If so, can I deactivate Bind9 and try with the builtin Samba4 DNS? Is the DNS "db" stored in Samba or in Bind?

----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Friday, July 15, 2022 7:24:59 AM
> Subject: Re: [Samba] Problems running kinit on a (wannabe) secondary DC

> I forgot to add, if relevant, that the two DCs are remote and connected via
> IPSec VPN (from dc-contabo itself and the lan firewall). As said ping works in
> both directions, we can telnet from dc-lan to dc-contabo on port 88 and ssh
> works perfectly in the same direction.
> At this time there are no firewall restrictions, so all ports are open.
> When I saw the UDP to TCP message in kinit debug I thought it could be a
> connection problem, but being that ssh works and is stable, I assume it's not
> that.
> 
> thanks again
> 
> ----- Original Message -----
>> From: "samba" <samba at lists.samba.org>
>> To: "samba" <samba at lists.samba.org>
>> Sent: Thursday, July 14, 2022 9:16:37 PM
>> Subject: Re: [Samba] Problems running kinit on a (wannabe) secondary DC
> 
>>>> Hostname:   dc-contabo
>>>> DNS Domain: wdc.domain.it
>>>> Realm:      WDC.DOMAIN.IT
>>>> FQDN:       dc-contabo.wdc.domain.it
>>>> ipaddress:  75.119.x.y 192.168.8.1 10.8.0.1
>>> 
>>> It would be better if your DC only used one IP address.
>> 
>> Unfortunately it's not possible, that's why we added:
>>	interfaces = eth1
>>	bind interfaces only = yes
>> 
>>>> Checking file: /etc/resolv.conf
>>>> 
>>>> search wdc.domain.it
>>>> nameserver 127.0.0.1
>>> 
>>> Do not use 127.0.0.1, use the DC's ipaddress
>> 
>> fixed
>> 
>> 
>> 
>>>> dlz "domain.it" {
>>>> # For BIND 9.9.0
>>>> database "dlopen /usr/lib/x86_64-linux-
>>>> gnu/samba/bind9/dlz_bind9_10.so";
>>> 
>>> I feel sure that last line isn't correct, check your bind9 version.
>> 
>> You are right, Ubuntu 20 runs Bind 9.16. Fixed and ran again
>> samba_dnsupdate --verbose --use-samba-tool
>> 
>> 
>>>> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
>>>> 192.168.1.206 dc-lan.wdc.domain.it dclan
>>> 
>>> You should only have this DC's data in /etc/hosts , dns should supply
>>> everything else.
>> 
>> Fixed
>> 
>> 
>>>> # operation for /etc/resolv.conf.
>>>> 
>>>> nameserver 127.0.0.53
>>>> options edns0 trust-ad
>>>> search wdc.domain.it domain
>>> 
>>> I normally remove systemd-resolved but if it is set up correctly, it
>>> will work.
>> 
>> Removed, now it's:
>> nameserver 192.168.8.1
>> search wdc.domain.it
>> 
>>>> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
>>>> sample output:
>>>> Server:		127.0.0.53
>>>> Address:	127.0.0.53#53
>>> 
>>> It should be using the ipaddress of the first DC, until it has joined,
>>> then it should use its own ipaddress.
>> 
>> root at dc-lan:~# nslookup -type=SRV _kerberos._tcp.wdc.domain.it
>> Server:         192.168.8.1
>> Address:        192.168.8.1#53
>> 
>> _kerberos._tcp.wdc.domain.it  service = 0 100 88 dc-contabo.wdc.domain.it.
>> 
>> Is this better?
>> 
>> 
>> Despite the changes, kinit still fails.
>> On the first DC, the kerberos auth seems to be successful:
>> 
>> [2022/07/14 21:11:21.070280,  3, pid=111396, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: AS-REQ administrator at WDC.DOMAIN.IT from ipv4:192.168.1.206:54947 for
>>  krbtgt/WDC.DOMAIN.IT at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.143807,  3, pid=111396, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Client sent patypes: 150, 149
>> [2022/07/14 21:11:21.144053,  3, pid=111396, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Looking for PKINIT pa-data -- administrator at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.144143,  3, pid=111396, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Looking for ENC-TS pa-data -- administrator at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.144239,  3, pid=111396, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>>  administrator at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.457699,  3, pid=111405, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: AS-REQ administrator at WDC.DOMAIN.IT from ipv4:192.168.1.206:46237 for
>>  krbtgt/WDC.DOMAIN.IT at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.464820,  3, pid=111405, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
>> [2022/07/14 21:11:21.464880,  3, pid=111405, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Looking for PKINIT pa-data -- administrator at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.464889,  3, pid=111405, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Looking for ENC-TS pa-data -- administrator at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.464970,  3, pid=111405, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: ENC-TS Pre-authentication succeeded -- administrator at WDC.DOMAIN.IT
>>  using aes256-cts-hmac-sha1-96
>> [2022/07/14 21:11:21.465052,  3]
>> ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>>  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
>>  [(null)]\[administrator at WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 21:11:21.465035
>>  CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
>>  remote host [ipv4:192.168.1.206:46237] became [WORKGROUPNAME]\[Administrator]
>>  [S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
>>  {"timestamp": "2022-07-14T21:11:21.465191+0200", "type": "Authentication",
>>  "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624,
>>  "logonId": "25e4c2f5e696d0a9", "logonType": 3, "status": "NT_STATUS_OK",
>>  "localAddress": null, "remoteAddress": "ipv4:192.168.1.206:46237",
>>  "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS
>>  Pre-authentication", "clientDomain": null, "clientAccount":
>>  "administrator at WDC.DOMAIN.IT", "workstation": null, "becameAccount":
>>  "Administrator", "becameDomain": "WORKGROUPNAME", "becameSid":
>>  "S-1-5-21-29876631-4178411864-4110581247-500", "mappedAccount":
>>  "Administrator", "mappedDomain": "WORKGROUPNAME", "netlogonComputer": null,
>>  "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
>>  "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
>>  "passwordType": "aes256-cts-hmac-sha1-96", "duration": 8034}}
>> [2022/07/14 21:11:21.478771,  3, pid=111405, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: AS-REQ authtime: 2022-07-14T21:11:21 starttime: unset endtime:
>>  2022-07-15T07:11:21 renew till: 2022-07-15T21:11:21
>> [2022/07/14 21:11:21.478896,  3, pid=111405, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>>  aes128-cts-hmac-sha1-96, 20, 19, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
>>  aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
>> [2022/07/14 21:11:21.478927,  3, pid=111405, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Requested flags: renewable-ok
>> [2022/07/14 21:11:21.544275,  3, pid=111409, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: AS-REQ administrator at WDC.DOMAIN.IT from ipv4:192.168.1.206:34060 for
>>  krbtgt/WDC.DOMAIN.IT at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.556692,  3, pid=111409, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
>> [2022/07/14 21:11:21.556794,  3, pid=111409, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Looking for PKINIT pa-data -- administrator at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.556972,  3, pid=111409, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Looking for ENC-TS pa-data -- administrator at WDC.DOMAIN.IT
>> [2022/07/14 21:11:21.557093,  3, pid=111409, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: ENC-TS Pre-authentication succeeded -- administrator at WDC.DOMAIN.IT
>>  using aes256-cts-hmac-sha1-96
>> [2022/07/14 21:11:21.557150,  3]
>> ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>>  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
>>  [(null)]\[administrator at WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 21:11:21.557135
>>  CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
>>  remote host [ipv4:192.168.1.206:34060] became [WORKGROUPNAME]\[Administrator]
>>  [S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
>>  {"timestamp": "2022-07-14T21:11:21.557303+0200", "type": "Authentication",
>>  "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624,
>>  "logonId": "905d4d6e8a570428", "logonType": 3, "status": "NT_STATUS_OK",
>>  "localAddress": null, "remoteAddress": "ipv4:192.168.1.206:34060",
>>  "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS
>>  Pre-authentication", "clientDomain": null, "clientAccount":
>>  "administrator at WDC.DOMAIN.IT", "workstation": null, "becameAccount":
>>  "Administrator", "becameDomain": "WORKGROUPNAME", "becameSid":
>>  "S-1-5-21-29876631-4178411864-4110581247-500", "mappedAccount":
>>  "Administrator", "mappedDomain": "WORKGROUPNAME", "netlogonComputer": null,
>>  "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
>>  "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
>>  "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13429}}
>> [2022/07/14 21:11:21.571677,  3, pid=111409, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: AS-REQ authtime: 2022-07-14T21:11:21 starttime: unset endtime:
>>  2022-07-15T07:11:21 renew till: 2022-07-15T21:11:21
>> [2022/07/14 21:11:21.571873,  3, pid=111409, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>>  aes128-cts-hmac-sha1-96, 20, 19, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
>>  aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
>> [2022/07/14 21:11:21.571936,  3, pid=111409, effective(0, 0), real(0, 0),
>> class=kerberos]
>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>  Kerberos: Requested flags: renewable-ok
>> 
>> --
>> Lorenzo Milesi - lorenzo.milesi at yetopen.com
>> CTO @ YetOpen Srl
>> YetOpen - https://www.yetopen.com/
>> 
>> Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood
>> Avenue - Suite 200 - Raleigh, NC 27612 - USA -
>> Tel +39 0341 220 205 - info.it at yetopen.com  | Phone +1 919-817-8106 -
>> info.us at yetopen.com
> 

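The level-3 KDC log quoted in the thread shows the normal two-round AS exchange (an AS-REQ without pre-authentication answered with PREAUTH-REQUIRED, then a second AS-REQ with encrypted-timestamp that succeeds), which is easy to misread as a failure. As an added example, not code from the thread or from the Samba project, here is a small Python reviewer for that log format: it counts the pre-authentication rounds per principal and reads the JSON audit records to flag failed pre-authentication and weak encryption types. The sample lines are constructed after the quoted ones, with the audit records trimmed to the fields the code uses and the archive's " at " restored to "@".

```python
import json
import re
from collections import defaultdict

# Constructed sample modelled on the level-3 KDC log quoted in the thread. Real Samba
# writes each JSON audit record on a single line; the copies in the mail were wrapped
# by the mail client and would need rejoining first. The second record is an invented
# failure so that the checks below have something to flag.
SAMPLE_LOG = """\
  Kerberos: AS-REQ administrator@WDC.DOMAIN.IT from ipv4:192.168.1.206:54947 for krbtgt/WDC.DOMAIN.IT@WDC.DOMAIN.IT
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator@WDC.DOMAIN.IT
  Kerberos: AS-REQ administrator@WDC.DOMAIN.IT from ipv4:192.168.1.206:46237 for krbtgt/WDC.DOMAIN.IT@WDC.DOMAIN.IT
  Kerberos: ENC-TS Pre-authentication succeeded -- administrator@WDC.DOMAIN.IT using aes256-cts-hmac-sha1-96
  {"timestamp": "2022-07-14T21:11:21.465191+0200", "type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.168.1.206:46237", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "administrator@WDC.DOMAIN.IT", "passwordType": "aes256-cts-hmac-sha1-96"}}
  {"timestamp": "2022-07-14T21:30:05.100000+0200", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.1.77:50110", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "svc-backup@WDC.DOMAIN.IT", "passwordType": "arcfour-hmac-md5"}}
"""

PREAUTH_RE = re.compile(
    r"Kerberos: (No preauth found, returning PREAUTH-REQUIRED|ENC-TS Pre-authentication succeeded) -- (\S+)")
AUDIT_RE = re.compile(r'\{"timestamp".*\}\s*$')   # JSON audit record at the end of a log line
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

def preauth_rounds(log_text):
    """Per principal: how many PREAUTH-REQUIRED replies and how many ENC-TS successes.
    One of each per kinit is the expected two-round exchange, not an error."""
    rounds = defaultdict(lambda: {"preauth_required": 0, "succeeded": 0})
    for m in PREAUTH_RE.finditer(log_text):
        key = "preauth_required" if m.group(1).startswith("No preauth") else "succeeded"
        rounds[m.group(2)][key] += 1
    return dict(rounds)

def audit_events(log_text):
    """Extract the Samba JSON 'Authentication' audit records, flattened with their timestamp."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            rec = json.loads(m.group(0))
            if rec.get("type") == "Authentication":
                ev = dict(rec["Authentication"])
                ev["timestamp"] = rec["timestamp"]
                events.append(ev)
    return events

def findings(events):
    """Flag failed KDC pre-authentication and successful use of weak encryption types."""
    out = []
    for ev in events:
        if ev.get("serviceDescription") != "Kerberos KDC":
            continue
        who = f"{ev['clientAccount']} from {ev['remoteAddress']} at {ev['timestamp']}"
        if ev["status"] != "NT_STATUS_OK":
            out.append(f"FAIL {who}: {ev['status']}")
        if ev.get("passwordType") in WEAK_ENCTYPES:
            out.append(f"WEAK {who}: pre-authenticated with {ev['passwordType']}")
    return out

if __name__ == "__main__":
    print(preauth_rounds(SAMPLE_LOG))
    for line in findings(audit_events(SAMPLE_LOG)):
        print(line)
```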