[Samba] Kerberos kinit not running

Rowland Penny rpenny at samba.org
Wed Jul 20 20:16:22 UTC 2022


On Wed, 2022-07-20 at 21:53 +0200, Maurizio Caloro via samba wrote:
> hello Louis
> 
> Thanks first for your answer and your script to implement Samba!!
> I have now installed Debian 11 from scratch, but the same result.
> 
> The Samba 4.15.7 setup is built with BIND
> 
> samba-tool dns zonecreate 192.168.10.254 10.168.192.in-addr.arpa
> Password for [CALORO\maurizio]:
> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')

Did you run the samba-tool command as root?

>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 881, in run
>      res = dns_conn.DnssrvOperation2(client_version, 0, server, None,
> 
> --
> 
> # cat /etc/krb5.conf
> [libdefaults]
>          default_realm = CALORO.M
>          dns_lookup_kdc = yes
>          dns_lookup_realm = no
>          ticket_lifetime = 24h
> 
> --
> 
> # cat /etc/bind/named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/bind-dns/named.conf";

Please post the contents of the files above.
 
> 
> # cat /etc/resolv.conf
> domain CALORO.M
> search CALORO.M
> nameserver 192.168.10.254
> 
> # dpkg -l | grep krb5
> ii  krb5-config                    2.6+nmu1         all          Configuration files for Kerberos Version 5
> ii  krb5-locales                   1.18.3-6+deb11u1 all          internationalization support for MIT Kerberos
> ii  krb5-user                      1.18.3-6+deb11u1 amd64        basic programs to authenticate using MIT Kerberos
> ii  libgssapi-krb5-2:amd64         1.18.3-6+deb11u1 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                1.18.3-6+deb11u1 amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64          1.18.3-6+deb11u1 amd64        MIT Kerberos runtime libraries - Support library
> 
> bind running
> Jul 20 20:41:17 TestAD named[536]: zone 10.168.192.in-addr.arpa/IN: loaded serial 1
> Jul 20 20:41:17 TestAD named[536]: zone 255.in-addr.arpa/IN: loaded serial 1
> Jul 20 20:41:17 TestAD named[536]: zone caloro.m/IN: loaded serial 2
> Jul 20 20:41:17 TestAD named[536]: all zones loaded
> Jul 20 20:41:17 TestAD named[536]: running
> Jul 20 20:41:18 TestAD named[536]: timed out resolving './DNSKEY/IN': 8.8.8.8#53
> Jul 20 20:41:19 TestAD named[536]: timed out resolving '0.debian.pool.ntp.org/A/IN': 8.8.8.8#53
> Jul 20 20:41:19 TestAD named[536]: timed out resolving '0.debian.pool.ntp.org/AAAA/IN': 8.8.8.8#53
> Jul 20 20:41:20 TestAD named[536]: resolver priming query complete
> Jul 20 20:41:21 TestAD named[536]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)

Is that the total shown in the logs when Bind9 starts? If it is,
then there isn't enough.

It may help if you post the output of 'testparm -s'.

Rowland




