sambalist.1.olol13 at spamgourmet.com
2015-Mar-19 07:48 UTC
[Samba] Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Good morning! First of all thanks Rowland for the fast answer yesterday! I realized that samba-technical might have been the wrong mailing list and switched it to the normal samba users list (hopefully it worked, as it does get a bit confusing with spamgourmets sendto addresses!). Unfortunately the problem with samba_dnsupdate remains after the changes. I did changed the smb.conf, krb5.conf, and hosts as requested. I am pretty new to both samba and linux and added most lines that looked promising from other threads. Expected the DC itself to be able to join the domain (again), as I remembered it to be possible after a classicupgrade with the samba internal dns. Regarding BIND, I am using version 9.9 on Debian Jessie and read it is not necessary to build it yourself and configure it with dlopen (see here <https://lists.samba.org/archive/samba/2015-January/188049.html>). The driver is supposedly included and also seems to load alright: named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz 19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver 19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen' 19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen' 19-Mar-2015 08:05:26.405 Loading SDLZ driver. 19-Mar-2015 08:05:26.646 samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net 19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully. 19-Mar-2015 08:05:26.646 DLZ driver loaded successfully. 19-Mar-2015 08:05:26.646 samba_dlz: starting configure 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone '11.168.192.in-addr.arpa' 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone ' intranet.mayweg.net' 19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone '_ msdcs.intranet.mayweg.net' The error for samba_dnsupdate --all-names remains (btw, without --all-names it works): ldb: Destroying timer event 0x233f310 "ltdb_timeout" ldb: Ending timer event 0x1d2bb70 "ltdb_callback" Traceback (most recent call last): File "/usr/sbin/samba_dnsupdate", line 612, in <module> get_credentials(lp) File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials raise e RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot contact any KDC for requested realm) Again, I'm very grateful for any hints where the problem could originate from. Greetings, Timo On 18 March 2015 at 19:57, Rowland Penny - repenny241155 at gmail.com < sambalist.olol13.20ba6b371d.repenny241155#gmail.com at ob.0sg.net> wrote:> On 18/03/15 17:05, sambalist.1.olol13 at spamgourmet.com wrote: > >> Hello, >> >> I am trying to upgrade an Samba 3 DC to an Samba 4 AD DC with BIND9_DLZ >> backend on Debian Jessie. Before I was using tinydns on a different server >> and want to replace it with BIND. >> I'm trying this with copies of virtual machines in a different subnet (The >> debian jessie AD DC and DNS, a Win7 Client used for RSAT tools >> administration, a debian squeezy file server that is part of the domain >> and >> an xp client). >> For the most part the new configuration is working, a lot thanks to >> exploration of the wiki and the mailing list archives, but I cannot >> resolve >> the hostnames of domain members and think it is because dynamic DNS >> updates >> through kerberos aren't working. >> >> When I try "samba_dnsupdate --verbose --all-names", I get the following >> error: >> ldb: Destroying timer event 0x1a42d10 "ltdb_timeout" >> ldb: Ending timer event 0x1859f30 "ltdb_callback" >> Traceback (most recent call last): >> File "/usr/sbin/samba_dnsupdate", line 612, in <module> >> get_credentials(lp) >> File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials >> raise e >> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot >> contact any KDC for requested realm) >> >> I can join the domain with windows & linux machines and administer it and >> the dns server with RSAT tools. Neither SELinux nor Apparmor are present. >> >> The dns tests from the samba ad dc howto >> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend> >> were >> all successful: >> host -t SRV _ldap._tcp.intranet.mayweg.net. >> _ldap._tcp.intranet.mayweg.net has SRV record 0 100 389 >> server06.intranet.mayweg.net. >> host -t SRV _kerberos._udp.intranet.mayweg.net. >> _kerberos._udp.intranet.mayweg.net has SRV record 0 100 88 >> server06.intranet.mayweg.net. >> host -t A server06.intranet.mayweg.net. >> server06.intranet.mayweg.net has address 192.168.11.250 >> >> I can resolve the server06.intranet.mayweg.net and intranet.mayweg.net on >> all machines, but hostnames of machines I joined to the domain are not >> resolvable from other domain members. A linux machine that joined had the >> output: >> Joined 'SERVER13' to realm 'intranet.mayweg.net' >> DNS update failed! >> >> I can get kerberos tickets on all machines, and join the domain using net >> ads join from all of them but the ad dc itself. >> On server06 "net ads join -Uadministrator" returns >> Failed to join domain: This operation is only allowed for the PDC of the >> domain. Maybe this has something to do with the dns updates not working. >> > > You do not run 'net ads join' on a DC, the provision does it for you (or > as in your case, the upgrade procedure) > > >> >> I'll follow up with version info and configuration files (interfaces, >> resolv.conf, hosts, smb.conf, krb5.conf, named.conf). >> Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT >> implementations of krb5-admin-server and krb5-kdc installed and configured >> until I realized Samba4 brings the heimdal implementation of kerberos with >> it. I uninstalled the MIT parts afterwards. Configuration files: >> >> >> /etc/network/interfaces: >> auto lo >> iface lo inet loopback >> >> auto eth0 >> iface eth0 inet static >> address 192.168.11.250 >> netmask 255.255.255.0 >> network 192.168.11.0 >> broadcast 192.168.11.255 >> >> >> /etc/resolv.conf: >> nameserver 192.168.11.250 #had 127.0.0.1 before with the same error >> domain intranet.mayweg.net >> >> >> /etc/hosts: >> 127.0.0.1 localhost localhost.localdomain >> 192.168.11.250 server06.intranet.mayweg.net server06 >> krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net >> > > Remove everything from the '192.168.11.250' line from 'krb' onwards, they > shouldn't be there. > > > >> # The following lines are desirable for IPv6 capable hosts >> ::1 localhost ip6-localhost ip6-loopback >> ff02::1 ip6-allnodes >> ff02::2 ip6-allrouters >> >> >> /etc/samba/smb.conf: >> [global] >> workgroup = MAYWEG.NET >> realm = INTRANET.MAYWEG.NET >> netbios name = SERVER06 >> interfaces = lo, eth0 >> bind interfaces only = Yes >> server role = active directory domain controller >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, >> ntp_signd, kcc, dnsupdate >> idmap_ldb:use rfc2307 = yes >> #added after classicupgrade >> kerberos method = system keytab >> client ldap sasl wrapping = sign >> allow dns updates = nonsecure and secure >> nsupdate command = /usr/bin/nsupdate -g >> domain logons = yes >> >> [netlogon] >> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> >> > remove everything you added to smb.conf > > /etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf): >> [libdefaults] >> default_realm = INTRANET.MAYWEG.NET >> dns_lookup_realm = true #changed to true >> dns_lookup_kdc = true >> >> #added after classicupgrade >> >> [realms] >> INTRANET.MAYWEG.NET = { >> kdc = krb.intranet.mayweg.net >> admin_server = krb.intranet.mayweg.net >> default_domain = intranet.mayweg.net >> } >> >> [domain_realm] >> >> .intranet.mayweg.net = INTRANET.MAYWEG.NET >> intranet.mayweg.net = INTRANET.MAYWEG.NET >> >> [logging] >> kdc = FILE:/var/log/kerberos/krb5kdc.log >> admin_server = FILE:/var/log/kerberos/kadmin.log >> default = FILE:/var/log/kerberos/krb5lib.log >> >> > Change krb5.conf back to what it was. > > > /etc/bind/named.conf (copied together from the includes...): >> zone "." { >> type hint; >> file "/etc/bind/db.root"; >> }; >> // be authoritative for the localhost forward and reverse zones, and for >> // broadcast zones as per RFC 1912 >> >> zone "localhost" { >> type master; >> file "/etc/bind/db.local"; >> }; >> >> zone "127.in-addr.arpa" { >> type master; >> file "/etc/bind/db.127"; >> }; >> >> zone "0.in-addr.arpa" { >> type master; >> file "/etc/bind/db.0"; >> }; >> >> zone "255.in-addr.arpa" { >> type master; >> file "/etc/bind/db.255"; >> }; >> dlz "AD DNS Zone" { >> # For BIND 9.8.x >> # database "dlopen /usr/lib/x86_64-linux-gnu/ >> samba/bind9/dlz_bind9.so"; >> >> # For BIND 9.9.x >> database "dlopen /usr/lib/x86_64-linux-gnu/ >> samba/bind9/dlz_bind9_9.so"; >> >> # For BIND 9.10.x >> # database "dlopen >> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so"; >> }; >> logging { >> channel update_debug { >> file "/var/log/update_debug.log" versions 3 size 100k; >> severity debug; >> print-severity yes; >> print-time yes; >> }; >> channel security_info { >> file "/var/log/security_info.log" versions 1 size 100k; >> severity info; >> print-severity yes; >> print-time yes; >> }; >> channel bind_log { >> file "/var/log/bind.log" versions 3 size 1m; >> severity info; >> print-category yes; >> print-severity yes; >> print-time yes; >> }; >> >> category default { bind_log; }; >> category lame-servers { null; }; >> category update { update_debug; }; >> category update-security { update_debug; }; >> category security { security_info; }; >> }; >> options { >> directory "/var/named"; >> recursion yes; >> dnssec-validation auto; >> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; >> auth-nxdomain yes; >> notify no; >> empty-zones-enable no; >> allow-query { >> 127.0.0.1; >> 192.168.11.0/24; >> # add other networks you want to allow to query your DNS >> }; >> allow-query-cache { >> 127.0.0.1; >> 192.168.11.0/24; >> # add other networks you want to allow to query your DNS >> }; >> allow-recursion { >> 192.168.11.0/24; >> 127.0.0.1; >> # add other networks you want to allow to do recursive queries >> }; >> forwarders { >> # Google public DNS server here - replace with your own if >> necessary >> }; >> allow-transfer { >> # this config is for a single master DNS server >> none; >> }; >> }; >> >> I hope I provided all the necessary information and am grateful for any >> hints on where to look for a fix to this problem. >> >> Greetings, >> Timo >> > > Finally, was the version of bind you are using configured with dlopen ? > > Rowland > > >
sambalist.1.olol13 at spamgourmet.com
2015-Mar-19 08:38 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Good morning! First of all thanks Rowland for the fast answer yesterday! I realized that samba-technical might have been the wrong mailing list and switched it to the normal samba users list (hopefully it worked, as it does get a bit confusing with spamgourmets addresses!). Unfortunately the problem with samba_dnsupdate remains after the changes. I did changed the smb.conf, krb5.conf, and hosts as requested. I am pretty new to both samba and linux and added most lines to the configs that looked promising. Expected the DC itself to be able to join the domain (again), as I remembered it to be possible after a classicupgrade with the samba internal dns. Regarding BIND, I am using version 9.9 on Debian Jessie and read it is not necessary to build it yourself and configure it with dlopen (see here <https://lists.samba.org/archive/samba/2015-January/188049.html>). The driver is supposedly included and also seems to load alright: named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz 19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver 19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen' 19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen' 19-Mar-2015 08:05:26.405 Loading SDLZ driver. 19-Mar-2015 08:05:26.646 samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net 19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully. 19-Mar-2015 08:05:26.646 DLZ driver loaded successfully. 19-Mar-2015 08:05:26.646 samba_dlz: starting configure 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone '11.168.192.in-addr.arpa' 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone ' intranet.mayweg.net' 19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone '_ msdcs.intranet.mayweg.net' The error for samba_dnsupdate --all-names remains (btw, without --all-names it works): ldb: Destroying timer event 0x233f310 "ltdb_timeout" ldb: Ending timer event 0x1d2bb70 "ltdb_callback" Traceback (most recent call last): File "/usr/sbin/samba_dnsupdate", line 612, in <module> get_credentials(lp) File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials raise e RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot contact any KDC for requested realm) Again, I'm very grateful for any hints where the problem could originate from. Greetings, Timo On 18 March 2015 at 19:57, Rowland Penny - repenny241155 at gmail.com < sambalist.olol13.20ba6b371d.repenny241155#gmail.com at ob.0sg.net> wrote:> On 18/03/15 17:05, sambalist.1.olol13 at spamgourmet.com wrote: > >> Hello, >> >> I am trying to upgrade an Samba 3 DC to an Samba 4 AD DC with BIND9_DLZ >> backend on Debian Jessie. Before I was using tinydns on a different server >> and want to replace it with BIND. >> I'm trying this with copies of virtual machines in a different subnet (The >> debian jessie AD DC and DNS, a Win7 Client used for RSAT tools >> administration, a debian squeezy file server that is part of the domain >> and >> an xp client). >> For the most part the new configuration is working, a lot thanks to >> exploration of the wiki and the mailing list archives, but I cannot >> resolve >> the hostnames of domain members and think it is because dynamic DNS >> updates >> through kerberos aren't working. >> >> When I try "samba_dnsupdate --verbose --all-names", I get the following >> error: >> ldb: Destroying timer event 0x1a42d10 "ltdb_timeout" >> ldb: Ending timer event 0x1859f30 "ltdb_callback" >> Traceback (most recent call last): >> File "/usr/sbin/samba_dnsupdate", line 612, in <module> >> get_credentials(lp) >> File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials >> raise e >> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot >> contact any KDC for requested realm) >> >> I can join the domain with windows & linux machines and administer it and >> the dns server with RSAT tools. Neither SELinux nor Apparmor are present. >> >> The dns tests from the samba ad dc howto >> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend> >> were >> all successful: >> host -t SRV _ldap._tcp.intranet.mayweg.net. >> _ldap._tcp.intranet.mayweg.net has SRV record 0 100 389 >> server06.intranet.mayweg.net. >> host -t SRV _kerberos._udp.intranet.mayweg.net. >> _kerberos._udp.intranet.mayweg.net has SRV record 0 100 88 >> server06.intranet.mayweg.net. >> host -t A server06.intranet.mayweg.net. >> server06.intranet.mayweg.net has address 192.168.11.250 >> >> I can resolve the server06.intranet.mayweg.net and intranet.mayweg.net on >> all machines, but hostnames of machines I joined to the domain are not >> resolvable from other domain members. A linux machine that joined had the >> output: >> Joined 'SERVER13' to realm 'intranet.mayweg.net' >> DNS update failed! >> >> I can get kerberos tickets on all machines, and join the domain using net >> ads join from all of them but the ad dc itself. >> On server06 "net ads join -Uadministrator" returns >> Failed to join domain: This operation is only allowed for the PDC of the >> domain. Maybe this has something to do with the dns updates not working. >> > > You do not run 'net ads join' on a DC, the provision does it for you (or > as in your case, the upgrade procedure) > > >> >> I'll follow up with version info and configuration files (interfaces, >> resolv.conf, hosts, smb.conf, krb5.conf, named.conf). >> Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT >> implementations of krb5-admin-server and krb5-kdc installed and configured >> until I realized Samba4 brings the heimdal implementation of kerberos with >> it. I uninstalled the MIT parts afterwards. Configuration files: >> >> >> /etc/network/interfaces: >> auto lo >> iface lo inet loopback >> >> auto eth0 >> iface eth0 inet static >> address 192.168.11.250 >> netmask 255.255.255.0 >> network 192.168.11.0 >> broadcast 192.168.11.255 >> >> >> /etc/resolv.conf: >> nameserver 192.168.11.250 #had 127.0.0.1 before with the same error >> domain intranet.mayweg.net >> >> >> /etc/hosts: >> 127.0.0.1 localhost localhost.localdomain >> 192.168.11.250 server06.intranet.mayweg.net server06 >> krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net >> > > Remove everything from the '192.168.11.250' line from 'krb' onwards, they > shouldn't be there. > > > >> # The following lines are desirable for IPv6 capable hosts >> ::1 localhost ip6-localhost ip6-loopback >> ff02::1 ip6-allnodes >> ff02::2 ip6-allrouters >> >> >> /etc/samba/smb.conf: >> [global] >> workgroup = MAYWEG.NET >> realm = INTRANET.MAYWEG.NET >> netbios name = SERVER06 >> interfaces = lo, eth0 >> bind interfaces only = Yes >> server role = active directory domain controller >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, >> ntp_signd, kcc, dnsupdate >> idmap_ldb:use rfc2307 = yes >> #added after classicupgrade >> kerberos method = system keytab >> client ldap sasl wrapping = sign >> allow dns updates = nonsecure and secure >> nsupdate command = /usr/bin/nsupdate -g >> domain logons = yes >> >> [netlogon] >> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> >> > remove everything you added to smb.conf > > /etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf): >> [libdefaults] >> default_realm = INTRANET.MAYWEG.NET >> dns_lookup_realm = true #changed to true >> dns_lookup_kdc = true >> >> #added after classicupgrade >> >> [realms] >> INTRANET.MAYWEG.NET = { >> kdc = krb.intranet.mayweg.net >> admin_server = krb.intranet.mayweg.net >> default_domain = intranet.mayweg.net >> } >> >> [domain_realm] >> >> .intranet.mayweg.net = INTRANET.MAYWEG.NET >> intranet.mayweg.net = INTRANET.MAYWEG.NET >> >> [logging] >> kdc = FILE:/var/log/kerberos/krb5kdc.log >> admin_server = FILE:/var/log/kerberos/kadmin.log >> default = FILE:/var/log/kerberos/krb5lib.log >> >> > Change krb5.conf back to what it was. > > > /etc/bind/named.conf (copied together from the includes...): >> zone "." { >> type hint; >> file "/etc/bind/db.root"; >> }; >> // be authoritative for the localhost forward and reverse zones, and for >> // broadcast zones as per RFC 1912 >> >> zone "localhost" { >> type master; >> file "/etc/bind/db.local"; >> }; >> >> zone "127.in-addr.arpa" { >> type master; >> file "/etc/bind/db.127"; >> }; >> >> zone "0.in-addr.arpa" { >> type master; >> file "/etc/bind/db.0"; >> }; >> >> zone "255.in-addr.arpa" { >> type master; >> file "/etc/bind/db.255"; >> }; >> dlz "AD DNS Zone" { >> # For BIND 9.8.x >> # database "dlopen /usr/lib/x86_64-linux-gnu/ >> samba/bind9/dlz_bind9.so"; >> >> # For BIND 9.9.x >> database "dlopen /usr/lib/x86_64-linux-gnu/ >> samba/bind9/dlz_bind9_9.so"; >> >> # For BIND 9.10.x >> # database "dlopen >> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so"; >> }; >> logging { >> channel update_debug { >> file "/var/log/update_debug.log" versions 3 size 100k; >> severity debug; >> print-severity yes; >> print-time yes; >> }; >> channel security_info { >> file "/var/log/security_info.log" versions 1 size 100k; >> severity info; >> print-severity yes; >> print-time yes; >> }; >> channel bind_log { >> file "/var/log/bind.log" versions 3 size 1m; >> severity info; >> print-category yes; >> print-severity yes; >> print-time yes; >> }; >> >> category default { bind_log; }; >> category lame-servers { null; }; >> category update { update_debug; }; >> category update-security { update_debug; }; >> category security { security_info; }; >> }; >> options { >> directory "/var/named"; >> recursion yes; >> dnssec-validation auto; >> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; >> auth-nxdomain yes; >> notify no; >> empty-zones-enable no; >> allow-query { >> 127.0.0.1; >> 192.168.11.0/24; >> # add other networks you want to allow to query your DNS >> }; >> allow-query-cache { >> 127.0.0.1; >> 192.168.11.0/24; >> # add other networks you want to allow to query your DNS >> }; >> allow-recursion { >> 192.168.11.0/24; >> 127.0.0.1; >> # add other networks you want to allow to do recursive queries >> }; >> forwarders { >> # Google public DNS server here - replace with your own if >> necessary >> }; >> allow-transfer { >> # this config is for a single master DNS server >> none; >> }; >> }; >> >> I hope I provided all the necessary information and am grateful for any >> hints on where to look for a fix to this problem. >> >> Greetings, >> Timo >> > > Finally, was the version of bind you are using configured with dlopen ? > > Rowland > > >
sambalist.1.olol13 at spamgourmet.com schrieb am 19.03.2015 09:38:> The error for samba_dnsupdate --all-names remains (btw, without --all-names > it works): > ldb: Destroying timer event 0x233f310 "ltdb_timeout" > ldb: Ending timer event 0x1d2bb70 "ltdb_callback" > Traceback (most recent call last): > File "/usr/sbin/samba_dnsupdate", line 612, in <module> > get_credentials(lp) > File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials > raise e > RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot > contact any KDC for requested realm)Obviously the first thing to do is to get Kerberos working. See: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO Go to 'Testing Kerberos'. Check the hosts file, too, as it is needed to resolve the name of the KDC. HTH - Peter
Timo Altun
2015-Mar-19 09:30 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Thank you for the answers Peter and Rowland and sorry to everybody for the spam...switched to another e-mail address and hope my messages will arrive only once from now on. As I wrote in my first mail, Kerberos does work. I can successfully request and list a ticket on the AC DC. kinit administrator at INTRANET.MAYWEG.NET Password for administrator at INTRANET.MAYWEG.NET: klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator at INTRANET.MAYWEG.NET Valid starting Expires Service principal 19.03.2015 10:05:48 19.03.2015 20:05:48 krbtgt/ INTRANET.MAYWEG.NET at INTRANET.MAYWEG.NET renew until 20.03.2015 10:05:46 Rowland, I did not change the DNS-Server to bind, I removed smb.conf and /var/lib/samba/private and redid the classicupgrade with the --dns-backend=BIND9_DLZ option. Timo Good morning! First of all thanks Rowland for the fast answer yesterday! I realized that samba-technical might have been the wrong mailing list and switched it to the normal samba users list (hopefully it worked, as it does get a bit confusing with spamgourmets sendto addresses!). Unfortunately the problem with samba_dnsupdate remains after the changes. I did changed the smb.conf, krb5.conf, and hosts as requested. I am pretty new to both samba and linux and added most lines that looked promising from other threads. Expected the DC itself to be able to join the domain (again), as I remembered it to be possible after a classicupgrade with the samba internal dns. Regarding BIND, I am using version 9.9 on Debian Jessie and read it is not necessary to build it yourself and configure it with dlopen (see here <https://lists.samba.org/archive/samba/2015-January/188049.html>). The driver is supposedly included and also seems to load alright: named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz 19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver 19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen' 19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen' 19-Mar-2015 08:05:26.405 Loading SDLZ driver. 19-Mar-2015 08:05:26.646 samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net 19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully. 19-Mar-2015 08:05:26.646 DLZ driver loaded successfully. 19-Mar-2015 08:05:26.646 samba_dlz: starting configure 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone '11.168.192.in-addr.arpa' 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone ' intranet.mayweg.net' 19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone '_ msdcs.intranet.mayweg.net' The error for samba_dnsupdate --all-names remains (btw, without --all-names it works): ldb: Destroying timer event 0x233f310 "ltdb_timeout" ldb: Ending timer event 0x1d2bb70 "ltdb_callback" Traceback (most recent call last): File "/usr/sbin/samba_dnsupdate", line 612, in <module> get_credentials(lp) File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials raise e RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot contact any KDC for requested realm) Again, I'm very grateful for any hints where the problem could originate from. Greetings, Timo On 18 March 2015 at 19:57, Rowland Penny - repenny241155 at gmail.com < sambalist.olol13.20ba6b371d.repenny241155#gmail.com at ob.0sg.net> wrote:> On 18/03/15 17:05, sambalist.1.olol13 at spamgourmet.com wrote: > >> Hello, >> >> I am trying to upgrade an Samba 3 DC to an Samba 4 AD DC with BIND9_DLZ >> backend on Debian Jessie. Before I was using tinydns on a differentserver>> and want to replace it with BIND. >> I'm trying this with copies of virtual machines in a different subnet(The>> debian jessie AD DC and DNS, a Win7 Client used for RSAT tools >> administration, a debian squeezy file server that is part of the domain >> and >> an xp client). >> For the most part the new configuration is working, a lot thanks to >> exploration of the wiki and the mailing list archives, but I cannot >> resolve >> the hostnames of domain members and think it is because dynamic DNS >> updates >> through kerberos aren't working. >> >> When I try "samba_dnsupdate --verbose --all-names", I get the following >> error: >> ldb: Destroying timer event 0x1a42d10 "ltdb_timeout" >> ldb: Ending timer event 0x1859f30 "ltdb_callback" >> Traceback (most recent call last): >> File "/usr/sbin/samba_dnsupdate", line 612, in <module> >> get_credentials(lp) >> File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials >> raise e >> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot >> contact any KDC for requested realm) >> >> I can join the domain with windows & linux machines and administer it and >> the dns server with RSAT tools. Neither SELinux nor Apparmor are present. >> >> The dns tests from the samba ad dc howto >> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend> >> were >> all successful: >> host -t SRV _ldap._tcp.intranet.mayweg.net. >> _ldap._tcp.intranet.mayweg.net has SRV record 0 100 389 >> server06.intranet.mayweg.net. >> host -t SRV _kerberos._udp.intranet.mayweg.net. >> _kerberos._udp.intranet.mayweg.net has SRV record 0 100 88 >> server06.intranet.mayweg.net. >> host -t A server06.intranet.mayweg.net. >> server06.intranet.mayweg.net has address 192.168.11.250 >> >> I can resolve the server06.intranet.mayweg.net and intranet.mayweg.net on >> all machines, but hostnames of machines I joined to the domain are not >> resolvable from other domain members. A linux machine that joined had the >> output: >> Joined 'SERVER13' to realm 'intranet.mayweg.net' >> DNS update failed! >> >> I can get kerberos tickets on all machines, and join the domain using net >> ads join from all of them but the ad dc itself. >> On server06 "net ads join -Uadministrator" returns >> Failed to join domain: This operation is only allowed for the PDC of the >> domain. Maybe this has something to do with the dns updates not working. >> > > You do not run 'net ads join' on a DC, the provision does it for you (or > as in your case, the upgrade procedure) > > >> >> I'll follow up with version info and configuration files (interfaces, >> resolv.conf, hosts, smb.conf, krb5.conf, named.conf). >> Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT >> implementations of krb5-admin-server and krb5-kdc installed andconfigured>> until I realized Samba4 brings the heimdal implementation of kerberoswith>> it. I uninstalled the MIT parts afterwards. Configuration files: >> >> >> /etc/network/interfaces: >> auto lo >> iface lo inet loopback >> >> auto eth0 >> iface eth0 inet static >> address 192.168.11.250 >> netmask 255.255.255.0 >> network 192.168.11.0 >> broadcast 192.168.11.255 >> >> >> /etc/resolv.conf: >> nameserver 192.168.11.250 #had 127.0.0.1 before with the same error >> domain intranet.mayweg.net >> >> >> /etc/hosts: >> 127.0.0.1 localhost localhost.localdomain >> 192.168.11.250 server06.intranet.mayweg.net server06 >> krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net >> > > Remove everything from the '192.168.11.250' line from 'krb' onwards, they > shouldn't be there. > > > >> # The following lines are desirable for IPv6 capable hosts >> ::1 localhost ip6-localhost ip6-loopback >> ff02::1 ip6-allnodes >> ff02::2 ip6-allrouters >> >> >> /etc/samba/smb.conf: >> [global] >> workgroup = MAYWEG.NET >> realm = INTRANET.MAYWEG.NET >> netbios name = SERVER06 >> interfaces = lo, eth0 >> bind interfaces only = Yes >> server role = active directory domain controller >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind,>> ntp_signd, kcc, dnsupdate >> idmap_ldb:use rfc2307 = yes >> #added after classicupgrade >> kerberos method = system keytab >> client ldap sasl wrapping = sign >> allow dns updates = nonsecure and secure >> nsupdate command = /usr/bin/nsupdate -g >> domain logons = yes >> >> [netlogon] >> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> >> > remove everything you added to smb.conf > > /etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf): >> [libdefaults] >> default_realm = INTRANET.MAYWEG.NET >> dns_lookup_realm = true #changed to true >> dns_lookup_kdc = true >> >> #added after classicupgrade >> >> [realms] >> INTRANET.MAYWEG.NET = { >> kdc = krb.intranet.mayweg.net >> admin_server = krb.intranet.mayweg.net >> default_domain = intranet.mayweg.net >> } >> >> [domain_realm] >> >> .intranet.mayweg.net = INTRANET.MAYWEG.NET >> intranet.mayweg.net = INTRANET.MAYWEG.NET >> >> [logging] >> kdc = FILE:/var/log/kerberos/krb5kdc.log >> admin_server = FILE:/var/log/kerberos/kadmin.log >> default = FILE:/var/log/kerberos/krb5lib.log >> >> > Change krb5.conf back to what it was. > > > /etc/bind/named.conf (copied together from the includes...): >> zone "." { >> type hint; >> file "/etc/bind/db.root"; >> }; >> // be authoritative for the localhost forward and reverse zones, and for >> // broadcast zones as per RFC 1912 >> >> zone "localhost" { >> type master; >> file "/etc/bind/db.local"; >> }; >> >> zone "127.in-addr.arpa" { >> type master; >> file "/etc/bind/db.127"; >> }; >> >> zone "0.in-addr.arpa" { >> type master; >> file "/etc/bind/db.0"; >> }; >> >> zone "255.in-addr.arpa" { >> type master; >> file "/etc/bind/db.255"; >> }; >> dlz "AD DNS Zone" { >> # For BIND 9.8.x >> # database "dlopen /usr/lib/x86_64-linux-gnu/ >> samba/bind9/dlz_bind9.so"; >> >> # For BIND 9.9.x >> database "dlopen /usr/lib/x86_64-linux-gnu/ >> samba/bind9/dlz_bind9_9.so"; >> >> # For BIND 9.10.x >> # database "dlopen >> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so"; >> }; >> logging { >> channel update_debug { >> file "/var/log/update_debug.log" versions 3 size 100k; >> severity debug; >> print-severity yes; >> print-time yes; >> }; >> channel security_info { >> file "/var/log/security_info.log" versions 1 size 100k; >> severity info; >> print-severity yes; >> print-time yes; >> }; >> channel bind_log { >> file "/var/log/bind.log" versions 3 size 1m; >> severity info; >> print-category yes; >> print-severity yes; >> print-time yes; >> }; >> >> category default { bind_log; }; >> category lame-servers { null; }; >> category update { update_debug; }; >> category update-security { update_debug; }; >> category security { security_info; }; >> }; >> options { >> directory "/var/named"; >> recursion yes; >> dnssec-validation auto; >> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; >> auth-nxdomain yes; >> notify no; >> empty-zones-enable no; >> allow-query { >> 127.0.0.1; >> 192.168.11.0/24; >> # add other networks you want to allow to query your DNS >> }; >> allow-query-cache { >> 127.0.0.1; >> 192.168.11.0/24; >> # add other networks you want to allow to query your DNS >> }; >> allow-recursion { >> 192.168.11.0/24; >> 127.0.0.1; >> # add other networks you want to allow to do recursive queries >> }; >> forwarders { >> # Google public DNS server here - replace with your own if >> necessary >> }; >> allow-transfer { >> # this config is for a single master DNS server >> none; >> }; >> }; >> >> I hope I provided all the necessary information and am grateful for any >> hints on where to look for a fix to this problem. >> >> Greetings, >> Timo >> > > Finally, was the version of bind you are using configured with dlopen ? > > Rowland > > >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Mar-19 09:51 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
On 19/03/15 09:30, Timo Altun wrote:> Thank you for the answers Peter and Rowland and sorry to everybody for the > spam...switched to another e-mail address and hope my messages will arrive > only once from now on. > As I wrote in my first mail, Kerberos does work. I can successfully request > and list a ticket on the AC DC. > > kinit administrator at INTRANET.MAYWEG.NET > Password for administrator at INTRANET.MAYWEG.NET: > > klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: administrator at INTRANET.MAYWEG.NET > Valid starting Expires Service principal > 19.03.2015 10:05:48 19.03.2015 20:05:48 krbtgt/ > INTRANET.MAYWEG.NET at INTRANET.MAYWEG.NET > renew until 20.03.2015 10:05:46 > > Rowland, I did not change the DNS-Server to bind, I removed smb.conf and > /var/lib/samba/private and redid the classicupgrade with the > --dns-backend=BIND9_DLZ > option. > > Timo > > > > Good morning! > > First of all thanks Rowland for the fast answer yesterday! I realized that > samba-technical might have been the wrong mailing list and switched it to > the normal samba users list (hopefully it worked, as it does get a bit > confusing with spamgourmets sendto addresses!). Unfortunately the problem > with samba_dnsupdate remains after the changes. > I did changed the smb.conf, krb5.conf, and hosts as requested. I am pretty > new to both samba and linux and added most lines that looked promising from > other threads. Expected the DC itself to be able to join the domain > (again), as I remembered it to be possible after a classicupgrade with the > samba internal dns. > > Regarding BIND, I am using version 9.9 on Debian Jessie and read it is not > necessary to build it yourself and configure it with dlopen (see here > <https://lists.samba.org/archive/samba/2015-January/188049.html>). > The driver is supposedly included and also seems to load alright: > > named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz > 19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver > 19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen' > 19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen' > 19-Mar-2015 08:05:26.405 Loading SDLZ driver. > 19-Mar-2015 08:05:26.646 samba_dlz: started for DN > DC=intranet,DC=mayweg,DC=net > 19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully. > 19-Mar-2015 08:05:26.646 DLZ driver loaded successfully. > 19-Mar-2015 08:05:26.646 samba_dlz: starting configure > 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone > '11.168.192.in-addr.arpa' > 19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone ' > intranet.mayweg.net' > 19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone '_ > msdcs.intranet.mayweg.net' > > > The error for samba_dnsupdate --all-names remains (btw, without --all-names > it works): > ldb: Destroying timer event 0x233f310 "ltdb_timeout" > ldb: Ending timer event 0x1d2bb70 "ltdb_callback" > Traceback (most recent call last): > File "/usr/sbin/samba_dnsupdate", line 612, in <module> > get_credentials(lp) > File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials > raise e > RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot > contact any KDC for requested realm) > > > Again, I'm very grateful for any hints where the problem could originate > from. > Greetings, > Timo > > > On 18 March 2015 at 19:57, Rowland Penny - repenny241155 at gmail.com < > sambalist.olol13.20ba6b371d.repenny241155#gmail.com at ob.0sg.net> wrote: > >> On 18/03/15 17:05, sambalist.1.olol13 at spamgourmet.com wrote: >> >>> Hello, >>> >>> I am trying to upgrade an Samba 3 DC to an Samba 4 AD DC with BIND9_DLZ >>> backend on Debian Jessie. Before I was using tinydns on a different > server >>> and want to replace it with BIND. >>> I'm trying this with copies of virtual machines in a different subnet > (The >>> debian jessie AD DC and DNS, a Win7 Client used for RSAT tools >>> administration, a debian squeezy file server that is part of the domain >>> and >>> an xp client). >>> For the most part the new configuration is working, a lot thanks to >>> exploration of the wiki and the mailing list archives, but I cannot >>> resolve >>> the hostnames of domain members and think it is because dynamic DNS >>> updates >>> through kerberos aren't working. >>> >>> When I try "samba_dnsupdate --verbose --all-names", I get the following >>> error: >>> ldb: Destroying timer event 0x1a42d10 "ltdb_timeout" >>> ldb: Ending timer event 0x1859f30 "ltdb_callback" >>> Traceback (most recent call last): >>> File "/usr/sbin/samba_dnsupdate", line 612, in <module> >>> get_credentials(lp) >>> File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials >>> raise e >>> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot >>> contact any KDC for requested realm) >>> >>> I can join the domain with windows & linux machines and administer it and >>> the dns server with RSAT tools. Neither SELinux nor Apparmor are present. >>> >>> The dns tests from the samba ad dc howto >>> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend> >>> were >>> all successful: >>> host -t SRV _ldap._tcp.intranet.mayweg.net. >>> _ldap._tcp.intranet.mayweg.net has SRV record 0 100 389 >>> server06.intranet.mayweg.net. >>> host -t SRV _kerberos._udp.intranet.mayweg.net. >>> _kerberos._udp.intranet.mayweg.net has SRV record 0 100 88 >>> server06.intranet.mayweg.net. >>> host -t A server06.intranet.mayweg.net. >>> server06.intranet.mayweg.net has address 192.168.11.250 >>> >>> I can resolve the server06.intranet.mayweg.net and intranet.mayweg.net on >>> all machines, but hostnames of machines I joined to the domain are not >>> resolvable from other domain members. A linux machine that joined had the >>> output: >>> Joined 'SERVER13' to realm 'intranet.mayweg.net' >>> DNS update failed! >>> >>> I can get kerberos tickets on all machines, and join the domain using net >>> ads join from all of them but the ad dc itself. >>> On server06 "net ads join -Uadministrator" returns >>> Failed to join domain: This operation is only allowed for the PDC of the >>> domain. Maybe this has something to do with the dns updates not working. >>> >> You do not run 'net ads join' on a DC, the provision does it for you (or >> as in your case, the upgrade procedure) >> >> >>> I'll follow up with version info and configuration files (interfaces, >>> resolv.conf, hosts, smb.conf, krb5.conf, named.conf). >>> Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT >>> implementations of krb5-admin-server and krb5-kdc installed and > configured >>> until I realized Samba4 brings the heimdal implementation of kerberos > with >>> it. I uninstalled the MIT parts afterwards. Configuration files: >>> >>> >>> /etc/network/interfaces: >>> auto lo >>> iface lo inet loopback >>> >>> auto eth0 >>> iface eth0 inet static >>> address 192.168.11.250 >>> netmask 255.255.255.0 >>> network 192.168.11.0 >>> broadcast 192.168.11.255 >>> >>> >>> /etc/resolv.conf: >>> nameserver 192.168.11.250 #had 127.0.0.1 before with the same error >>> domain intranet.mayweg.net >>> >>> >>> /etc/hosts: >>> 127.0.0.1 localhost localhost.localdomain >>> 192.168.11.250 server06.intranet.mayweg.net server06 >>> krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net >>> >> Remove everything from the '192.168.11.250' line from 'krb' onwards, they >> shouldn't be there. >> >> >> >>> # The following lines are desirable for IPv6 capable hosts >>> ::1 localhost ip6-localhost ip6-loopback >>> ff02::1 ip6-allnodes >>> ff02::2 ip6-allrouters >>> >>> >>> /etc/samba/smb.conf: >>> [global] >>> workgroup = MAYWEG.NET >>> realm = INTRANET.MAYWEG.NET >>> netbios name = SERVER06 >>> interfaces = lo, eth0 >>> bind interfaces only = Yes >>> server role = active directory domain controller >>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbind, >>> ntp_signd, kcc, dnsupdate >>> idmap_ldb:use rfc2307 = yes >>> #added after classicupgrade >>> kerberos method = system keytab >>> client ldap sasl wrapping = sign >>> allow dns updates = nonsecure and secure >>> nsupdate command = /usr/bin/nsupdate -g >>> domain logons = yes >>> >>> [netlogon] >>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts >>> read only = No >>> >>> [sysvol] >>> path = /var/lib/samba/sysvol >>> read only = No >>> >>> >> remove everything you added to smb.conf >> >> /etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf): >>> [libdefaults] >>> default_realm = INTRANET.MAYWEG.NET >>> dns_lookup_realm = true #changed to true >>> dns_lookup_kdc = true >>> >>> #added after classicupgrade >>> >>> [realms] >>> INTRANET.MAYWEG.NET = { >>> kdc = krb.intranet.mayweg.net >>> admin_server = krb.intranet.mayweg.net >>> default_domain = intranet.mayweg.net >>> } >>> >>> [domain_realm] >>> >>> .intranet.mayweg.net = INTRANET.MAYWEG.NET >>> intranet.mayweg.net = INTRANET.MAYWEG.NET >>> >>> [logging] >>> kdc = FILE:/var/log/kerberos/krb5kdc.log >>> admin_server = FILE:/var/log/kerberos/kadmin.log >>> default = FILE:/var/log/kerberos/krb5lib.log >>> >>> >> Change krb5.conf back to what it was. >> >> >> /etc/bind/named.conf (copied together from the includes...): >>> zone "." { >>> type hint; >>> file "/etc/bind/db.root"; >>> }; >>> // be authoritative for the localhost forward and reverse zones, and for >>> // broadcast zones as per RFC 1912 >>> >>> zone "localhost" { >>> type master; >>> file "/etc/bind/db.local"; >>> }; >>> >>> zone "127.in-addr.arpa" { >>> type master; >>> file "/etc/bind/db.127"; >>> }; >>> >>> zone "0.in-addr.arpa" { >>> type master; >>> file "/etc/bind/db.0"; >>> }; >>> >>> zone "255.in-addr.arpa" { >>> type master; >>> file "/etc/bind/db.255"; >>> }; >>> dlz "AD DNS Zone" { >>> # For BIND 9.8.x >>> # database "dlopen /usr/lib/x86_64-linux-gnu/ >>> samba/bind9/dlz_bind9.so"; >>> >>> # For BIND 9.9.x >>> database "dlopen /usr/lib/x86_64-linux-gnu/ >>> samba/bind9/dlz_bind9_9.so"; >>> >>> # For BIND 9.10.x >>> # database "dlopen >>> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so"; >>> }; >>> logging { >>> channel update_debug { >>> file "/var/log/update_debug.log" versions 3 size 100k; >>> severity debug; >>> print-severity yes; >>> print-time yes; >>> }; >>> channel security_info { >>> file "/var/log/security_info.log" versions 1 size 100k; >>> severity info; >>> print-severity yes; >>> print-time yes; >>> }; >>> channel bind_log { >>> file "/var/log/bind.log" versions 3 size 1m; >>> severity info; >>> print-category yes; >>> print-severity yes; >>> print-time yes; >>> }; >>> >>> category default { bind_log; }; >>> category lame-servers { null; }; >>> category update { update_debug; }; >>> category update-security { update_debug; }; >>> category security { security_info; }; >>> }; >>> options { >>> directory "/var/named"; >>> recursion yes; >>> dnssec-validation auto; >>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; >>> auth-nxdomain yes; >>> notify no; >>> empty-zones-enable no; >>> allow-query { >>> 127.0.0.1; >>> 192.168.11.0/24; >>> # add other networks you want to allow to query your DNS >>> }; >>> allow-query-cache { >>> 127.0.0.1; >>> 192.168.11.0/24; >>> # add other networks you want to allow to query your DNS >>> }; >>> allow-recursion { >>> 192.168.11.0/24; >>> 127.0.0.1; >>> # add other networks you want to allow to do recursive queries >>> }; >>> forwarders { >>> # Google public DNS server here - replace with your own if >>> necessary >>> }; >>> allow-transfer { >>> # this config is for a single master DNS server >>> none; >>> }; >>> }; >>> >>> I hope I provided all the necessary information and am grateful for any >>> hints on where to look for a fix to this problem. >>> >>> Greetings, >>> Timo >>> >> Finally, was the version of bind you are using configured with dlopen ? >> >> Rowland >> >> >> > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/sambaOK, I am using Debian wheezy with samba and bind9 from backports. These are the conf files I use (comments removed to save space) : /etc/resolv.conf search example.com nameserver 192.168.0.3 <-- this my second DC nameserver 127.0.0.1 /etc/krb5.conf [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = true /etc/samba/smb.conf # Global parameters [global] workgroup = EXAMPLE realm = example.com netbios name = DC01 server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/example.com/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No /etc/bind/named.conf include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; include "/var/lib/samba/private/named.conf"; /etc/bind/named.conf.options options { directory "/var/cache/bind"; forwarders { 8.8.8.8; 8.8.4.4; }; dnssec-validation no; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; }; /var/lib/samba/private/named.conf dlz "AD DNS Zone" { # For BIND 9.9.0 database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so"; }; These work for me :-) Rowland
Peter Serbe
2015-Mar-19 14:31 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Timo Altun schrieb am 19.03.2015 10:30:> As I wrote in my first mail, Kerberos does work. I can successfully request > and list a ticket on the AC DC.OK, then next things, which come to my mind are: is the keytab, you set in named.conf.options readable for the user, under which bind is run. Then, is the /etc/bind/namedb writable for bind. And in the end, it might be a screwed up installation. I had troubles with dynamic updates a long time ago, when it turned out, that I screwed something up during the installation. HTH - Peter
Apparently Analagous Threads
- Fwd: Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
- Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
- Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
- Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
- Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)