[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
Matthew Schumacher
matt.s at aptalaska.net
Wed Jun 8 23:05:49 UTC 2022
On 6/7/22 12:27 AM, Rowland Penny via samba wrote:
>> Thanks for the reply.
>>
>> I looked for documentation on how to convert from MIT to Heimdal,
>> but
>> didn't see anything. Can I simply rebuild and re-deploy or do I need
>> to
>> demote each domain controller then add it back in again?
>>
>> Thanks,
>> schu
>>
> Just add another DC that uses Heimdal and then demote one of your
> existing DCs, repeat until you have no DCs running MIT.
>
> Rowland
>
>
I took some time to recompile and test out. This page
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
suggests you call kinit before you join the domain, but kinit is from
my OS now since Kerberos is internal. I think this might have something
to do with the next error, which is that I can't join the domain with
"--dns-backend=BIND9_DLZ".
I get the following:
root at auth:/var/lib/samba/private# samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
Password for [ADMIN\administrator]:
INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Setting account password for AUTH$
Enabling account
Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
Join failed - cleaning up
Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0> <>
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
    ctx.do_join()
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
    ctx.join_add_objects()
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
    ctx.samdb.add(msg)
If I join the domain without BIND9, it works fine, but it appears to
skip the DNS install:
samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --server masterdc
What is interesting is that I can demote this controller then immediately
add it back with bind9:
samba-tool domain demote -U"ADMIN\administrator" --server masterdc
samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
It works, but samba binds its own internal DNS to port 53 and bind9
can't be started. I also figured out that if I add a krb5.conf file in
my samba/private directory I can get it to join the domain even with
"--dns-backend=BIND9_DLZ", but the result is the same in that samba
appears to use its own DNS server.
Is there a way to use the internal kerberos and external DNS, or should I
try to set up bind as a caching forwarder to internal DNS bound to a
different IP or port?
I looked around in the documentation but didn't see anything obvious
regarding how different DNS systems depend on different Kerberos systems.
Thanks,
Matt
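An added diagnostic for the situation Matt describes (Samba's internal DNS still claiming port 53 after a BIND9_DLZ join); it is example code written for this page, not from the thread or from Samba itself. It parses an smb.conf and reports whether the internal DNS service would still start, assuming the "server services" semantics documented in smb.conf(5), where +name/-name adjust the default list, and the default service list embedded in the code.

```python
import re

# Assumption: Samba's default "server services" list on an AD DC, per smb.conf(5).
DEFAULT_SERVICES = frozenset({
    "s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc", "drepl",
    "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns",
})

def parse_global(conf_text):
    """[global] parameters, keys lowercased/whitespace-normalised like Samba does."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comments are whole lines
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def enabled_services(conf_text):
    """Services Samba would run. Assumed semantics: +name/-name adjust the
    default list; an unprefixed name makes the list explicit."""
    value = parse_global(conf_text).get("server services")
    if value is None:
        return set(DEFAULT_SERVICES)
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    explicit = {t.lower() for t in tokens if t[0] not in "+-"}
    services = explicit if explicit else set(DEFAULT_SERVICES)
    for t in tokens:
        if t[0] == "+":
            services.add(t[1:].lower())
        elif t[0] == "-":
            services.discard(t[1:].lower())
    return services

def internal_dns_enabled(conf_text):
    """True when this smb.conf would start Samba's internal DNS on port 53."""
    return "dns" in enabled_services(conf_text)

# Constructed sample: a DC whose smb.conf still runs the internal DNS, and the
# same file with it removed so BIND9 (BIND9_DLZ back end) can own port 53.
BROKEN_CONF = "[global]\n\tserver role = active directory domain controller\n"
FIXED_CONF = BROKEN_CONF + "\tServer Services = -dns\n[netlogon]\n\tpath = /srv\n"
```

Run it against /etc/samba/smb.conf on the DC before starting bind9; if it reports the internal DNS as enabled, the two servers will contend for port 53.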