Matthias Busch
2015-Mar-12  14:00 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
Hello List,

I have a raspberry pi with raspbian. I am trying to get samba 4.1.17 to work as AD DC and have problems which seem to be dns related...

What I did to get here:
- I removed the preinstalled samba
- installed prerequisites (build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user* docbook-xsl libcups2-dev acl libkrb5-dev)
- installed optionals (acl, python-xattr, util-linux, gnutls-bin, readline-common, cups, python-setproctitle, slapd**)
  (some prerequisites and optionals were already installed)
  (I initially did install xsltproc and docbook but got errors during make at the documentation. removed them and started at config again)
  * krb5 wanted some kerberos data which I didn't have yet, so I gave it some
  ** ldap wanted some stuff and possibly created DC entries which will not be correct for dc=my-domain, dc=local
- got samba 4.1.17 as tar.gz via wget from samba.org
- configure (--prefix=/usr/local/samba --with-piddir=/usr/local/samba/var/run \
    --with-syslog \
    --with-quotas \
    --with-acl-support --enable-debug)
- make
- make install
- added /usr/local/samba/bin and .../sbin to %PATH (all users)
- followed instructions for debian under https://wiki.samba.org/index.php/Samba4/InitScript for init.d script
- setup network/name/etc
  -- network/interfaces: ip is static (192.168.7.254/24, gateway is router .1, dns-nameservers is 192.168.7.254, dns-search is my-domain.local)
  -- hostname is adserver.my-domain.local
  -- hosts is 127.0.0.1 localhost localhost.my-domain and 192.168.7.254 adserver, adserver.my-domain.local
  reboot...
- samba -V shows 4.1.17, smbclient -V shows 4.1.17
- ran samba-tool domain provision --interactive --use-rfc230 (from memory)
  --- realm my-domain.local
  --- domain my-domain (I pressed enter and took the preset)
  --- internal dns
  --- forward dns: 192.168.7.1
  --- gave admin pw
  output was looking good, no error...
- copied the krb5.conf file provided by samba over /etc/krb5.conf (checked content, $(REALM) was replaced by my-domain.local)
  (reboot)

tests --> and results
names do not resolve (except the entries in hosts)
smbclient -L localhost -U% --> session setup failed: NT_STATUS_CONNECTION_REFUSED
kinit administrator@MY-DOMAIN.LOCAL --> kinit: Cannot contact any KDC for realm 'MY-DOMAIN.LOCAL' while getting initial credentials
klist -e --> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
host -t SRV _ldap._tcp.my-domain.local --> ;; connection timed out. no server could be reached
samba_dnsupdate --verbose --> gives a LOT of errors "failed to find dns entry..."

obviously kerberos is having trouble. however, I feel like kerberos has problems because dns has problems. DNS itself seems not to work at all.
Unfortunately I don't know anything about samba's internal dns. I expected it to work "out of the box". Is it a separate service that needs to be started? or a special option for configure?
How do you propose I could fix my dns problem (except "use another dns daemon like bind")?

Any help will be appreciated...
Thanks M.
Peter Serbe
2015-Mar-12  14:56 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
Matthias Busch wrote on 12.03.2015 15:00:
> -- hostname is adserver.my-domain.local

Don't do that. .local is a poor choice. Use something different.
https://wiki.samba.org/index.php/DNS#Avoid_.local_TLD

> -- hosts is 127.0.0.1 localhost localhost.my-domain and 192.168.7.254
> adserver, adserver.my-domain.local

looks good.

The first thing would be to check the configuration. Please post the krb5.conf, smb.conf and maybe nsswitch. Sometimes it happens that some keytabs are not in mode 600 - check the daemon.log for suspicious entries.

> obviously kerberos is having trouble. however, I feel like kerberos has
> problems because dns has problems.
> DNS itself seems not to work at all.

Yes, this is what it looks like. But you need to dig for more information. But the first step is to check the configuration.

Regarding DNS: the bind backend for sure is pickier than the internal DNS... So starting with the internal one definitely is more convenient. Personally I prefer bind as I have years of experience with it (mainly under windows). But when I started with Samba 4.0 I had a very hard time, until the DNS updating process from Samba to Bind worked reliably.

But the main point is this: I suspect your issues stem from something not feeding DNS, i.e. they are located before DNS. Otherwise the internal DNS would work. So check the configuration and scan through daemon.log (and the samba logs, if something is logged here at all).

Regards
Peter
Matthias Busch
2015-Mar-12  15:43 UTC
[Samba] samba 4.1.17 on raspberry pi as ad dc - internal dns problems
Hey Peter,
many thanks for your reply.

--- regarding .local domains
I know this is regarded by some as bad form, is actively being discouraged by the samba wiki and can cause problems with bonjour/zerobla configuration. I can say for certain that no apple devices will ever come anywhere near that network and the other drawbacks of .local like getting signed certs... should never be an issue in this case. I am hesitant to use .net (the domain I own) in fear of having dns issues. I do not control the NS for the internet accessible .net domain either. In the end, unless .local causes problems like "software X will not work with .local", I should be fine.

--- DNS seems fixed
I was further looking around and studying /var/log/syslog, looking for hints, when I saw some signs of slapd taking ports and causing samba to throw errors (can't bind to port). I removed slapd and rebooted:
- DNS works for internet domains
- host -t SRV _ldap._tcp.my-domain.local --> looking good
- samba_dnsupdate --verbose --> looking good
- smbclient -L localhost -U% --> showing shares

--- Kerberos still on the fritz
kinit administrator@MY-DOMAIN.LOCAL --> kinit: Cannot contact any KDC for realm 'MY-DOMAIN.LOCAL' while getting initial credentials
klist -e --> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

--- /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = MY-DOMAIN
        realm = MY-DOMAIN.LOCAL
        netbios name = ADSERVER
        server role = active directory domain controller
        dns forwarder = 192.168.7.1
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/fam-busch.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

--- /etc/krb5.conf
[libdefaults]
        default_realm = MY-DOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

--- nsswitch
??? what's that? where?
find / -iname "nsswitch" shows 3 directories in my samba 4.1.17 source directory

--- checking daemon.log now and googling a bit about krb5.
If anything strikes you as odd and/or you have ideas to try, I'll look forward to hearing about it.
Thanks M.
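The root cause Matthias found by reading syslog (slapd already holding the LDAP ports, so samba could not bind and neither its internal DNS nor the KDC came up properly) can be checked directly from the socket table instead of by hunting through logs. The script below is an added example, not code from this thread or from the Samba project. It parses the output format of `ss -lntup` (iproute2, run as root so the process column is present), flags any listener on a port an AD DC needs that is not owned by a Samba process, and lists DC ports with no listener at all. The `ss` listing embedded in it is constructed to mirror the situation in the thread; the DC port list is the standard AD DC service set and is not taken from the thread.

```python
"""Spot non-Samba listeners on the ports a Samba AD DC needs.

Added example, not from the mailing-list thread or the Samba project.
Assumes `ss -lntup` from iproute2 run as root (so the users:(...) column
is present). SAMPLE_SS is a constructed listing resembling the thread:
slapd bound 389/636 before samba started.
"""
import re
import subprocess

# Ports a Samba AD DC (internal DNS, KDC, LDAP, SMB, RPC) must bind.
# Standard AD DC service ports; the dynamic RPC range is not covered.
DC_PORTS = {
    53: "dns", 88: "kerberos", 135: "rpc endpoint mapper",
    137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
    389: "ldap", 445: "smb", 464: "kpasswd", 636: "ldaps",
    3268: "global catalog", 3269: "global catalog ssl",
}
SAMBA_PROCS = {"samba", "smbd", "nmbd", "winbindd"}

# Constructed sample of `ss -lntup` output (not real captured data).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*     users:(("samba",pid=601,fd=40))
tcp   LISTEN 0      10           0.0.0.0:53        0.0.0.0:*     users:(("samba",pid=601,fd=41))
tcp   LISTEN 0      128          0.0.0.0:389       0.0.0.0:*     users:(("slapd",pid=412,fd=7))
tcp   LISTEN 0      128             [::]:389          [::]:*     users:(("slapd",pid=412,fd=8))
tcp   LISTEN 0      128          0.0.0.0:636       0.0.0.0:*     users:(("slapd",pid=412,fd=9))
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*     users:(("smbd",pid=611,fd=33))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=300,fd=3))
"""

# One ss row: proto, state, queues, local addr:port, peer, then the
# first process in the users:(...) column. Handles [::]:port too.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Yield (proto, port, process, pid) for each listener row."""
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["proto"], int(m["port"]), m["proc"], int(m["pid"]))


def find_conflicts(ss_output):
    """Listeners on DC ports whose process is not part of Samba."""
    conflicts = []
    for proto, port, proc, pid in parse_listeners(ss_output):
        if port in DC_PORTS and proc not in SAMBA_PROCS:
            conflicts.append({"proto": proto, "port": port,
                              "service": DC_PORTS[port],
                              "process": proc, "pid": pid})
    return conflicts


def missing_services(ss_output):
    """DC ports with no listener at all: services that did not start."""
    bound = {port for _, port, _, _ in parse_listeners(ss_output)}
    return sorted(p for p in DC_PORTS if p not in bound)


def live_ss_output():
    """Run ss on this host (root needed for the process column)."""
    return subprocess.run(["ss", "-lntup"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_SS):
        print(f"{c['proto']}/{c['port']} ({c['service']}) held by "
              f"{c['process']} pid {c['pid']}")
    print("unbound DC ports:", missing_services(SAMPLE_SS))
```

Run as shown it reports the three slapd sockets on 389 and 636 and lists 88, 464 and the RPC/GC ports as unbound, which is the same picture the syslog "can't bind to port" errors gave, only earlier and in one place. Replace `SAMPLE_SS` with `live_ss_output()` to check a real host; a conflict on 389/636 points at a stray directory server, one on 53 at a resolver such as dnsmasq or bind, and an unbound 88 means no KDC, which is exactly the "Cannot contact any KDC" symptom from kinit.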