[Samba] Kerberos kinit not running
Maurizio Caloro
maurizio at caloro.ch
Wed Jul 20 21:18:03 UTC 2022
root at TestAD:/home/maurizio# samba-tool testparm
INFO 2022-07-20 22:05:23,177 pid:846
/usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb
config files from /etc/samba/smb.conf
INFO 2022-07-20 22:05:23,178 pid:846
/usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded
services file OK.
Press enter to see a dump of your service definitions
# Global parameters
[global]
	netbios name = TESTAD
	realm = CALORO.M
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	winbind expand groups = 2
	workgroup = CALORO
	idmap_ldb:use rfc2307 = yes


[sysvol]
	path = /var/lib/samba/sysvol
	read only = No


[netlogon]
	path = /var/lib/samba/sysvol/testad.caloro.m/scripts
	read only = No
root at TestAD:/home/maurizio#
--
root at TestAD:/etc/bind# cat named.conf.options
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk. See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	forwarders {
		8.8.8.8;
	};

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys. See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	listen-on { any; };
	empty-zones-enable no;

	// https://wiki.samba.org/index.php/Dns-backend_bind
	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
	minimal-responses yes;
};
--
root at TestAD:/etc/bind# vi /etc/krb5.conf
[libdefaults]
	default_realm = CALORO.M
	dns_lookup_kdc = yes
	dns_lookup_realm = no
	ticket_lifetime = 24h
On 20.07.2022 at 22:50, Rowland Penny via samba wrote:
> On Wed, 2022-07-20 at 22:32 +0200, Maurizio Caloro via samba wrote:
>> root at TestAD:/home/maurizio# cat /etc/bind/named.conf
>> // This is the primary configuration file for the BIND DNS server named.
>> //
>> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>> // structure of BIND configuration files in Debian, *BEFORE* you customize
>> // this configuration file.
>> //
>> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/bind-dns/named.conf";
>>
>> root at TestAD:/home/maurizio# cat /etc/bind/named.conf.local
>> //
>> // Do any local configuration here
>> //
>>
>> // Consider adding the 1918 zones here, if they are not used in your
>> // organization
>> include "/etc/bind/zones.rfc1918";
>>
>> zone "caloro.m" {
>> 	type master;
>> 	file "/etc/bind/caloro.m";
>> };
>>
>> zone "10.168.192.in-addr.arpa" {
>> 	type master;
>> 	file "/etc/bind/reverse.caloro.m";
>> };
>>
>>
> Please remove the zones you added to named.conf.local, they are
> flatfiles and have no place in a DC's Bind9 conf files, they are stored
> in AD.
>
>> root at TestAD:/home/maurizio# cat /etc/bind/caloro.m
> Remove that as well.
>
> Please post the contents of /etc/bind/named.conf.options.
>
>> --
>>
>> root at TestAD:/home/maurizio# testparm -s
> Sorry, I should have said 'samba-tool testparm', but never mind, it has
> shown your major error.
>
>> Load smb config files from /etc/samba/smb.conf
>> Loaded services file OK.
>> Weak crypto is allowed
>>
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> # Global parameters
>> [global]
>> passdb backend = samba_dsdb
>> realm = TESTAD.CALORO.M
> You have 'default_realm = CALORO.M' in /etc/krb5.conf,
> 'TESTAD.CALORO.M' != 'CALORO.M', which is it ?
>
> Rowland
>
>
>
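A small self-check for the two problems Rowland points at in this thread, added here as an example and not part of the original exchange: it compares the `realm` in smb.conf with `default_realm` in krb5.conf, and lists every `zone` declared in named.conf.local, since on a DC using the BIND9_DLZ backend the AD zones are served from AD and flat-file zones have no place there. The function names are my own, and the three config files are constructed inline to reproduce the mismatch quoted above (realm `TESTAD.CALORO.M` in smb.conf, `CALORO.M` in krb5.conf, flat-file zones `caloro.m` and `10.168.192.in-addr.arpa`); on a live DC you would point the functions at /etc/samba/smb.conf, /etc/krb5.conf and /etc/bind/named.conf.local instead.

```shell
#!/bin/sh
# Added example, not code from the original thread or the Samba project.
# Cross-checks the Kerberos realm of a Samba AD DC (smb.conf) against the
# default_realm in krb5.conf, and flags flat-file zones in named.conf.local.
# Function names are my own assumptions.

# Print the "realm = X" value of an smb.conf, upper-cased (Kerberos realms are
# case-sensitive and Samba writes them in upper case).
smb_realm() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# Print the default_realm of a krb5.conf, upper-cased.
krb5_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# Exit 0 when both files name the same (non-empty) realm, 1 otherwise.
realms_match() {
    [ -n "$(smb_realm "$1")" ] && [ "$(smb_realm "$1")" = "$(krb5_realm "$2")" ]
}

# Print the name of every zone "..." declared in a BIND config file, one per
# line. On a DC with the BIND9_DLZ backend any such zone is a flat file that
# should not be there; include lines (e.g. zones.rfc1918) are not matched.
flatfile_zones() {
    sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Run both checks on smb.conf, krb5.conf and named.conf.local (in that order);
# exit 0 when clean, 1 when at least one problem was reported.
check_dc_config() {
    problems=0
    s=$(smb_realm "$1")
    k=$(krb5_realm "$2")
    if [ "$s" != "$k" ]; then
        echo "MISMATCH: smb.conf realm '$s' != krb5.conf default_realm '$k'"
        problems=$((problems + 1))
    fi
    for z in $(flatfile_zones "$3"); do
        echo "FLAT-FILE ZONE: '$z' declared in $3; remove it, DC zones are stored in AD"
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample files reproducing the configuration quoted in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/smb.conf" <<'EOF'
[global]
    realm = TESTAD.CALORO.M
    workgroup = CALORO
    server role = active directory domain controller
EOF
cat >"$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = CALORO.M
    dns_lookup_kdc = yes
EOF
cat >"$tmp/named.conf.local" <<'EOF'
include "/etc/bind/zones.rfc1918";
zone "caloro.m" {
    type master;
    file "/etc/bind/caloro.m";
};
zone "10.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/reverse.caloro.m";
};
EOF
# A krb5.conf whose default_realm agrees with smb.conf, for comparison.
printf '[libdefaults]\n    default_realm = TESTAD.CALORO.M\n' >"$tmp/krb5.fixed.conf"

if check_dc_config "$tmp/smb.conf" "$tmp/krb5.conf" "$tmp/named.conf.local"; then
    echo "config consistent; if kinit still fails, look at DNS, the keytab or clock skew"
else
    echo "fix the problems above, then retry: kinit administrator@$(smb_realm "$tmp/smb.conf")"
fi
```

The realm functions only grep the files; `samba-tool testparm` remains the authority for what Samba actually loaded, so run it first and compare its `realm` line with the script's output if the two disagree.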