2 Samba4-DCs with OpenLDAP 2.4.8 in Multi-Master-Replication
Oliver Liebel
oliver at itc.li
Mon Apr 7 10:51:24 GMT 2008
Andrew Bartlett wrote:
> On Sat, 2008-04-05 at 15:50 +0200, Oliver Liebel wrote:
>
>> Used Versions:
>> OpenLDAP 2.4.8
>> Samba4 from git (Fri Apr 4 16:03:54 2008 +0200)
>> Rev-Info
>> 7fccd85
>> 1207317834
>> 7fccd85cc673c139bc1d57915e0fccd22316998c
>>
>>
>> Setup First DC1 (hostname samba4) with OL as Backend.
>> Backend-Provisioning with:
>> #> bin/smbpython setup/provision-backend --realm=LDAP.LOCAL.SITE
>> --domain=LDAP --ldap-manager-pass=linux --ldap-backend-type=openldap
>> --simple-bind-dn="cn=Manager,dc=ldap,dc=local,dc=site"
>>
>> - slapd.conf creation only works correctly if an smb.conf with the wanted
>> settings exists, otherwise the hostname [cn=samba4] is used as Base-DN,
>> tested it several times
>>
>
> You need to include the --server-role parameter. We provision as a
> standalone server by default (because even while everyone wants Samba4
> as a DC at this point, I don't want to ever get back to 'samba4 broke my
> network' because someone didn't actually want a DC).
>
>
Works fine now with the additional parameter, thanks for the tip.
> I'm adding some output to make clear how it has been configured.
>
>
>> after that, same procedure on DC2 (samba4dc2),
>> using the domain-sid from DC1 for provision,
>> with second slapd listening on DC2 on port 9000, everything ok.
>> after that, stopped smbd and slapd on DC2, then tried to join DC1, where
>> the following error occurs:
>>
>> #> net join LDAP BDC -U administrator -d 4
>>
I took a look over the debug output again, and found some additional
messages. Looks like DC2 can't find the KDC of DC1 (samba4.ldap.local.site)
during the join operation:
Server claims it's principal name is SAMBA4$@LDAP.LOCAL.SITE
Starting GENSEC submechanism gssapi_krb5
kinit for Administrator@LDAP.LOCAL.SITE failed (Cannot contact any KDC for requested realm: unable to reach any KDC in realm LDAP.LOCAL.SITE)
Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for requested realm
Cannot reach a KDC we require to contact cifs@SAMBA4
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
although the KDC on DC1 is up and running (nmap on DC1 shows that ports 88
and 464 are open).
I left the krb-related settings in smb.conf on both DCs unchanged, so
they should point to the correct ports.
Then I tried to point DC2 (the DC on which I start the join operation)
explicitly to the KDC of DC1:
password server = samba4.ldap.local.site
but it seems to make no difference (I guess the default value "*" looks
for all existing KDCs).
After creating a small krb5.conf on DC2 pointing to the KDC of DC1, the
KDC is found and the errors listed above disappear, but the error
messages from update_keytab.so still remain (as you already mentioned
below) and the host and service principals for DC2 are not created.
smbd debug output from DC1 during the join:
Kerberos: AS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@LDAP.LOCAL.SITE
Kerberos: AS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- Administrator@LDAP.LOCAL.SITE
Kerberos: Looking for ENC-TS pa-data -- Administrator@LDAP.LOCAL.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@LDAP.LOCAL.SITE using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2008-04-07T12:41:09 starttime: unset endtime: 2008-04-07T22:41:08 renew till: unset
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for cifs/samba4@LDAP.LOCAL.SITE
Kerberos: TGS-REQ authtime: 2008-04-07T12:41:09 starttime: 2008-04-07T12:41:09 endtime: 2008-04-07T22:41:08 renew till: unset
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE [forwarded, forwardable]
Kerberos: Bad request for forwardable ticket
Kerberos: Failed building TGS-REP to 192.168.198.134
Found account name from PAC: Administrator []
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for ldap/samba4@LDAP.LOCAL.SITE
Kerberos: TGS-REQ authtime: 2008-04-07T12:41:09 starttime: 2008-04-07T12:41:09 endtime: 2008-04-07T22:41:08 renew till: unset
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE [forwarded, forwardable]
Kerberos: Bad request for forwardable ticket
Kerberos: Failed building TGS-REP to 192.168.198.134
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Found account name from PAC: Administrator []
Kerberos: TGS-REQ Administrator@LDAP.LOCAL.SITE from 192.168.198.134 for krbtgt/LDAP.LOCAL.SITE@LDAP.LOCAL.SITE [forwarded, forwardable]
Kerberos: Bad request for forwardable ticket
Kerberos: Failed building TGS-REP to 192.168.198.134
> Once the segfault in the keytab module is resolved, this should work.
>
> Thank you very much for your patience with this.
>
> Andrew Bartlett
>
Greetings,
Oliver
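The thread's "Cannot contact any KDC" error went away once DC2 had a krb5.conf naming DC1's KDC explicitly. The following is an added example, not code from the thread or from Samba: a minimal parser for the krb5.conf [realms] section (so an admin can check which KDCs a client can reach without relying on DNS SRV records) plus a TCP probe of the KDC port, the same check the nmap run above performed. The realm and hostnames are taken from the thread; the config text itself is constructed here.

```python
import re
import socket

# Constructed krb5.conf in the shape the thread describes for DC2.
KRB5_CONF = """
[libdefaults]
    default_realm = LDAP.LOCAL.SITE
    dns_lookup_kdc = false

[realms]
    LDAP.LOCAL.SITE = {
        kdc = samba4.ldap.local.site:88
        kpasswd_server = samba4.ldap.local.site:464
    }
"""

def parse_realms(conf_text):
    """Return {REALM: [(host, port), ...]} for every kdc line in [realms]."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)      # section header, e.g. [realms]
        if m:
            section = m.group(1)
            continue
        if section != "realms":
            continue
        m = re.match(r"([\w.\-]+)\s*=\s*\{$", line)   # REALM = {
        if m:
            current = m.group(1)
            realms.setdefault(current, [])    # realm present even with no kdc
            continue
        if line == "}":
            current = None
            continue
        m = re.match(r"kdc\s*=\s*([\w.\-]+)(?::(\d+))?$", line)
        if m and current:                      # port defaults to 88 (kerberos)
            realms[current].append((m.group(1), int(m.group(2) or 88)))
    return realms

def kdc_reachable(host, port=88, timeout=2.0):
    """TCP probe of the KDC port; False means the join would fail the same way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

An empty list (or missing realm) from parse_realms with dns_lookup_kdc disabled is exactly the state in which the client has no KDC to contact.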