[Samba] Kerberos kinit not running

Maurizio Caloro maurizio at caloro.ch
Wed Jul 20 20:32:58 UTC 2022


yes, I am running this command as root

root at TestAD:/home/maurizio# samba-tool dns zonecreate 192.168.10.254 10.168.192.in-addr.arpa
Password for [CALORO\maurizio]:
ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 881, in run
     res = dns_conn.DnssrvOperation2(client_version, 0, server, None,
root at TestAD:/home/maurizio#

--

root at TestAD:/home/maurizio# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";

root at TestAD:/home/maurizio# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

zone "caloro.m" {
         type master;
         file "/etc/bind/caloro.m";
         };

zone "10.168.192.in-addr.arpa" {
         type master;
         file "/etc/bind/reverse.caloro.m";
         };


root at TestAD:/home/maurizio# cat /etc/bind/caloro.m
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     caloro.m. root.caloro.m. (
                               2         ; Serial
                          604800         ; Refresh
                           86400         ; Retry
                         2419200         ; Expire
                          604800 )       ; Negative Cache TTL
;
@       IN      NS      caloro.m.
@       IN      A       192.168.10.254
@       IN      AAAA    ::1
testad          IN      A       192.168.10.254
hpelite830      IN      A       192.168.10.88

--

root at TestAD:/home/maurizio# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
         passdb backend = samba_dsdb
         realm = TESTAD.CALORO.M
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         winbind expand groups = 2
         workgroup = CALORO
         rpc_server:tcpip = no
         rpc_daemon:spoolssd = embedded
         rpc_server:spoolss = embedded
         rpc_server:winreg = embedded
         rpc_server:ntsvcs = embedded
         rpc_server:eventlog = embedded
         rpc_server:srvsvc = embedded
         rpc_server:svcctl = embedded
         rpc_server:default = external
         winbindd:use external pipes = true
         idmap_ldb:use rfc2307 = yes
         idmap config * : backend = tdb
         map archive = No
         vfs objects = dfs_samba4 acl_xattr

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[netlogon]
         path = /var/lib/samba/sysvol/testad.caloro.m/scripts
         read only = No

root at TestAD:/home/maurizio#




thanks

Am 20.07.2022 um 22:16 schrieb Rowland Penny via samba:
> On Wed, 2022-07-20 at 21:53 +0200, Maurizio Caloro via samba wrote:
>> hello Louis
>>
>> Thanks first for your answer and your Script to implement Samba !!
>> i have now installed from scratch debian 11 installation, but the
>> same
>> result.
>>
>> the Samba 4.15.7 setup are build with BIND
>>
>> samba-tool dns zonecreate 192.168.10.254 10.168.192.in-addr.arpa
>> Password for [CALORO\maurizio]:
>> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
> Did you run the samba-tool command as root ?
>
>>     File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line
>> 186, in _run
>>       return self.run(*args, **kwargs)
>>     File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line
>> 881,
>> in run
>>       res = dns_conn.DnssrvOperation2(client_version, 0, server, None,
>>
>> --
>>
>> # cat /etc/krb5.conf
>> [libdefaults]
>>           default_realm = CALORO.M
>>           dns_lookup_kdc = yes
>>           dns_lookup_realm = no
>>           ticket_lifetime = 24h
>>
>> --
>>
>> # cat /etc/bind/named.conf
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/bind-dns/named.conf";
> Please post the contents of files above.
>   
>> # cat /etc/resolv.conf
>> domain CALORO.M
>> search CALORO.M
>> nameserver 192.168.10.254
>>
>> # dpkg -l | grep krb5
>> ii  krb5-config                    2.6+nmu1 all
>> Configuration
>> files for Kerberos Version 5
>> ii  krb5-locales                   1.18.3-6+deb11u1 all
>> internationalization support for MIT Kerberos
>> ii  krb5-user                      1.18.3-6+deb11u1 amd64
>> basic
>> programs to authenticate using MIT Kerberos
>> ii  libgssapi-krb5-2:amd64         1.18.3-6+deb11u1 amd64        MIT
>> Kerberos runtime libraries - krb5 GSS-API Mechanism
>> ii  libkrb5-3:amd64                1.18.3-6+deb11u1 amd64        MIT
>> Kerberos runtime libraries
>> ii  libkrb5support0:amd64          1.18.3-6+deb11u1 amd64        MIT
>> Kerberos runtime libraries - Support library
>>
>> bind running
>> Jul 20 20:41:17 TestAD named[536]: zone 10.168.192.in-addr.arpa/IN:
>> loaded serial 1
>> Jul 20 20:41:17 TestAD named[536]: zone 255.in-addr.arpa/IN: loaded
>> serial 1
>> Jul 20 20:41:17 TestAD named[536]: zone caloro.m/IN: loaded serial 2
>> Jul 20 20:41:17 TestAD named[536]: all zones loaded
>> Jul 20 20:41:17 TestAD named[536]: running
>> Jul 20 20:41:18 TestAD named[536]: timed out resolving
>> './DNSKEY/IN':
>> 8.8.8.8#53
>> Jul 20 20:41:19 TestAD named[536]: timed out resolving
>> '0.debian.pool.ntp.org/A/IN': 8.8.8.8#53
>> Jul 20 20:41:19 TestAD named[536]: timed out resolving
>> '0.debian.pool.ntp.org/AAAA/IN': 8.8.8.8#53
>> Jul 20 20:41:20 TestAD named[536]: resolver priming query complete
>> Jul 20 20:41:21 TestAD named[536]: managed-keys-zone: Key 20326 for
>> zone
>> . is now trusted (acceptance timer complete)
> If that is everything the logs show when Bind9 starts, then there isn't
> enough there.
>
> It may help if you post the output of 'testparm -s'
>
> Rowland
>
>
>


