[Samba] First Linux Machine Domain Join
John R. Graham
john at graham-family.org
Sun Nov 17 17:30:58 UTC 2024
On 11/16/24 16:15, Rowland Penny via samba wrote:
> It isn't really required to run nmbd now, it is the NetBIOS daemon and
> isn't really used. You just need to start the smbd and winbindd daemons.
Understood. I'm working on getting Gentoo's configuration defaults changed.
>> (Note that this machine uses dhcpcd to get its IP address and the
>> contents of /etc/resolv.conf.)
> If by 'dhcpcd' you mean dhcpdc5, then I could never get that to work, I
> always removed it, but you might.
It works very well "out of the box" here; a Gentoo developer is the
current maintainer. Then again, it's at version 10.1.0 now.
> What should work (well it does on Debian), 'hostname -s' should produce
> the computer's short hostname, 'hostname -d' should produce the DNS
> domain name, 'hostname -i' should produce the computer's IP address (but
> could possibly give 127.0.0.1), 'hostname -I' should also produce the
> IP address (but could give more)
>
All of these produce the output you've described, except for the last
one because Gentoo's hostname (from the net-utils package) doesn't have
an -I option.
I've been working through the Testing Dynamic DNS Updates wiki page. I'm
getting a slew of "TSIG error with server: tsig verify failure" messages
from that:
ceres ~ # samba_dnsupdate --verbose --all-names --debuglevel=10
...
29 DNS updates and 0 DNS deletes needed
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 352
Received smb_krb5 packet of length 285
kinit for CERES$@SAMDOM.EXAMPLE.COM succeeded
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism gssapi_krb5_sasl
Ticket in credentials cache for CERES$@SAMDOM.EXAMPLE.COM will
expire in 36000 secs
gensec_update_send: gssapi_krb5_sasl[0x55641a320e90]: subreq:
0x5564186e3970
gensec_update_done: gssapi_krb5_sasl[0x55641a320e90]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]:
state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state
(0x5564186e3b50)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
Successfully obtained Kerberos ticket to
DNS/ceres.samdom.example.com as CERES$
update(nsupdate): A ceres.samdom.example.com 192.168.123.250
Calling nsupdate for A ceres.samdom.example.com 192.168.123.250 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for CERES$@SAMDOM.EXAMPLE.COM will expire in
36000 secs
gensec_update_send: gssapi_krb5_sasl[0x55641a320e90]: subreq:
0x5564186e3970
gensec_update_done: gssapi_krb5_sasl[0x55641a320e90]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]:
state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state
(0x5564186e3b50)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
Successfully obtained Kerberos ticket to
DNS/ceres.samdom.example.com as CERES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ceres.samdom.example.com. 900 IN A 192.168.123.250
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): CNAME
86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com
ceres.samdom.example.com
Calling nsupdate for CNAME
86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com
ceres.samdom.example.com (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for CERES$@SAMDOM.EXAMPLE.COM will expire in
36000 secs
gensec_update_send: gssapi_krb5_sasl[0x55641a4e9840]: subreq:
0x5564186e3970
gensec_update_done: gssapi_krb5_sasl[0x55641a4e9840]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x5564186e3970/../../source4/auth/gensec/gensec_gssapi.c:1059]:
state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state
(0x5564186e3b50)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1070]
Successfully obtained Kerberos ticket to
DNS/ceres.samdom.example.com as CERES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com. 900 IN
CNAME ceres.samdom.example.com.
; TSIG error with server: tsig verify failure
...
I saw some earlier list posts about this error but didn't see a
definitive diagnosis.
- John
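
Added example, not part of the original post and not Samba's own code: a small Python triage of `samba_dnsupdate --verbose` output like that quoted above. It re-joins the wrapped "Calling nsupdate for" lines and reports, per record, whether a Kerberos ticket was obtained before the TSIG error; the function names and the trimmed SAMPLE text are assumptions made for illustration.

```python
import re

# Constructed sample: trimmed from the output quoted in the post, e-mail wrapping kept.
SAMPLE = """\
Calling nsupdate for A ceres.samdom.example.com 192.168.123.250 (add)
Successfully obtained Kerberos ticket to
DNS/ceres.samdom.example.com as CERES$
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for CNAME
86845c01-74f5-4851-be8d-8efa6f3580c4._msdcs.samdom.example.com
ceres.samdom.example.com (add)
Successfully obtained Kerberos ticket to
DNS/ceres.samdom.example.com as CERES$
; TSIG error with server: tsig verify failure
"""

CALL = "Calling nsupdate for"
OP_END = re.compile(r"\s\((\w+)\)$")          # "(add)" is the only op on the page
TSIG = re.compile(r"^;\s*TSIG error with server:\s*(.+)$")
FAILED = re.compile(r"^Failed nsupdate:\s*(\d+)$")

def triage(text):
    """Return one dict per attempted update, in log order."""
    attempts, pending = [], None  # pending: parts of a wrapped "Calling" line
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(CALL):
            pending = [line[len(CALL):].strip()]
        elif pending is not None:
            pending.append(line)
        elif attempts:
            cur = attempts[-1]
            if line.startswith("Successfully obtained Kerberos ticket"):
                cur["ticket"] = True
            elif m := TSIG.match(line):
                cur["tsig_error"] = m.group(1)
            elif m := FAILED.match(line):
                cur["exit_code"] = int(m.group(1))
        if pending is None:
            continue
        header = " ".join(pending).strip()
        if m := OP_END.search(header):  # header complete: "<record> (<op>)"
            attempts.append({"record": header[:m.start()], "op": m.group(1),
                             "ticket": False, "tsig_error": None, "exit_code": None})
            pending = None
    return attempts

def tsig_failures(attempts):
    """Records that authenticated (ticket obtained) but failed TSIG verify."""
    return [a["record"] for a in attempts if a["ticket"] and a["tsig_error"]]
```

Feeding it the full saved output lists which of the attempted updates obtained a ticket and still ended in a TSIG error.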