Peter Serbe
2015-Mar-19 14:31 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Timo Altun wrote on 19.03.2015 10:30:
> As I wrote in my first mail, Kerberos does work. I can successfully request
> and list a ticket on the AD DC.

OK, then the next things that come to my mind are: is the keytab you set in named.conf.options readable for the user bind runs as? Then, is /etc/bind/namedb writable for bind?

And in the end, it might be a screwed-up installation. I had trouble with dynamic updates a long time ago, when it turned out that I had screwed something up during the installation.

HTH
- Peter
Timo Altun
2015-Mar-19 23:03 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Ok, I set up a new machine with Debian Jessie and checked and installed everything from OS requirements in the wiki ( https://wiki.samba.org/index.php/OS_Requirements ). The only thing I was unsure about was which hostname to enter for Kerberos server and Kerberos admin server when asked during the installation of the packages... I used krb.intranet.mayweg.net.

Now, after the classicupgrade, kinit isn't working anymore... I get the same error I get when trying samba_dnsupdate:

kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' while getting initial credentials.

One step I did not do as stated in the wiki is configuring bind with
--with-gssapi=/usr/include/gssapi
--with-dlopen=yes.
Once again the dlopen driver seems to work in this version, but I have no idea about the first part. Should I build bind myself with the first option?

@Rowland, did you have a working bind installation before you upgraded/provisioned your domain?

@Peter There is no file called namedb in /etc/bind, but the whole folder is writeable for user bind.
My configs, now mostly adapted from Rowland's working configuration, are:

/etc/network/interfaces:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.11.250
    network 192.168.11.0
    netmask 255.255.255.0
    broadcast 192.168.11.255

/etc/hosts:
127.0.0.1       localhost
192.168.11.250  server06.intranet.mayweg.net server06 krb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/resolv.conf:
nameserver 127.0.0.1
domain intranet.mayweg.net

/etc/bind/named.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.options:
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

/var/lib/samba/private/named.conf:
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

/etc/krb5.conf:
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = false
dns_lookup_kdc = true

/etc/samba/smb.conf:
# Global parameters
[global]
workgroup = MAYWEG.NET
realm = INTRANET.MAYWEG.NET
netbios name = SERVER06
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
> Timo Altun wrote on 19.03.2015 10:30:
> > As I wrote in my first mail, Kerberos does work. I can successfully
> > request and list a ticket on the AD DC.
>
> OK, then the next things that come to my mind are:
> is the keytab you set in named.conf.options readable
> for the user bind runs as?
>
> Then, is /etc/bind/namedb writable for bind?
>
> And in the end, it might be a screwed-up installation.
> I had trouble with dynamic updates a long time ago,
> when it turned out that I had screwed something up during
> the installation.
>
> HTH
> - Peter
L.P.H. van Belle
2015-Mar-20 07:42 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Try changing your resolv.conf from:
> nameserver 127.0.0.1
> domain intranet.mayweg.net

to

nameserver 192.168.11.250
search intranet.mayweg.net

> The only thing I was unsure about, was which hostname to enter for Kerberos
> Server and Kerberos admin server when asked during the installation of the
> packages..

Try these default settings for Kerberos. You didn't have to enter the hostname; only the default Kerberos domain name is needed.

A copy-paste for you:

echo "krb5-config krb5-config/add_servers_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
echo "krb5-config krb5-config/read_conf boolean true" | debconf-set-selections
echo "krb5-config krb5-config/kerberos_servers string " | debconf-set-selections
echo "krb5-config krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
echo "krb5-config krb5-config/admin_server string " | debconf-set-selections
echo "krb5-config krb5-config/dns_for_default boolean true" | debconf-set-selections
dpkg-reconfigure -plow krb5-config

And if you want to point to a Kerberos server:
echo "krb5-config krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections

But it's not needed; man krb5.conf tells you enough.

After the changes, type:
host -t SRV _kerberos._udp.intranet.mayweg.net
If you get "not found", then we need to analyze more.

If you want to start with a "clean server", just have a look here:
https://secure.bazuin.nl/scripts/

I added 2 simple scripts: a Debian wheezy-backported and a Debian jessie script. The jessie script is basically the wheezy-backported version, but without the backports repo. It's a set with minimal changes to the system, using the defaults where possible.

If you look in the script, these settings MUST be set.
Settings you must change are:

NTPD_SERVER1_EXTERNAL
NTPD_RESTRICT_INTERFACE (if you don't have an eth0)
BIND9_NETWORKS
SAMBA_DC1_IP
SAMBA_NT_DOMAIN
SAMBA_SITE_NAME

Optional:
SAMBA_PASS_POLICY_CHANGE
SAMBA_TEMPLATE_HOMEDIR
SAMBA_TEMPLATE_SHELL

And as last:
CONFIGURED

All other options are optional. If you have a different DNS domain name and Kerberos domain, you must change that, etc.

Greetz,

Louis

> -----Original message-----
> From: olol13.samba at the-1337.org [mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
> Sent: Friday 20 March 2015 0:04
> To: Peter Serbe; samba at lists.samba.org; Rowland Penny - repenny241155 at gmail.com
> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)
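The checks Peter and Louis ask for (keytab readable by the bind user, SRV records resolvable, kinit working) as one pre-flight script for a BIND9_DLZ domain controller. This is an added example, not code from the thread or from the Samba project; the realm, DNS domain, DC address, keytab path and bind user are assumptions taken from the configs posted above, and the keytab principal lookup assumes MIT Kerberos tools as shipped in Debian's krb5-user.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: pre-flight checks for
# samba_dnsupdate on a Samba AD DC that uses BIND9_DLZ. Realm, domain, DC
# address, keytab path and bind user are assumptions from the posted configs.

REALM="INTRANET.MAYWEG.NET"
DNSDOMAIN="intranet.mayweg.net"
DC_IP="192.168.11.250"
KEYTAB="/var/lib/samba/private/dns.keytab"
BIND_USER="bind"

# srv_targets: parse `host -t SRV <name>` output read from stdin and print
# "priority weight port target" per record, lowest priority first.
# Returns 1 when no SRV record is present, e.g. the "not found: 3(NXDOMAIN)"
# line host prints when the DC never registered its own records.
srv_targets() {
    srv_out=$(awk '$2 == "has" && $3 == "SRV" {
                       t = $NF; sub(/\.$/, "", t)
                       print $(NF-3), $(NF-2), $(NF-1), t
                   }' | sort -n -k1,1)
    [ -n "$srv_out" ] || return 1
    printf '%s\n' "$srv_out"
}

# srv_names: the SRV names a DC must publish. With dns_lookup_kdc = true (as
# in the krb5.conf above) kinit locates the KDC through the _kerberos records;
# when they are missing the result is "Cannot contact any KDC for realm".
srv_names() {
    printf '%s\n' "_kerberos._udp.$DNSDOMAIN" "_kerberos._tcp.$DNSDOMAIN" \
                  "_kpasswd._udp.$DNSDOMAIN" "_ldap._tcp.$DNSDOMAIN"
}

# resolver_ok FILE IP: FILE (a resolv.conf) must name IP as a nameserver and
# carry the AD domain in a search or domain line, as Louis suggested.
resolver_ok() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    dom_re=$(printf '%s' "$DNSDOMAIN" | sed 's/\./\\./g')
    grep -Eq "^nameserver[[:space:]]+$ip_re[[:space:]]*\$" "$1" || return 1
    grep -Eq "^(search|domain)[[:space:]]+$dom_re([[:space:]]|\$)" "$1" || return 1
}

# keytab_ok: Peter's check. named must be able to read the DLZ keytab,
# which tkey-gssapi-keytab in named.conf.options points at. Needs root.
keytab_ok() {
    [ -f "$KEYTAB" ] || return 1
    su -s /bin/sh -c "test -r '$KEYTAB'" "$BIND_USER"
}

# kdc_ok: get a ticket for a principal stored in the keytab; this exercises
# the same DNS-based KDC discovery that the kinit inside samba_dnsupdate uses.
# Assumes MIT klist output ("KVNO Principal" table).
kdc_ok() {
    princ=$(klist -k "$KEYTAB" | awk '$1 ~ /^[0-9]+$/ { print $NF; exit }')
    [ -n "$princ" ] || return 1
    kinit -k -t "$KEYTAB" "$princ" && kdestroy
}

preflight() {
    if resolver_ok /etc/resolv.conf "$DC_IP"; then
        echo "resolv.conf: ok"
    else
        echo "resolv.conf: should name $DC_IP and search $DNSDOMAIN"
    fi
    for name in $(srv_names); do
        if host -t SRV "$name" | srv_targets >/dev/null; then
            echo "SRV $name: ok"
        else
            echo "SRV $name: missing, the DC's records are not in DNS"
        fi
    done
    if keytab_ok; then echo "keytab: readable by $BIND_USER"; else echo "keytab: $KEYTAB not readable by $BIND_USER"; fi
    if kdc_ok; then echo "kdc: reachable"; else echo "kdc: kinit failed, fix resolv.conf and the SRV records first"; fi
    samba_dnsupdate --verbose
}

# Run as root on the DC:  sh dc_dns_preflight.sh run
if [ "${1:-}" = run ]; then preflight; fi
```

The order matters: samba_dnsupdate authenticates its GSS-TSIG updates with Kerberos, and with dns_lookup_kdc = true Kerberos finds the KDC through the SRV records that samba_dnsupdate itself maintains, so a DC whose resolver does not reach its own zone fails at the kinit step before any update is sent.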
Timo Altun
2015-Mar-20 09:02 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Thank you Louis for that answer!

Actually I did get kinit and samba_dnsupdate working, though I am unsure how. I tried some changes to krb5.conf in the [realms] and [domain_realm] sections, as well as changing dns_lookup_realm from false to true, but reverted it all back to the initial file:

[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = false
dns_lookup_kdc = true

After a reboot, both kinit and samba_dnsupdate worked on the host machine. Shares can be accessed, RSAT tools are working.

From the Linux fileserver, nslookup and ping work for hostnames of domain members; the dig command does not get an answer. The Windows machines can nslookup and ping everything but the Linux machine. Somehow it did not generate an entry in the DNS server. Is this normal behavior for Linux domain members, and I need to create the DNS entry manually, or is something still amiss?

Greetings and thanks for the help so far,
Timo

On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote:
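The thread leaves Timo's last question open (why the Linux member got no DNS entry). Whatever the cause, a member can register itself the way Windows members and samba_dnsupdate do, with a Kerberos-signed (GSS-TSIG) dynamic update. The script below is an added example, not code from the thread or from Samba; the DC, zone and realm come from the posted configs, while the member name "fileserver", its address 192.168.11.20, the existence of a 11.168.192.in-addr.arpa reverse zone and a HOST$ key in /etc/krb5.keytab are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: register a Linux domain member's A and
# PTR records in Samba AD DNS via a GSS-TSIG dynamic update (nsupdate -g).
# DC, zone and realm are taken from the posted configs; the member name,
# address, reverse zone and keytab contents are assumptions.

DC="server06.intranet.mayweg.net"
ZONE="intranet.mayweg.net"
REALM="INTRANET.MAYWEG.NET"
MEMBER="fileserver"          # assumed member short name
MEMBER_IP="192.168.11.20"    # assumed member address
TTL=3600

# ptr_name IP: owner name of the PTR record for a dotted IPv4 address.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# reverse_zone IP: the /24 reverse zone the address belongs to (assumes such a
# zone exists on the DC; samba-tool dns zonecreate makes one otherwise).
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# nsupdate_script NAME IP: print the update batch for nsupdate. Deleting the
# old RRset first keeps the run idempotent, so an address change replaces the
# stale record instead of adding a second one.
nsupdate_script() {
    up_name=$1; up_ip=$2
    cat <<EOF
server $DC
zone $ZONE
update delete $up_name.$ZONE. A
update add $up_name.$ZONE. $TTL A $up_ip
send
zone $(reverse_zone "$up_ip")
update delete $(ptr_name "$up_ip") PTR
update add $(ptr_name "$up_ip") $TTL PTR $up_name.$ZONE.
send
EOF
}

# register: sign the update with the member's machine account. Assumes the
# HOST$ key is in /etc/krb5.keytab (kerberos method = secrets and keytab on the
# member); otherwise obtain a ticket as a user allowed to update the zone.
register() {
    kinit -k "$(printf '%s' "$MEMBER" | tr a-z A-Z)\$@$REALM" || return 1
    nsupdate_script "$MEMBER" "$MEMBER_IP" | nsupdate -g || return 1
    # Ask the DC directly, bypassing the local resolver cache.
    host "$MEMBER.$ZONE" "$DC"
    host "$MEMBER_IP" "$DC"
}

# Run on the member:  sh member_dns_register.sh register
if [ "${1:-}" = register ]; then register; fi
```

Two shortcuts exist for the same outcome: on the DC, `samba-tool dns add server06.intranet.mayweg.net intranet.mayweg.net fileserver A 192.168.11.20 -U Administrator` writes the record without a dynamic update, and on a Samba domain member `net ads dns register` performs the GSS-TSIG update for the member's own name. The signed update is preferable to an unauthenticated one because the DC's zone is secure-update only by default, and it keeps every client's record tied to a machine account that can be audited.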