[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Mon Jul 24 12:37:55 UTC 2023 

On Mon Jul 24 02:42:33 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 23/07/2023 23:12, Mark Foley via samba wrote:

[deleted]

> >>> Question 2: After setting krb5.conf per the wiki, the kerberos test commands do not work:
> >>>
> >>> # kinit Administrator
> >>> Password for Administrator at hprs.local:
> >>> kinit: KDC reply did not match expectations while getting initial credentials
> > 
> >> I really hope that '.local' is placeholder for the real TLD, '.local' is
> >> reserved for Bonjour and Avahi and, as such, shouldn't be used.
> > 
> > Unfortunately, .local is the name. This whole domain started as a Windows Small
> > Business Server back in 2010 and I replaced the SBS AD/DC with Samba.
> > I did not change original the domain name (hprs.local) as I was very new at this and
> > wasn't sure how that would affect the other Windows workstation in the domain.
> > The other Windows AD domain I'm working on also has .local, so maybe that's a
> > thing with Windows? Anyway, I've disabled/removed Bonjour and Avahi from Windows
> > and Linux workstations when present.
>
> Microsoft used to recommend '.local', they now do not, because if you 
> use it, you have to do what you have done, turn off Bonjour and Avahi.

Yes, I inherited this domain name from the pre-2010 Windows AD.  I'll pass this
info on to the fellow admin'ing the Windows DC.  Apparently he still names the
numerous Windows AD/DCs he admin's with .local. 

I suppose it's too late to change on my setup?

> >> Provided that kerberos and dns are setup correctly, that should work.
> > 
> > I think they are. I followed the wiki instructs for krb5.conf, and I can see the
> > DC and all domain members via 'host'.
> > 
> >>> # klist
> >>> klist: No credentials cache found (filename: /tmp/krb5cc_0)
> >>>
> >>> Does something have to be running first? Note that samba is installed, but not
> >>> running.

[deleted]

> > I can contact the DC and DNS seems to be working. If I run these command
> > on the DC I get:
> > 
> >> kinit
> > Password for Administrator at HPRS.LOCAL:
> > (nothing returned, 0 return status)
> > 
> >> klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator at HPRS.LOCAL
> > 
> > Valid starting       Expires              Service principal
> > 07/23/2023 17:56:29  07/24/2023 03:56:29  krbtgt/HPRS.LOCAL at HPRS.LOCAL
> >          renew until 07/24/2023 17:56:23
> > 
> > So, what do you suggest I do to get kerberos working on this wannbe-DC?
>
> It is working, you have got a ticket for Administrator from your 
> existing DC.

No, those kerberos commands were run *on* the current/old 4.8.2 AD/DC, not on
this new one.  As mentioned in another message, I do have another domain member
Samba version 4.6.16, and the kerberos tests work on that one as well; just not
on this new one. 

> > It is not yet joined to the domain, but I don't think I can do the join until
> > kerberos is working.  Samba is not running. 

> If everything else is set up, it looks like you now need to run the 
> samba-tool command to join your computer as another DC.

I believe I tried that. I documented that in a follow-up email. I see that you
replied to that message, so I'll look at that response.

> > Perhaps there is an issue with which Kerberos is running on the DC versus what's
> > on this new machine?
>
> Until you join the computer as a DC and start Samba, there isn't a KDC 
> running on the computer.

Ah ha! That's what I was thinking and that's why I tried doing the join (but
apparently did not join as a DC. The Joining_a_Samba_DC_to_an_Existing_Active_Directory 
wiki does not say to start Samba before trying the Kerberos test.
The join instructions come after the Kerberos and Time Sync steps.

> > On the DC have have kerberos version Kerberos 5 version 1.11.6

> Is it possible that you are using the OS's MIT kdc rather than the 
> Heimdal built into Samba ?

I have no idea. How would I determine that? 'klist -V' only gives the version
number as shown below, not MIT versus Heimdal.

> > On this new machine I have kerberos version Kerberos 5 version 1.19.2
> > 
> > The version numbers seem to indicate the same kerberos package, but it doesn't
> > say whether it's Heimdal or MIT.
>
> It sounds to me that you are using MIT and if so, that is yet another 
> reason to update. Using a Samba AD DC with a MIT KDC was very 
> experimental at 4.8.x (a lot of things just didn't work, or if they did 
> work, they had missing components), now, whilst there are still minor 
> problems, using MIT doesn't seem to be regarded as experimental.
>
> Rowland

This "new" someday-DC is running Samba 4.15.13 - the most recent available on my
distro.  Would this not be running Heimdal? Its Kerberos version number 1.19.2 is
suspiciously close to the ancient DC's kerberos version 1.11.6, so maybe they're
both running the same, and I going to guess it's Heimdal since the new machine
is much more recent -- but if there were a way to tell which version that would
clinch the question.

Thanks --Mark

More information about the samba mailing list