Timo Altun
2015-Mar-20 15:47 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
I'm sorry it got confusing, changed the topic and I'll try to explain. I am using Jessie on the DC. Server13 is a linux file server and domain member, it is on squeeze. If possible, I do not want to upgrade it. The problem here is, that it does not seem to generate a DNS record when joining the domain and, after setting up the new smb.conf, the users aren't passed on from winbind to the local authentication tools. It also caused the single share I set up in the smb.conf to be unaccessible by user administrator. Maybe something with the keytab file is not working. Domain users have uidNumbers north of 10k, gidNumber are >20k. Doesn't the classicupgrade function check if these are in order? The errors in the /etc/hosts file were generated by my mail client. First line is as you said Rowland. The krb.conf was as long and ugly as the smb.conf, already cut most of it, but your 3 line example configuration did not work fully. With the following getting kerberos tickets and the domain join are still working. Thanks for the ongoing support! My krb5.conf: [libdefaults] default_realm = INTRANET.MAYWEG.NET dns_lookup_realm = false dns_lookup_kdc = true [realms] INTRANET.MAYWEG.NET = { kdc = 192.168.11.250 admin_server = 192.168.11.250 default_domain = INTRANET.MAYWEG.NET } [domain_realm] .intranet.mayweg.net = INTRANET.MAYWEG.NET intranet.mayweg.net = INTRANET.MAYWEG.NET On 20 March 2015 at 16:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:> On 20/03/15 14:49, Timo Altun wrote: > >> Ok, I setup a new smb.conf and rebooted. Winbind doesn't seem to pass on >> the domain users anymore and the DNS Update during domain join still fails. >> For some reason, although I have all samba 3.5.6. packages installed on >> this debian squeeze samba -V or samba-tool are unknown commands. >> Maybe this is why the dns update fails, some missing tools or commands? >> > > Getting a bit lost now, I am sure that you were using Jessie ??> >> wbinfo -u and wbinfo -g return domain users and groups correctly, getent >> passwd and getent group do not (did before the smb.conf changes). >> > > Do your users in AD have a uidNumber that is inside the range > 10000-999999, also does Domain Users (at least) have a gidNumber inside the > same range ? >Yes, domain users have uidNumbers north of 10k, gidNumber are >20k. Doesn't the classicupgrade function check if these are in order?> > >> The bigger problem right now is the dns record for server13...for the >> user accounts I could always go back to the old and ugly smb.conf ;) >> Will try to add/exchange some lines to create a working minimal >> configuration. >> I added the rather simple hosts and resolv.conf files of server13 as well. >> >> The new smb.conf: >> [global] >> >> netbios name = server13 >> workgroup = MAYWEG.NET <http://MAYWEG.NET> >> security = ADS >> realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> >> >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> >> idmap config *:backend = tdb >> idmap config *:range = 2000-9999 >> idmap config MAYWEG.NET:backend = ad >> idmap config MAYWEG.NET:schema_mode = rfc2307 >> idmap config MAYWEG.NET:range = 10000-99999 >> >> winbind nss info = rfc2307 >> winbind trusted domains only = no >> winbind use default domain = yes >> winbind enum users = yes >> winbind enum groups = yes >> winbind refresh tickets = Yes >> >> [sda1] >> comment = Laufwerk sda1 von Server13 >> path = / >> valid users = administrator >> admin users = administrator >> read list >> invalid users >> case sensitive = no >> ; msdfs proxy = no >> read only = no >> writable = yes >> create mask = 0775 >> directory mask = 0775 >> >> /etc/network/resolv.conf: >> search intranet.mayweg.net <http://intranet.mayweg.net> >> nameserver 192.168.11.250 >> >> /etc/hosts: >> 127.0.0.1localhost.intranet.mayweg.net < >> http://localhost.intranet.mayweg.net> localhost >> 192.168.11.141server13.intranet.mayweg.net <http://server13.intranet. >> mayweg.net>server13 >> > > The top line should be '127.0.0.1 localhost.localdomain localhost' > > What is in /etc/krb5.conf ? it should be: > > [libdefaults] > default_realm = INTRANET.MAYWEG.NET > dns_lookup_realm = false > dns_lookup_kdc = true > > > Rowland > > >> ::1 ip6-localhost ip6-loopback >> fe00::0 ip6-localnet >> ff00::0 ip6-mcastprefix >> ff02::1 ip6-allnodes >> ff02::2 ip6-allrouters >> >> >> On 20 March 2015 at 12:23, Rowland Penny <rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com>> wrote: >> >> On 20/03/15 11:13, Timo Altun wrote: >> >> Hi guys, >> >> thanks again for the quick answers. First, the smb.conf on the >> linux >> fileserver. It is quite long, as I took the old file (working >> version from >> samba3 configuration) and only made adjustments, like adding >> the realm. >> >> /etc/samba/smb.conf: >> [global] >> ### Browsing/Identification ### >> >> workgroup = MAYWEG.NET <http://MAYWEG.NET> >> realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> >> >> netbios name = server13 >> smb ports = 139, 445 >> hosts allow = 127. 192.168.11. >> interfaces = eth0 lo >> server string = SAMBA Fileserver >> wins support = no >> wins server = 192.168.11.250 >> name resolve order = host wins lmhosts bcast >> >> idmap uid = 15000-25000 >> idmap gid = 15000-25000 >> winbind enum users = yes >> winbind enum groups = yes >> template homedir = /home/%U >> template shell = /bin/bash >> winbind use default domain = yes >> winbind offline logon = true >> winbind cache time = 15 >> >> #### Debugging/Accounting #### >> >> log file = /var/log/samba/log.%m >> max log size = 1000 >> syslog = 0 >> panic action = /usr/share/samba/panic-action %d >> >> ####### Authentication ####### >> >> security = domain >> encrypt passwords = true >> passdb backend = tdbsam >> obey pam restrictions = yes >> unix password sync = yes >> passwd program = /usr/bin/passwd %u >> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n >> *Retype\snew\sUNIX\spassword:* %n\n . >> pam password change = yes >> >> ########## Printing ########## >> >> load printers = yes >> printing = cups >> printcap name = cups >> >> ############ Misc ############ >> >> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 >> restrict anonymous = no >> domain master = no >> local master = yes >> preferred master = no >> password server = 192.168.11.250 >> server signing = disabled >> display charset = ISO8859-15 >> unix charset = ISO8859-15 >> dos charset = CP1250 >> read raw = yes >> write raw = yes >> oplocks = yes >> level2oplocks = no >> fake oplocks = no >> debug level = 2 >> getwd cache = yes >> keepalive = 30 >> >> [sda1] >> comment = Laufwerk sda1 von Server13 >> path = / >> valid users = administrator >> admin users = administrator >> read list >> invalid users >> case sensitive = no >> ; msdfs proxy = no >> read only = no >> writable = yes >> create mask = 0775 >> directory mask = 0775 >> >> Thanks for the dnstest script Louis, the output on the DC is: >> ==========Test DNS Records ==============================>> Testing : dns entries >> testing of : host -t SRV _ldap._tcp.intranet.mayweg.net >> <http://tcp.intranet.mayweg.net>. : ok >> testing of : host -t SRV _kerberos._udp.intranet.mayweg.net >> <http://udp.intranet.mayweg.net>. : ok >> testing of : host -t A server06.intranet.mayweg.net >> <http://server06.intranet.mayweg.net>. : ok >> >> On server13, the linux client: >> ==========Test DNS Records ==============================>> Testing : dns entries >> testing of : host -t SRV _ldap._tcp.intranet.mayweg.net >> <http://tcp.intranet.mayweg.net>. : ok >> testing of : host -t SRV _kerberos._udp.intranet.mayweg.net >> <http://udp.intranet.mayweg.net>. : ok >> testing of : host -t A server13.intranet.mayweg.net >> <http://server13.intranet.mayweg.net>. : FAILED >> >> The fixing part does not work on server13, as samba-tools (and >> maybe other >> packages) are not installed. I'll try to install the missing >> parts and will >> try again. >> Am I right though, that as a domain member this should have worked >> automatically for the machine? When join the domain using net >> ads join on >> server13 it does still give me "DNS update failed!". >> >> Greetings, >> Timo >> >> >> >> >> On 20 March 2015 at 11:01, L.P.H. van Belle <belle at bazuin.nl >> <mailto:belle at bazuin.nl>> wrote: >> >> can you run these commands and tell us the output. >> ( copy past it. ) >> >> SETFQDN=`hostname -f` >> SETDNSDOMAIN=`hostname -d` >> SETHOSTNAME=`hostname -s` >> SETSERVERIP=`hostname -i` >> echo "==========Test DNS Records >> ===============================" >> echo "Testing : dns entries" >> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep >> 'not found'`" ]; >> then >> echo "testing of : host -t SRV >> _ldap._tcp.${SETDNSDOMAIN}. : ok" >> else >> echo "testing of : host -t SRV >> _ldap._tcp.${SETDNSDOMAIN}. : FAILED" >> fi >> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | >> grep "not found" >> `" ]; then >> echo "testing of : host -t SRV >> _kerberos._udp.${SETDNSDOMAIN}. : ok" >> else >> echo "testing of : host -t SRV >> _kerberos._udp.${SETDNSDOMAIN}. : >> FAILED" >> fi >> if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep >> "not found" `" >> ]; then >> echo "testing of : host -t A >> ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok" >> else >> echo "testing of : host -t A >> ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED" >> echo "trying to fix it now: " >> samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} >> ${SETDNSDOMAIN} >> ${SETHOSTNAME} A ${SETSERVERIP} >> fi >> >> >> >> -----Oorspronkelijk bericht----- >> Van: rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com> >> [mailto:samba-bounces at lists.samba.org >> <mailto:samba-bounces at lists.samba.org>] Namens Rowland >> Penny >> Verzonden: vrijdag 20 maart 2015 10:21 >> Aan: samba at lists.samba.org <mailto:samba at lists.samba.org> >> Onderwerp: Re: [Samba] Fwd: Dynamic DNS Updates not >> working. >> samba_dnsupdate : (sambalist: message 3 of 20) >> RuntimeError: >> (sambalist: to exclusive) kinit for [DC at Realm] failed >> (Cannot >> contact any KDC for requested realm) >> >> On 20/03/15 09:02, Timo Altun wrote: >> >> Thank you Louis for that answer! Actually I did >> get kinit and >> samba_dnsupdate working, though I am unsure how. I >> tried >> >> some changes to >> >> krb5.conf in the [realms] and [domain_realm] >> sections, als well as >> setting dns_lookup_realm = false to true, but >> reverted it >> >> all back to the >> >> initial file: >> >> [libdefaults] >> default_realm = INTRANET.MAYWEG.NET >> <http://INTRANET.MAYWEG.NET> >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> After a reboot, both kinit and samba_dnsupdate >> worked on the >> >> host machine. >> >> Shares can be accessed, RSAT tools are working. >> From the >> >> linux fileserver >> >> nslookup and ping work for hostnames of >> domainmembers, dig >> >> command does not >> >> get an answer. The windows machines can nslookup >> and ping >> >> everything but >> >> the linux machine. Somehow it did not generate an >> entry in >> >> the DNS Server. >> >> Is this normal behavior for linux domain members >> and I need >> >> to create the >> >> DNS entry manually or is something still amiss? >> >> Greetings and thanks for the help so far, >> Timo >> >> >> On 20 March 2015 at 08:42, L.P.H. van Belle >> <belle at bazuin.nl <mailto:belle at bazuin.nl>> wrote: >> >> Try change your resolv.conf from : >> >> nameserver 127.0.0.1 >> domain intranet.mayweg.net >> <http://intranet.mayweg.net> >> >> to >> nameserver 192.168.11.250 >> search intranet.mayweg.net >> <http://intranet.mayweg.net> >> >> The only thing I was unsure about, was >> which hostname to enter >> for Kerberos >> Server and Kerberos admin server when >> asked during the >> installation of the >> packages.. >> >> Try these defealt settings for kerberos.. >> You didnt have to enter the hostname, Only the >> default >> >> kerberos Domain >> >> name is needed. >> >> a copy past for you. >> >> echo "krb5-config >> krb5-config/add_servers_realm string >> INTRANET.MAYWEG.NET >> <http://INTRANET.MAYWEG.NET>" | >> debconf-set-selections >> echo "krb5-config >> krb5-config/read_conf boolean true" | >> debconf-set-selections >> echo "krb5-config >> krb5-config/kerberos_servers string " | >> debconf-set-selections >> echo "krb5-config >> krb5-config/default_realm string >> INTRANET.MAYWEG.NET >> <http://INTRANET.MAYWEG.NET>" | >> debconf-set-selections >> echo "krb5-config >> krb5-config/add_servers boolean false" | >> debconf-set-selections >> echo "krb5-config >> krb5-config/admin_server string " | >> debconf-set-selections >> echo "krb5-config >> krb5-config/dns_for_default >> >> boolean true" | >> >> debconf-set-selections >> dpkg-reconfigure plow krb5-config >> >> and if you want to point to a kerberos server. >> echo "krb5-config >> krb5-config/kerberos_servers string >> server06.intranet.mayweg.net >> <http://server06.intranet.mayweg.net>" | >> debconf-set-selections >> >> but its not needed, man krb5.conf tells you >> enough. >> >> after the changes, type: >> host -t SRV _kerberos._udp.intranet.mayweg.net >> <http://udp.intranet.mayweg.net> >> >> if you get not found, then we need to analize >> more. >> >> >> >> If you want to start with a "Clean server" >> just have a look here. >> >> https://secure.bazuin.nl/scripts/ >> >> I added 2 simple scripts. a debian wheezy >> backported and >> >> debian jessie >> >> script. >> The Jessie script is basicly the wheezy >> backported version, >> >> but without >> >> the backports repo. >> Its a set with minimal changes to the system, >> and use the >> >> defaults there >> >> where possible. >> >> If you look in the script, >> these settings MUST be set. >> Settings you must change are : >> >> NTPD_SERVER1_EXTERNAL >> NTPD_RESTRICT_INTERFACE ( if you dont have a >> eth0 ) >> BIND9_NETWORKS >> SAMBA_DC1_IP >> SAMBA_NT_DOMAIN >> SAMBA_SITE_NAME >> >> optional: >> SAMBA_PASS_POLICY_CHANGE >> SAMBA_TEMPLATE_HOMEDIR >> SAMBA_TEMPLATE_SHELL >> >> >> and as last : >> CONFIGURED >> >> All other options are optional. >> If you have a different dns domain name and >> kerberos domain. >> you must change that.. etc.. >> >> Greetz, >> >> Louis >> >> >> >> -----Oorspronkelijk bericht----- >> Van: olol13.samba at the-1337.org >> <mailto:olol13.samba at the-1337.org> >> [mailto:samba-bounces at lists.samba.org >> <mailto:samba-bounces at lists.samba.org>] >> Namens Timo Altun >> Verzonden: vrijdag 20 maart 2015 0:04 >> Aan: Peter Serbe; samba at lists.samba.org >> <mailto:samba at lists.samba.org>; Rowland >> Penny - >> repenny241155 at gmail.com >> <mailto:repenny241155 at gmail.com> >> Onderwerp: Re: [Samba] Fwd: Dynamic DNS >> Updates not working. >> samba_dnsupdate : (sambalist: message 3 of >> 20) RuntimeError: >> (sambalist: to exclusive) kinit for >> [DC at Realm] failed (Cannot >> contact any KDC for requested realm) >> >> Ok, I setup a new machine with Debian >> Jessie and checked >> >> and installed >> >> everything from OS requirements in the wiki ( >> https://wiki.samba.org/index. >> php/OS_Requirements >> ). >> The only thing I was unsure about, was >> which hostname to enter >> for Kerberos >> Server and Kerberos admin server when >> asked during the >> installation of the >> packages...I used krb.intranet.mayweg.net >> <http://krb.intranet.mayweg.net>. >> Now, after the classicupgrade kinit isn't >> working anymore...I >> get the same >> error I get when trying samba_dnsupdate: >> kinit: Cannot contact any KDC for realm >> 'INTRANET.MAYWEG.NET >> <http://INTRANET.MAYWEG.NET>' >> >> while getting >> initial credentials. >> >> One step I did not do as stated in the >> wiki is configuring >> >> bind with >> >> --with-gssapi=/usr/include/gssapi >> --with-dlopen=yes. >> Once again the dlopen driver seems to work >> in this version, >> but I have no >> idea about the first part. Should I build >> bind myself with the >> first option? >> @Rowland, did you have a working bind >> installation before you >> upgraded/provisioned your domain? >> >> @Peter There is no file called namedb in >> /etc/bind, but the >> whole folder is >> writeable for user bind. >> >> My configs, now mostly adapted from >> Rowland's woking >> >> configuration are: >> >> /etc/network/interfaces: >> auto lo >> iface lo inet loopback >> >> auto eth0 >> iface eth0 inet static >> address 192.168.11.250 >> network 192.168.11.0 >> netmask 255.255.255.0 >> broadcast 192.168.11.255 >> >> /etc/hosts: >> 127.0.0.1 localhost >> 192.168.11.250 >> server06.intranet.mayweg.net >> <http://server06.intranet.mayweg.net> >> server06 krb >> >> # The following lines are desirable for >> IPv6 capable hosts >> ::1 localhost ip6-localhost ip6-loopback >> ff02::1 ip6-allnodes >> ff02::2 ip6-allrouters >> >> /etc/resolv.conf: >> nameserver 127.0.0.1 >> domain intranet.mayweg.net >> <http://intranet.mayweg.net> >> >> /etc/bind/named.conf: >> include "/etc/bind/named.conf.options"; >> include "/etc/bind/named.conf.local"; >> include "/etc/bind/named.conf.default-zones"; >> include "/var/lib/samba/private/named.conf"; >> >> /etc/bin/named.conf.options: >> options { >> directory "/var/cache/bind"; >> dnssec-validation no; >> auth-nxdomain no; # conform to RFC1035 >> listen-on-v6 { any; }; >> tkey-gssapi-keytab >> "/var/lib/samba/private/dns.keytab"; >> }; >> >> /var/lib/samba/private/named.conf: >> database "dlopen >> /usr/lib/x86_64-linux-gnu/ >> samba/bind9/dlz_bind9_9.so"; >> >> /etc/krb5.conf: >> [libdefaults] >> default_realm = INTRANET.MAYWEG.NET >> <http://INTRANET.MAYWEG.NET> >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> /etc/samba/smb.conf: >> # Global parameters >> [global] >> workgroup = MAYWEG.NET <http://MAYWEG.NET> >> realm = INTRANET.MAYWEG.NET >> <http://INTRANET.MAYWEG.NET> >> netbios name = SERVER06 >> interfaces = lo, eth0 >> bind interfaces only = Yes >> server role = active directory domain >> controller >> server services = s3fs, rpc, nbt, wrepl, >> ldap, cldap, kdc, >> drepl, winbind, >> ntp_signd, kcc, dnsupdate >> idmap_ldb:use rfc2307 = yes >> >> [netlogon] >> path >> /var/lib/samba/sysvol/intranet >> .mayweg.net/scripts >> <http://intranet.mayweg.net/scripts> >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> >> >> On 19 March 2015 at 15:31, Peter Serbe >> <peter at serbe.ch <mailto:peter at serbe.ch>> >> >> wrote: >> >> Timo Altun schrieb am 19.03.2015 10:30: >> >> As I wrote in my first mail, >> Kerberos does work. I can >> >> successfully >> >> request >> >> and list a ticket on the AC DC. >> >> OK, then next things, which come to my >> mind are: >> is the keytab, you set in >> named.conf.options readable >> for the user, under which bind is run. >> >> Then, is the /etc/bind/namedb writable >> for bind. >> >> And in the end, it might be a screwed >> up installation. >> I had troubles with dynamic updates a >> long time ago, >> when it turned out, that I screwed >> something up during >> the installation. >> >> HTH >> - Peter >> >> >> -- >> To unsubscribe from this list go to the >> following URL and read the >> instructions: >> https://lists.samba.org/mailman/options/samba >> >> >> -- >> To unsubscribe from this list go to the >> following URL and read the >> instructions: >> https://lists.samba.org/mailman/options/samba >> >> Can you post the smb.conf from the linux fileserver >> >> Rowland >> >> -- >> To unsubscribe from this list go to the following URL >> and read the >> instructions: >> https://lists.samba.org/mailman/options/samba >> >> >> -- >> To unsubscribe from this list go to the following URL and >> read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> OK, too much wrong in that smb.conf to mention, go and have a look >> here: >> >> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >> >> >> Rowland >> >> -- To unsubscribe from this list go to the following URL and read >> the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2015-Mar-20 16:00 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
On 20/03/15 15:47, Timo Altun wrote:> I'm sorry it got confusing, changed the topic and I'll try to explain. > I am using Jessie on the DC. Server13 is a linux file server and > domain member, it is on squeeze. If possible, I do not want to upgrade > it. The problem here is, that it does not seem to generate a DNS > record when joining the domain and, after setting up the new smb.conf, > the users aren't passed on from winbind to the local authentication > tools. It also caused the single share I set up in the smb.conf to be > unaccessible by user administrator. Maybe something with the keytab > file is not working.You were confused :-D> > Domain users have uidNumbers north of 10k, gidNumber are >20k. Doesn't > the classicupgrade function check if these are in order? > The errors in the /etc/hosts file were generated by my mail client. > First line is as you said Rowland.As long as your uidNumbers and gidNumbers are inside '10000-999999', it should work, but there may be a problem because you are using squeeze with 3.5.6. As you do not want to upgrade squeeze, could you use backports, this will get you 3.6.6.> > The krb.conf was as long and ugly as the smb.conf, already cut most of > it, but your 3 line example configuration did not work fully. With the > following getting kerberos tickets and the domain join are still working. >It works for me on Linux Mint 17 (aka Ubuntu 14.04) What does 'pam-auth-update' show for authentication methods. Rowland> Thanks for the ongoing support! > > My krb5.conf: > [libdefaults] > default_realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > dns_lookup_realm = false > dns_lookup_kdc = true > > [realms] > INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> = { > kdc = 192.168.11.250 > admin_server = 192.168.11.250 > default_domain = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > } > > [domain_realm] > .intranet.mayweg.net <http://intranet.mayweg.net> = > INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > intranet.mayweg.net <http://intranet.mayweg.net> = INTRANET.MAYWEG.NET > <http://INTRANET.MAYWEG.NET> > > > > > On 20 March 2015 at 16:00, Rowland Penny <rowlandpenny at googlemail.com > <mailto:rowlandpenny at googlemail.com>> wrote: > > On 20/03/15 14:49, Timo Altun wrote: > > Ok, I setup a new smb.conf and rebooted. Winbind doesn't seem > to pass on the domain users anymore and the DNS Update during > domain join still fails. > For some reason, although I have all samba 3.5.6. packages > installed on this debian squeeze samba -V or samba-tool are > unknown commands. > Maybe this is why the dns update fails, some missing tools or > commands? > > > Getting a bit lost now, I am sure that you were using Jessie ?? > > > > wbinfo -u and wbinfo -g return domain users and groups > correctly, getent passwd and getent group do not (did before > the smb.conf changes). > > > Do your users in AD have a uidNumber that is inside the range > 10000-999999, also does Domain Users (at least) have a gidNumber > inside the same range ? > > Yes, domain users have uidNumbers north of 10k, gidNumber are >20k. > Doesn't the classicupgrade function check if these are in order? > > > > The bigger problem right now is the dns record for > server13...for the user accounts I could always go back to the > old and ugly smb.conf ;) > Will try to add/exchange some lines to create a working > minimal configuration. > I added the rather simple hosts and resolv.conf files of > server13 as well. > > The new smb.conf: > [global] > > netbios name = server13 > workgroup = MAYWEG.NET <http://MAYWEG.NET> <http://MAYWEG.NET> > security = ADS > realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > <http://INTRANET.MAYWEG.NET> > > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > idmap config MAYWEG.NET:backend = ad > idmap config MAYWEG.NET:schema_mode = rfc2307 > idmap config MAYWEG.NET:range = 10000-99999 > > winbind nss info = rfc2307 > winbind trusted domains only = no > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = Yes > > [sda1] > comment = Laufwerk sda1 von Server13 > path = / > valid users = administrator > admin users = administrator > read list > invalid users > case sensitive = no > ; msdfs proxy = no > read only = no > writable = yes > create mask = 0775 > directory mask = 0775 > > /etc/network/resolv.conf: > search intranet.mayweg.net <http://intranet.mayweg.net> > <http://intranet.mayweg.net> > nameserver 192.168.11.250 > > /etc/hosts: > 127.0.0.1localhost.intranet.mayweg.net > <http://127.0.0.1localhost.intranet.mayweg.net> > <http://localhost.intranet.mayweg.net> localhost > 192.168.11.141server13.intranet.mayweg.net > <http://192.168.11.141server13.intranet.mayweg.net> > <http://server13.intranet.mayweg.net>server13 > > > The top line should be '127.0.0.1 localhost.localdomain localhost' > > What is in /etc/krb5.conf ? it should be: > > [libdefaults] > default_realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > dns_lookup_realm = false > dns_lookup_kdc = true > > > Rowland > > > ::1 ip6-localhost ip6-loopback > fe00::0 ip6-localnet > ff00::0 ip6-mcastprefix > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > > > On 20 March 2015 at 12:23, Rowland Penny > <rowlandpenny at googlemail.com > <mailto:rowlandpenny at googlemail.com> > <mailto:rowlandpenny at googlemail.com > <mailto:rowlandpenny at googlemail.com>>> wrote: > > On 20/03/15 11:13, Timo Altun wrote: > > Hi guys, > > thanks again for the quick answers. First, the > smb.conf on the > linux > fileserver. It is quite long, as I took the old file > (working > version from > samba3 configuration) and only made adjustments, like > adding > the realm. > > /etc/samba/smb.conf: > [global] > ### Browsing/Identification ### > > workgroup = MAYWEG.NET <http://MAYWEG.NET> > <http://MAYWEG.NET> > realm = INTRANET.MAYWEG.NET > <http://INTRANET.MAYWEG.NET> <http://INTRANET.MAYWEG.NET> > > netbios name = server13 > smb ports = 139, 445 > hosts allow = 127. 192.168.11. > interfaces = eth0 lo > server string = SAMBA Fileserver > wins support = no > wins server = 192.168.11.250 > name resolve order = host wins lmhosts bcast > > idmap uid = 15000-25000 > idmap gid = 15000-25000 > winbind enum users = yes > winbind enum groups = yes > template homedir = /home/%U > template shell = /bin/bash > winbind use default domain = yes > winbind offline logon = true > winbind cache time = 15 > > #### Debugging/Accounting #### > > log file = /var/log/samba/log.%m > max log size = 1000 > syslog = 0 > panic action = /usr/share/samba/panic-action %d > > ####### Authentication ####### > > security = domain > encrypt passwords = true > passdb backend = tdbsam > obey pam restrictions = yes > unix password sync = yes > passwd program = /usr/bin/passwd %u > passwd chat = *Enter\snew\sUNIX\spassword:* %n\n > *Retype\snew\sUNIX\spassword:* %n\n . > pam password change = yes > > ########## Printing ########## > > load printers = yes > printing = cups > printcap name = cups > > ############ Misc ############ > > socket options = TCP_NODELAY SO_RCVBUF=8192 > SO_SNDBUF=8192 > restrict anonymous = no > domain master = no > local master = yes > preferred master = no > password server = 192.168.11.250 > server signing = disabled > display charset = ISO8859-15 > unix charset = ISO8859-15 > dos charset = CP1250 > read raw = yes > write raw = yes > oplocks = yes > level2oplocks = no > fake oplocks = no > debug level = 2 > getwd cache = yes > keepalive = 30 > > [sda1] > comment = Laufwerk sda1 von Server13 > path = / > valid users = administrator > admin users = administrator > read list > invalid users > case sensitive = no > ; msdfs proxy = no > read only = no > writable = yes > create mask = 0775 > directory mask = 0775 > > Thanks for the dnstest script Louis, the output on the > DC is: > ==========Test DNS Records ==============================> Testing : dns entries > testing of : host -t SRV > _ldap._tcp.intranet.mayweg.net <http://tcp.intranet.mayweg.net> > <http://tcp.intranet.mayweg.net>. : ok > testing of : host -t SRV > _kerberos._udp.intranet.mayweg.net > <http://udp.intranet.mayweg.net> > <http://udp.intranet.mayweg.net>. : ok > testing of : host -t A server06.intranet.mayweg.net > <http://server06.intranet.mayweg.net> > <http://server06.intranet.mayweg.net>. : ok > > On server13, the linux client: > ==========Test DNS Records ==============================> Testing : dns entries > testing of : host -t SRV > _ldap._tcp.intranet.mayweg.net <http://tcp.intranet.mayweg.net> > <http://tcp.intranet.mayweg.net>. : ok > testing of : host -t SRV > _kerberos._udp.intranet.mayweg.net > <http://udp.intranet.mayweg.net> > <http://udp.intranet.mayweg.net>. : ok > testing of : host -t A server13.intranet.mayweg.net > <http://server13.intranet.mayweg.net> > <http://server13.intranet.mayweg.net>. : FAILED > > The fixing part does not work on server13, as > samba-tools (and > maybe other > packages) are not installed. I'll try to install the > missing > parts and will > try again. > Am I right though, that as a domain member this should > have worked > automatically for the machine? When join the domain > using net > ads join on > server13 it does still give me "DNS update failed!". > > Greetings, > Timo > > > > > On 20 March 2015 at 11:01, L.P.H. van Belle > <belle at bazuin.nl <mailto:belle at bazuin.nl> > <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>> wrote: > > can you run these commands and tell us the output. > ( copy past it. ) > > SETFQDN=`hostname -f` > SETDNSDOMAIN=`hostname -d` > SETHOSTNAME=`hostname -s` > SETSERVERIP=`hostname -i` > echo "==========Test DNS Records > ===============================" > echo "Testing : dns entries" > if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. > | grep > 'not found'`" ]; > then > echo "testing of : host -t SRV > _ldap._tcp.${SETDNSDOMAIN}. : ok" > else > echo "testing of : host -t SRV > _ldap._tcp.${SETDNSDOMAIN}. : FAILED" > fi > if [ -z "`host -t SRV > _kerberos._udp.${SETDNSDOMAIN}. | > grep "not found" > `" ]; then > echo "testing of : host -t SRV > _kerberos._udp.${SETDNSDOMAIN}. : ok" > else > echo "testing of : host -t SRV > _kerberos._udp.${SETDNSDOMAIN}. : > FAILED" > fi > if [ -z "`host -t A > ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep > "not found" `" > ]; then > echo "testing of : host -t A > ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok" > else > echo "testing of : host -t A > ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED" > echo "trying to fix it now: " > samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} > ${SETDNSDOMAIN} > ${SETHOSTNAME} A ${SETSERVERIP} > fi > > > > -----Oorspronkelijk bericht----- > Van: rowlandpenny at googlemail.com > <mailto:rowlandpenny at googlemail.com> > <mailto:rowlandpenny at googlemail.com > <mailto:rowlandpenny at googlemail.com>> > [mailto:samba-bounces at lists.samba.org > <mailto:samba-bounces at lists.samba.org> > <mailto:samba-bounces at lists.samba.org > <mailto:samba-bounces at lists.samba.org>>] Namens Rowland > Penny > Verzonden: vrijdag 20 maart 2015 10:21 > Aan: samba at lists.samba.org > <mailto:samba at lists.samba.org> <mailto:samba at lists.samba.org > <mailto:samba at lists.samba.org>> > Onderwerp: Re: [Samba] Fwd: Dynamic DNS > Updates not > working. > samba_dnsupdate : (sambalist: message 3 of 20) > RuntimeError: > (sambalist: to exclusive) kinit for [DC at Realm] > failed > (Cannot > contact any KDC for requested realm) > > On 20/03/15 09:02, Timo Altun wrote: > > Thank you Louis for that answer! Actually > I did > get kinit and > samba_dnsupdate working, though I am > unsure how. I > tried > > some changes to > > krb5.conf in the [realms] and [domain_realm] > sections, als well as > setting dns_lookup_realm = false to true, but > reverted it > > all back to the > > initial file: > > [libdefaults] > default_realm = INTRANET.MAYWEG.NET > <http://INTRANET.MAYWEG.NET> > <http://INTRANET.MAYWEG.NET> > dns_lookup_realm = false > dns_lookup_kdc = true > > After a reboot, both kinit and samba_dnsupdate > worked on the > > host machine. > > Shares can be accessed, RSAT tools are > working. > From the > > linux fileserver > > nslookup and ping work for hostnames of > domainmembers, dig > > command does not > > get an answer. The windows machines can > nslookup > and ping > > everything but > > the linux machine. Somehow it did not > generate an > entry in > > the DNS Server. > > Is this normal behavior for linux domain > members > and I need > > to create the > > DNS entry manually or is something still > amiss? > > Greetings and thanks for the help so far, > Timo > > > On 20 March 2015 at 08:42, L.P.H. van Belle > <belle at bazuin.nl <mailto:belle at bazuin.nl> > <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>> wrote: > > Try change your resolv.conf from : > > nameserver 127.0.0.1 > domain intranet.mayweg.net > <http://intranet.mayweg.net> > <http://intranet.mayweg.net> > > to > nameserver 192.168.11.250 > search intranet.mayweg.net > <http://intranet.mayweg.net> > <http://intranet.mayweg.net> > > The only thing I was unsure about, was > which hostname to enter > for Kerberos > Server and Kerberos admin server when > asked during the > installation of the > packages.. > > Try these defealt settings for kerberos.. > You didnt have to enter the hostname, > Only the > default > > kerberos Domain > > name is needed. > > a copy past for you. > > echo "krb5-config > krb5-config/add_servers_realm string > INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > <http://INTRANET.MAYWEG.NET>" | > debconf-set-selections > echo "krb5-config > krb5-config/read_conf boolean true" | > debconf-set-selections > echo "krb5-config > krb5-config/kerberos_servers string " | > debconf-set-selections > echo "krb5-config > krb5-config/default_realm string > INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > <http://INTRANET.MAYWEG.NET>" | > debconf-set-selections > echo "krb5-config > krb5-config/add_servers boolean false" | > debconf-set-selections > echo "krb5-config > krb5-config/admin_server string " | > debconf-set-selections > echo "krb5-config > krb5-config/dns_for_default > > boolean true" | > > debconf-set-selections > dpkg-reconfigure plow krb5-config > > and if you want to point to a kerberos > server. > echo "krb5-config > krb5-config/kerberos_servers string > server06.intranet.mayweg.net <http://server06.intranet.mayweg.net> > <http://server06.intranet.mayweg.net>" | > debconf-set-selections > > but its not needed, man krb5.conf > tells you > enough. > > after the changes, type: > host -t SRV > _kerberos._udp.intranet.mayweg.net > <http://udp.intranet.mayweg.net> > <http://udp.intranet.mayweg.net> > > if you get not found, then we need to > analize > more. > > > > If you want to start with a "Clean server" > just have a look here. > > https://secure.bazuin.nl/scripts/ > > I added 2 simple scripts. a debian wheezy > backported and > > debian jessie > > script. > The Jessie script is basicly the wheezy > backported version, > > but without > > the backports repo. > Its a set with minimal changes to the > system, > and use the > > defaults there > > where possible. > > If you look in the script, > these settings MUST be set. > Settings you must change are : > > NTPD_SERVER1_EXTERNAL > NTPD_RESTRICT_INTERFACE ( if you dont > have a > eth0 ) > BIND9_NETWORKS > SAMBA_DC1_IP > SAMBA_NT_DOMAIN > SAMBA_SITE_NAME > > optional: > SAMBA_PASS_POLICY_CHANGE > SAMBA_TEMPLATE_HOMEDIR > SAMBA_TEMPLATE_SHELL > > > and as last : > CONFIGURED > > All other options are optional. > If you have a different dns domain > name and > kerberos domain. > you must change that.. etc.. > > Greetz, > > Louis > > > > -----Oorspronkelijk bericht----- > Van: olol13.samba at the-1337.org > <mailto:olol13.samba at the-1337.org> > <mailto:olol13.samba at the-1337.org > <mailto:olol13.samba at the-1337.org>> > > [mailto:samba-bounces at lists.samba.org > <mailto:samba-bounces at lists.samba.org> > > <mailto:samba-bounces at lists.samba.org > <mailto:samba-bounces at lists.samba.org>>] > Namens Timo Altun > Verzonden: vrijdag 20 maart 2015 0:04 > Aan: Peter Serbe; > samba at lists.samba.org <mailto:samba at lists.samba.org> > <mailto:samba at lists.samba.org > <mailto:samba at lists.samba.org>>; Rowland > Penny - > repenny241155 at gmail.com <mailto:repenny241155 at gmail.com> > <mailto:repenny241155 at gmail.com > <mailto:repenny241155 at gmail.com>> > Onderwerp: Re: [Samba] Fwd: > Dynamic DNS > Updates not working. > samba_dnsupdate : (sambalist: > message 3 of > 20) RuntimeError: > (sambalist: to exclusive) kinit for > [DC at Realm] failed (Cannot > contact any KDC for requested realm) > > Ok, I setup a new machine with Debian > Jessie and checked > > and installed > > everything from OS requirements in > the wiki ( > https://wiki.samba.org/index.php/OS_Requirements > ). > The only thing I was unsure about, was > which hostname to enter > for Kerberos > Server and Kerberos admin server when > asked during the > installation of the > packages...I used > krb.intranet.mayweg.net <http://krb.intranet.mayweg.net> > <http://krb.intranet.mayweg.net>. > Now, after the classicupgrade > kinit isn't > working anymore...I > get the same > error I get when trying > samba_dnsupdate: > kinit: Cannot contact any KDC for > realm > 'INTRANET.MAYWEG.NET > <http://INTRANET.MAYWEG.NET> > <http://INTRANET.MAYWEG.NET>' > > while getting > initial credentials. > > One step I did not do as stated in the > wiki is configuring > > bind with > > --with-gssapi=/usr/include/gssapi > --with-dlopen=yes. > Once again the dlopen driver seems > to work > in this version, > but I have no > idea about the first part. Should > I build > bind myself with the > first option? > @Rowland, did you have a working bind > installation before you > upgraded/provisioned your domain? > > @Peter There is no file called > namedb in > /etc/bind, but the > whole folder is > writeable for user bind. > > My configs, now mostly adapted from > Rowland's woking > > configuration are: > > /etc/network/interfaces: > auto lo > iface lo inet loopback > > auto eth0 > iface eth0 inet static > address 192.168.11.250 > network 192.168.11.0 > netmask 255.255.255.0 > broadcast 192.168.11.255 > > /etc/hosts: > 127.0.0.1 localhost > 192.168.11.250 > server06.intranet.mayweg.net <http://server06.intranet.mayweg.net> > > <http://server06.intranet.mayweg.net> > server06 krb > > # The following lines are > desirable for > IPv6 capable hosts > ::1 localhost ip6-localhost > ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > > /etc/resolv.conf: > nameserver 127.0.0.1 > domain intranet.mayweg.net > <http://intranet.mayweg.net> > <http://intranet.mayweg.net> > > /etc/bind/named.conf: > include > "/etc/bind/named.conf.options"; > include "/etc/bind/named.conf.local"; > include > "/etc/bind/named.conf.default-zones"; > include > "/var/lib/samba/private/named.conf"; > > /etc/bin/named.conf.options: > options { > directory "/var/cache/bind"; > dnssec-validation no; > auth-nxdomain no; # conform to > RFC1035 > listen-on-v6 { any; }; > tkey-gssapi-keytab > "/var/lib/samba/private/dns.keytab"; > }; > > /var/lib/samba/private/named.conf: > database "dlopen > > /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so"; > > /etc/krb5.conf: > [libdefaults] > default_realm > INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> > <http://INTRANET.MAYWEG.NET> > dns_lookup_realm = false > dns_lookup_kdc = true > > /etc/samba/smb.conf: > # Global parameters > [global] > workgroup = MAYWEG.NET > <http://MAYWEG.NET> <http://MAYWEG.NET> > realm = INTRANET.MAYWEG.NET > <http://INTRANET.MAYWEG.NET> > <http://INTRANET.MAYWEG.NET> > netbios name = SERVER06 > interfaces = lo, eth0 > bind interfaces only = Yes > server role = active directory domain > controller > server services = s3fs, rpc, nbt, > wrepl, > ldap, cldap, kdc, > drepl, winbind, > ntp_signd, kcc, dnsupdate > idmap_ldb:use rfc2307 = yes > > [netlogon] > path > > /var/lib/samba/sysvol/intranet.mayweg.net/scripts > <http://intranet.mayweg.net/scripts> > <http://intranet.mayweg.net/scripts> > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > On 19 March 2015 at 15:31, Peter Serbe > <peter at serbe.ch > <mailto:peter at serbe.ch> <mailto:peter at serbe.ch > <mailto:peter at serbe.ch>>> > > wrote: > > Timo Altun schrieb am > 19.03.2015 10:30: > > As I wrote in my first mail, > Kerberos does work. I can > > successfully > > request > > and list a ticket on the > AC DC. > > OK, then next things, which > come to my > mind are: > is the keytab, you set in > named.conf.options readable > for the user, under which bind > is run. > > Then, is the /etc/bind/namedb > writable > for bind. > > And in the end, it might be a > screwed > up installation. > I had troubles with dynamic > updates a > long time ago, > when it turned out, that I screwed > something up during > the installation. > > HTH > - Peter > > > -- > To unsubscribe from this list go > to the > following URL and read the > instructions: > https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the > following URL and read the > instructions: > https://lists.samba.org/mailman/options/samba > > Can you post the smb.conf from the linux > fileserver > > Rowland > > -- > To unsubscribe from this list go to the > following URL > and read the > instructions: > https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following > URL and > read the > instructions: > https://lists.samba.org/mailman/options/samba > > > OK, too much wrong in that smb.conf to mention, go and > have a look > here: > > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server > > > Rowland > > -- To unsubscribe from this list go to the following > URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Reasonably Related Threads
- Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
- Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
- Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
- Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
- Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)