[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
Rowland Penny
rpenny at samba.org
Thu Jun 9 06:19:27 UTC 2022
On Wed, 2022-06-08 at 16:05 -0700, Matthew Schumacher via samba wrote:
> On 6/7/22 12:27 AM, Rowland Penny via samba wrote:
> > > Thanks for the reply.
> > >
> > > I looked for documentation on how to convert from MIT to Heimdal,
> > > but
> > > didn't see anything. Can I simply rebuild and re-deploy or do I
> > > need
> > > to
> > > demote each domain controller then add it back in again?
> > >
> > > Thanks,
> > > schu
> > >
> > Just add another DC that uses Heimdal and then demote one of your
> > existing DCs, repeat until you have no DCs running MIT.
> >
> > Rowland
> >
> >
>
> I took some time to recompile and test out. This page
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> suggests you call kinit before you join the domain, but kinit is from
> my OS now since Kerberos is internal. I think this might have something
> to do with the next error, which is that I can't join the domain with
> "--dns-backend=BIND9_DLZ".
>
> I get the following:
>
> root@auth:/var/lib/samba/private# samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
> Password for [ADMIN\administrator]:
> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
> Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Setting account password for AUTH$
> Enabling account
> Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
> Join failed - cleaning up
> Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0> <>
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
>     join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
>     ctx.samdb.add(msg)
>
> If I join the domain without BIND9, it works fine, but it appears to
> skip the DNS install:
>
> samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --server masterdc
>
> What is interesting is that I can demote this controller then
> immediately add it back with bind9:
>
> samba-tool domain demote -U"ADMIN\administrator" --server masterdc
> samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
>
> It works, but samba binds its own internal DNS to port 53 and bind9
> can't be started. I also figured out that if I add a krb5.conf file in
> my samba/private directory I can get it to join the domain even with
> "--dns-backend=BIND9_DLZ", but the result is the same in that samba
> appears to use its own DNS server.
>
> Is there a way to use the internal Kerberos and external DNS, or
> should I try to set up bind as a caching forwarder to internal DNS
> bound to a different IP or port?
>
> I looked around in the documentation but didn't see anything obvious
> regarding how different DNS systems depend on different Kerberos
> systems.
>
> Thanks,
> Matt
>
It sounds like you are running Samba as an AD DC using the DNS domain
'domain.net', and it also sounds like you are running an MIT KDC using
the same DNS domain.
If this is the case, choose one (preferably the MIT KDC) and turn it
off.
Rowland
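The two conditions the thread turns on, samba holding port 53 while BIND is the intended DNS backend, and a second KDC running next to the Samba AD DC, can both be checked from the listening sockets on the host. The script below is an added diagnostic, not code from the thread or from the Samba project. It parses `ss -lntup` output with a small awk function, reads the configured `dns backend` with `testparm --parameter-name` when that tool is present, and reports a conflict for either condition. The `ss` sample embedded in it is constructed to resemble the situation in the thread; the process name `samba` and the PID are made up. A live run needs root so that `ss -p` can show the PIDs of other users' sockets.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread or of Samba): report which processes
# hold the DNS (53) and Kerberos (88) ports on this host and compare that with
# the configured 'dns backend'. Run as root so `ss -p` can name every process.

# Constructed sample of `ss -lntup` output (process name and PID are made up),
# shaped like the thread: samba holds port 53 although BIND is the intended backend.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*     users:(("samba",pid=750,fd=31))
tcp   LISTEN 0      128    0.0.0.0:53        0.0.0.0:*     users:(("samba",pid=750,fd=32))
udp   UNCONN 0      0      0.0.0.0:88        0.0.0.0:*     users:(("samba",pid=750,fd=40))
tcp   LISTEN 0      128    0.0.0.0:389       0.0.0.0:*     users:(("samba",pid=750,fd=45))'

# owners_of_port PORT: read `ss -lntup` output on stdin and print the distinct
# process names bound to PORT, one per line (no output means nothing is bound).
# Field 5 is "Local Address:Port"; the process name sits inside users:(("name",...)).
owners_of_port() {
    awk -v port="$1" '
        $5 ~ (":" port "$") && match($0, /users:\(\("[^"]+"/) {
            name = substr($0, RSTART + 9, RLENGTH - 10)
            if (!(name in seen)) { seen[name] = 1; print name }
        }'
}

# report_conflicts BACKEND: read `ss -lntup` output on stdin, print a summary
# and return 1 when the layout cannot work:
#   - BACKEND is BIND9_DLZ/BIND9_FLATFILE but samba itself holds port 53
#     (the symptom in the thread: named can never bind the port), or
#   - more than one process answers Kerberos on port 88, i.e. a second KDC
#     on the same host next to the one Samba runs as an AD DC.
report_conflicts() {
    backend=$1
    input=$(cat)
    rc=0
    dns_owners=$(printf '%s\n' "$input" | owners_of_port 53)
    kdc_owners=$(printf '%s\n' "$input" | owners_of_port 88)
    echo "dns backend: ${backend:-unknown}"
    echo "port 53 held by: ${dns_owners:-nothing}"
    echo "port 88 held by: ${kdc_owners:-nothing}"
    case $backend in
        BIND9_DLZ|BIND9_FLATFILE)
            if printf '%s\n' "$dns_owners" | grep -qx samba; then
                echo "CONFLICT: dns backend is $backend but samba holds port 53; named cannot start"
                rc=1
            fi ;;
    esac
    if [ "$(printf '%s\n' "$kdc_owners" | grep -c .)" -gt 1 ]; then
        echo "CONFLICT: more than one KDC on port 88: $(printf '%s' "$kdc_owners" | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Live run when the tools exist, otherwise demonstrate on the constructed sample.
if command -v ss >/dev/null 2>&1 && command -v testparm >/dev/null 2>&1; then
    ss -lntup | report_conflicts "$(testparm -s --parameter-name='dns backend' 2>/dev/null)" \
        || echo "-> resolve the conflict above before (re)starting named"
else
    printf '%s\n' "$SAMPLE_SS" | report_conflicts BIND9_DLZ \
        || echo "-> resolve the conflict above before (re)starting named"
fi
```

The port-88 check is only a proxy for what Rowland describes: two KDCs serving the same DNS domain conflict even when they run on different hosts, so a clean result here does not rule that out; it does catch the case where both daemons are on the DC itself.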