[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.

Rowland Penny rpenny at samba.org
Thu Jun 9 06:19:27 UTC 2022


On Wed, 2022-06-08 at 16:05 -0700, Matthew Schumacher via samba wrote:
> On 6/7/22 12:27 AM, Rowland Penny via samba wrote:
> > > Thanks for the reply.
> > > 
> > > I looked for documentation on how to convert from MIT to Heimdal,
> > > but
> > > didn't see anything.  Can I simply rebuild and re-deploy or do I
> > > need
> > > to
> > > demote each domain controller then add it back in again?
> > > 
> > > Thanks,
> > > schu
> > > 
> > Just add another DC that uses Heimdal and then demote one of your
> > existing DCs, repeat until you have no DCs running MIT.
> > 
> > Rowland
> > 
> > 
> 
> I took some time to recompile and test out.  This page
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> suggests you call kinit before you join the domain but kinit is from
> my OS now since kerberos is internal.  I think this might have
> something to do with the next error which is I can't join the domain
> with "--dns-backend=BIND9_DLZ"
> 
> I get the following:
> 
> root at auth:/var/lib/samba/private# samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
> Password for [ADMIN\administrator]:
> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
> Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Setting account password for AUTH$
> Enabling account
> Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
> Join failed - cleaning up
> Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0
>  > <>
>    File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
>      join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>    File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
>      ctx.do_join()
>    File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
>      ctx.join_add_objects()
>    File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
>      ctx.samdb.add(msg)
> 
> If I join the domain without BIND9, it works fine, but it appears to
> skip the DNS install:
> 
> samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --server masterdc
> 
> What is interesting is that I can demote this controller then
> immediately add it back with bind9:
> 
> samba-tool domain demote -U"ADMIN\administrator" --server masterdc
> samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
> 
> It works, but samba binds its own internal DNS to port 53 and bind9
> can't be started.  I also figured out that if I add a krb5.conf file in
> my samba/private directory I can get it to join the domain even with
> "--dns-backend=BIND9_DLZ" but the result is the same in that samba
> appears to use its own DNS server.
> 
> Is there a way to use the internal kerberos and external DNS or should I
> try to set up bind as a caching forwarder to internal DNS bound to a
> different IP or port?
> 
> I looked around in the documentation but didn't see anything obvious
> regarding how different DNS systems depend on different Kerberos
> systems.
> 
> Thanks,
> Matt
> 

It sounds like you are running Samba as an AD DC using the dns domain
'domain.net' and it also sounds like you are running an MIT kdc using
the same dns domain.

If this is the case, choose one (preferably the MIT kdc) and turn it
off.

Rowland
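The two symptoms in this thread (a second KDC answering for the same realm, and Samba's internal DNS holding port 53 so that bind9 cannot start) both show up as more than one process owning an AD DC port. The following is an added example, not code from the thread or from the Samba project: it parses the shape of `ss -lntupH` output and reports, per DNS backend, which AD DC ports are held by something other than the expected owner. The sample listener table is constructed, not a real capture, and the expected process names (`samba` on 88 and on 53 for the internal DNS, `named` on 53 for BIND9_DLZ) are assumptions; a Samba built against MIT Kerberos runs its KDC as a separate `krb5kdc` process, so on such a build that name would have to be added to the expected set for port 88.

```python
"""Flag competing listeners on the ports a Samba AD DC expects to own.

Added example for the thread above; not Samba project code. Process
names and the sample listener table below are assumptions/constructed.
"""
import re
from collections import defaultdict

# Ports a Samba AD DC must own for joins and Kerberos auth to work.
AD_DC_PORTS = {53: "DNS", 88: "Kerberos"}

# Expected owner per port, keyed by the --dns-backend value of the join.
# Assumption: a Heimdal-built samba listens on 88 itself; with a MIT-built
# samba the KDC shows up as "krb5kdc" and would belong in the 88 set.
EXPECTED_OWNERS = {
    "SAMBA_INTERNAL": {53: {"samba"}, 88: {"samba"}},
    "BIND9_DLZ":      {53: {"named"}, 88: {"samba"}},
}

# Constructed sample, NOT a real capture. Same column layout as
# `ss -lntupH`: netid state recv-q send-q local peer process.
SAMPLE_SS = '''\
udp   UNCONN 0 0   0.0.0.0:53    0.0.0.0:* users:(("samba",pid=750,fd=30))
tcp   LISTEN 0 128 0.0.0.0:53    0.0.0.0:* users:(("samba",pid=750,fd=31))
tcp   LISTEN 0 128 [::]:88       [::]:*    users:(("samba",pid=752,fd=40))
udp   UNCONN 0 0   0.0.0.0:88    0.0.0.0:* users:(("krb5kdc",pid=610,fd=7))
tcp   LISTEN 0 10  127.0.0.1:953 0.0.0.0:* users:(("named",pid=620,fd=21))
'''

# Matches one ss line and captures protocol, local socket, process, pid.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text):
    """Return {port: {(process_name, pid), ...}} from ss-style output.

    Lines that do not match (headers, sockets without a users: field)
    are skipped rather than treated as errors.
    """
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Local address may be 0.0.0.0:53, [::]:88 or *:53; the port is
        # always after the last colon.
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners[port].add((m.group("proc"), int(m.group("pid"))))
    return listeners


def find_conflicts(listeners, dns_backend):
    """Return {port: [unexpected process names]} for the given backend.

    A port is a conflict when any process other than the expected owner
    holds it, whether or not the expected owner is also present.
    """
    expected = EXPECTED_OWNERS[dns_backend]
    conflicts = {}
    for port in AD_DC_PORTS:
        procs = {proc for proc, _ in listeners.get(port, ())}
        others = procs - expected[port]
        if others:
            conflicts[port] = sorted(others)
    return conflicts


def report(conflicts):
    """Render conflicts as one line per port, for a pre-join check."""
    return [
        f"port {port} ({AD_DC_PORTS[port]}) also held by: {', '.join(procs)}"
        for port, procs in sorted(conflicts.items())
    ]


if __name__ == "__main__":
    table = parse_ss(SAMPLE_SS)
    for backend in EXPECTED_OWNERS:
        print(f"--dns-backend={backend}")
        for line in report(find_conflicts(table, backend)) or ["  no conflicts"]:
            print(" ", line)
```

On a real host the table comes from `ss -lntupH` run as root (the `users:` field is only populated with enough privilege). With the constructed sample, the BIND9_DLZ check reports both of the thread's failure modes at once: `samba` on 53 where `named` should be, and a stray `krb5kdc` on 88 beside Samba's own KDC.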
