[Samba] Kerberos kinit not running

Maurizio Caloro maurizio at caloro.ch
Wed Jul 20 19:53:29 UTC 2022


Hello Louis,

First, thanks for your answer and your script to implement Samba!
I have now done a Debian 11 installation from scratch, but with the same result.

The Samba 4.15.7 setup is built with BIND.

samba-tool dns zonecreate 192.168.10.254 10.168.192.in-addr.arpa
Password for [CALORO\maurizio]:
ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 881, in run
     res = dns_conn.DnssrvOperation2(client_version, 0, server, None,

--

# cat /etc/krb5.conf
[libdefaults]
         default_realm = CALORO.M
         dns_lookup_kdc = yes
         dns_lookup_realm = no
         ticket_lifetime = 24h

--

# cat /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";

# cat /etc/resolv.conf
domain CALORO.M
search CALORO.M
nameserver 192.168.10.254

# dpkg -l | grep krb5
ii  krb5-config                    2.6+nmu1 all          Configuration files for Kerberos Version 5
ii  krb5-locales                   1.18.3-6+deb11u1 all          internationalization support for MIT Kerberos
ii  krb5-user                      1.18.3-6+deb11u1 amd64        basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2:amd64         1.18.3-6+deb11u1 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.18.3-6+deb11u1 amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.18.3-6+deb11u1 amd64        MIT Kerberos runtime libraries - Support library

bind running
Jul 20 20:41:17 TestAD named[536]: zone 10.168.192.in-addr.arpa/IN: loaded serial 1
Jul 20 20:41:17 TestAD named[536]: zone 255.in-addr.arpa/IN: loaded serial 1
Jul 20 20:41:17 TestAD named[536]: zone caloro.m/IN: loaded serial 2
Jul 20 20:41:17 TestAD named[536]: all zones loaded
Jul 20 20:41:17 TestAD named[536]: running
Jul 20 20:41:18 TestAD named[536]: timed out resolving './DNSKEY/IN': 8.8.8.8#53
Jul 20 20:41:19 TestAD named[536]: timed out resolving '0.debian.pool.ntp.org/A/IN': 8.8.8.8#53
Jul 20 20:41:19 TestAD named[536]: timed out resolving '0.debian.pool.ntp.org/AAAA/IN': 8.8.8.8#53
Jul 20 20:41:20 TestAD named[536]: resolver priming query complete
Jul 20 20:41:21 TestAD named[536]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)

Samba-ad-dc running
Jul 20 20:41:17 TestAD samba[538]:   binary_smbd_main: samba: using 'prefork' process model
Jul 20 20:41:17 TestAD systemd[1]: Started Samba AD Daemon.
Jul 20 20:41:17 TestAD winbindd[661]: [2022/07/20 20:41:17.476249,  0] ../../source3/winbindd/winbindd.c:1722(main)
Jul 20 20:41:17 TestAD winbindd[661]:   winbindd version 4.15.7-Debian started.
Jul 20 20:41:17 TestAD winbindd[661]:   Copyright Andrew Tridgell and the Samba Team 1992-2021
Jul 20 20:41:17 TestAD smbd[633]: [2022/07/20 20:41:17.523870,  0] ../../source3/smbd/server.c:1734(main)
Jul 20 20:41:17 TestAD smbd[633]:   smbd version 4.15.7-Debian started.
Jul 20 20:41:17 TestAD smbd[633]:   Copyright Andrew Tridgell and the Samba Team 1992-2021
Jul 20 20:41:17 TestAD winbindd[661]: [2022/07/20 20:41:17.586761,  0] ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbin>
Jul 20 20:41:17 TestAD winbindd[661]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
--

# kinit maurizio
kinit: Client 'maurizio@CALORO.M' not found in Kerberos database while getting initial credentials

# kinit maurizio@CALORO.M
kinit: Client 'maurizio@CALORO.M' not found in Kerberos database while getting initial credentials

# kinit administrator@CALORO.M
kinit: Client 'administrator@CALORO.M' not found in Kerberos database while getting initial credentials

--


On 20.07.2022 at 09:56, L. van Belle via samba wrote:
> 3 points..
>
> Did you set a PTR record for the servers? If not, do so.
>
> In krb5.conf
> Restore the Debian default, it's sufficient.
> This is all you need for a normal AD-AD/Kerberos domain basically.
>
> [libdefaults]
>          default_realm = CALORO.M
>          dns_lookup_kdc = yes
>          dns_lookup_realm = no
>          ticket_lifetime = 24h
>
> And show /etc/resolv.conf
> is the primary DNSDomain the first resolving domain?
>
> Run these.
> apt remove --autoremove --purge krb5-kdc
> apt satisfy winbind samba
>
> that should do it.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba <samba-bounces at lists.samba.org> On behalf of Maurizio Caloro via samba
>> Sent: Tuesday, 19 July 2022 22:56
>> To: Rowland Penny via samba <samba at lists.samba.org>
>> Subject: Re: [Samba] Kerberos kinit not running
>>
>>
>> On 19.07.2022 at 22:32, Rowland Penny via samba wrote:
>>> On Tue, 2022-07-19 at 22:09 +0200, Maurizio Caloro via samba wrote:
>>>> ● krb5-kdc.service - Kerberos 5 Key Distribution Center
>>>>         Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
>>> Turn this off and remove it, you are running two kdc's, the Heimdal one
>>> built into Samba and the MIT kdc.
>>>
>>> Rowland
>> Thanks for the quick help, krb5-kdc is gone
>>     -->rc  krb5-kdc    1.18.3-6+deb11u1    amd64    MIT Kerberos key server (KDC)
>>
>> Or do I need to delete all this?
>>
>> # dpkg -l | grep krb5*
>> ii  krb5-config    2.6+nmu1    all    Configuration files for Kerberos Version 5
>> rc  krb5-kdc    1.18.3-6+deb11u1    amd64    MIT Kerberos key server (KDC)
>> ii  krb5-locales    1.18.3-6+deb11u1    all internationalization support for MIT Kerberos
>> ii  krb5-multidev:amd64    1.18.3-6+deb11u1    amd64 development files for MIT Kerberos without Heimdal conflict
>> ii  krb5-user    1.18.3-6+deb11u1    amd64    basic programs to authenticate using MIT Kerberos
>> ii  libgssapi-krb5-2:amd64    1.18.3-6+deb11u1    amd64    MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
>> ii  libkrb5-26-heimdal:amd64    7.7.0+dfsg-2    amd64    Heimdal Kerberos - libraries
>> ii  libkrb5-3:amd64    1.18.3-6+deb11u1    amd64    MIT Kerberos runtime libraries
>> ii  libkrb5-dev:amd64    1.18.3-6+deb11u1    amd64    headers and development libraries for MIT Kerberos
>> ii  libkrb5support0:amd64    1.18.3-6+deb11u1    amd64    MIT Kerberos runtime libraries - Support library
>>
>> but still the same
>>
>> # kinit Administrator@CALORO.M
>> kinit: Client 'Administrator@CALORO.M' not found in Kerberos database while getting initial credentials
>>
>
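
The checks raised in the replies above (realm in krb5.conf, first search domain in resolv.conf, whether the MIT krb5-kdc package is still installed beside Samba's built-in KDC), collected as an added POSIX shell example that is not part of the thread or written by its participants. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): the checks suggested in the replies,
# run against text inputs so they can be tried offline.

# Print default_realm from the [libdefaults] section of a krb5.conf file.
krb5_default_realm() {
    awk '/^[ \t]*\[/ { lib = ($0 ~ /\[libdefaults\]/); next }
         lib && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Print the first domain on the "search" line of a resolv.conf file.
resolv_first_search() {
    awk '$1 == "search" { print $2; exit }' "$1"
}

# Read `dpkg -l` output on stdin; print the krb5-kdc state column
# ("ii" installed, "rc" removed with config files left) or "absent".
mit_kdc_state() {
    awk '$2 == "krb5-kdc" { print $1; hit = 1; exit }
         END { if (!hit) print "absent" }'
}

# check_dc KRB5_CONF RESOLV_CONF DPKG_LIST: print findings, return 1 on a problem.
check_dc() {
    realm=$(krb5_default_realm "$1" | tr 'A-Z' 'a-z')
    dom=$(resolv_first_search "$2" | tr 'A-Z' 'a-z')
    state=$(mit_kdc_state < "$3")
    bad=0
    [ -n "$realm" ] && [ "$realm" = "$dom" ] ||
        { echo "FAIL: first search domain '$dom' != realm '$realm'"; bad=1; }
    case $state in
        ii) echo "FAIL: MIT krb5-kdc installed next to Samba's built-in KDC"; bad=1 ;;
        rc) echo "NOTE: krb5-kdc removed, config files remain (purge clears them)" ;;
    esac
    return $bad
}

# Constructed sample inputs modelled on the files shown in the thread.
tmp=$(mktemp -d)
printf '[libdefaults]\n\tdefault_realm = CALORO.M\n\tdns_lookup_kdc = yes\n' > "$tmp/krb5.conf"
printf 'search CALORO.M\nnameserver 192.168.10.254\n' > "$tmp/resolv.conf"
printf 'ii  krb5-user  1.18.3-6+deb11u1 amd64 x\nrc  krb5-kdc  1.18.3-6+deb11u1 amd64 x\n' > "$tmp/dpkg.txt"
check_dc "$tmp/krb5.conf" "$tmp/resolv.conf" "$tmp/dpkg.txt" && echo "OK"
```

On a live host the same functions take `/etc/krb5.conf`, `/etc/resolv.conf` and a file holding the output of `dpkg -l`.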


