Julian Timm
2017-Jun-12 10:32 UTC
[Samba] Changing the IP Address of a Samba AD DC doesn't work - samba_dnsupdate crashes
Hello!

I've followed your tutorial to change the IP Address of our Samba AD DC:
https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC

But the samba_dnsupdate tool always crashes with this output:

samba_dnsupdate --verbose
Unknown parameter encountered: "ks"
Ignoring unknown parameter "ks"
IPs: ['192.168.68.201']
Looking for DNS entry A mydomain.lan 192.168.68.201 as mydomain.lan.
Failed to find matching DNS entry A mydomain.lan 192.168.68.201
Looking for DNS entry A PDC.mydomain.lan 192.168.68.201 as PDC.mydomain.lan.
Failed to find matching DNS entry A PDC.mydomain.lan 192.168.68.201
Looking for DNS entry A gc._msdcs.mydomain.lan 192.168.68.201 as gc._msdcs.mydomain.lan.
Failed to find matching DNS entry A gc._msdcs.mydomain.lan 192.168.68.201
Looking for DNS entry CNAME 43bd4564-2ae5-4e61-a5ee-f1c2e80e9c37._msdcs.mydomain.lan PDC.mydomain.lan as 43bd4564-2ae5-4e61-a5ee-f1c2e80e9c37._msdcs.mydomain.lan.
Looking for DNS entry SRV _kpasswd._tcp.mydomain.lan PDC.mydomain.lan 464 as _kpasswd._tcp.mydomain.lan.
Checking 0 100 464 PDC.mydomain.lan. against SRV _kpasswd._tcp.mydomain.lan PDC.mydomain.lan 464
Looking for DNS entry SRV _kpasswd._udp.mydomain.lan PDC.mydomain.lan 464 as _kpasswd._udp.mydomain.lan.
Checking 0 100 464 PDC.mydomain.lan. against SRV _kpasswd._udp.mydomain.lan PDC.mydomain.lan 464
Looking for DNS entry SRV _kerberos._tcp.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.mydomain.lan.
Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.mydomain.lan PDC.mydomain.lan 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.dc._msdcs.mydomain.lan.
Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.dc._msdcs.mydomain.lan PDC.mydomain.lan 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.mydomain.lan.
Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan.
Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan PDC.mydomain.lan 88
Looking for DNS entry SRV _kerberos._udp.mydomain.lan PDC.mydomain.lan 88 as _kerberos._udp.mydomain.lan.
Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._udp.mydomain.lan PDC.mydomain.lan 88
Looking for DNS entry SRV _ldap._tcp.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.mydomain.lan.
Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.mydomain.lan PDC.mydomain.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.dc._msdcs.mydomain.lan.
Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.dc._msdcs.mydomain.lan PDC.mydomain.lan 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.mydomain.lan PDC.mydomain.lan 3268 as _ldap._tcp.gc._msdcs.mydomain.lan.
Checking 0 100 3268 PDC.mydomain.lan. against SRV _ldap._tcp.gc._msdcs.mydomain.lan PDC.mydomain.lan 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.pdc._msdcs.mydomain.lan.
Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.pdc._msdcs.mydomain.lan PDC.mydomain.lan 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.mydomain.lan.
Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan.
Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan PDC.mydomain.lan 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.lan PDC.mydomain.lan 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.lan.
Checking 0 100 3268 PDC.mydomain.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.lan PDC.mydomain.lan 3268
Looking for DNS entry SRV _ldap._tcp.61911020-60b6-42e6-8e50-6addd34584df.domains._msdcs.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.61911020-60b6-42e6-8e50-6addd34584df.domains._msdcs.mydomain.lan.
Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.61911020-60b6-42e6-8e50-6addd34584df.domains._msdcs.mydomain.lan PDC.mydomain.lan 389
Looking for DNS entry SRV _gc._tcp.mydomain.lan PDC.mydomain.lan 3268 as _gc._tcp.mydomain.lan.
Checking 0 100 3268 PDC.mydomain.lan. against SRV _gc._tcp.mydomain.lan PDC.mydomain.lan 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 3268 as _gc._tcp.Default-First-Site-Name._sites.mydomain.lan.
Checking 0 100 3268 PDC.mydomain.lan. against SRV _gc._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 3268
Looking for DNS entry A mydomain.lan 192.168.18.201 as mydomain.lan.
Looking for DNS entry A PDC.mydomain.lan 192.168.18.201 as PDC.mydomain.lan.
Looking for DNS entry A gc._msdcs.mydomain.lan 192.168.18.201 as gc._msdcs.mydomain.lan.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 621, in <module>
    get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
    raise e
RuntimeError: kinit for PDC$@mydomain.LAN failed (Cannot contact any KDC for requested realm)

-> Old IP: 192.168.18.201
-> New IP: 192.168.18.201

Kinit failed because it still uses the old address.

We are using Ubuntu 14.04.5 with Samba 4.3.11.

How can I fix this problem?

Thanks for help!

Julian

Rowland Penny
2017-Jun-12 11:12 UTC
[Samba] Changing the IP Address of a Samba AD DC doesn't work - samba_dnsupdate crashes
On Mon, 12 Jun 2017 12:32:34 +0200
Julian Timm via samba <samba at lists.samba.org> wrote:

> Hello!
>
> I've followed your tutorial to change the IP Address of our Samba AD
> DC:
> https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC
>
> But the samba_dnsupdate tool always crashes with this output:
>
> samba_dnsupdate --verbose
> Unknown parameter encountered: "ks"
> Ignoring unknown parameter "ks"
> IPs: ['192.168.68.201']

Can you post your smb.conf, this way we can see what 'ks' is and if it
is part of your problem.

> Looking for DNS entry A mydomain.lan 192.168.68.201 as mydomain.lan.
> Failed to find matching DNS entry A mydomain.lan 192.168.68.201
> Looking for DNS entry A PDC.mydomain.lan 192.168.68.201 as
> PDC.mydomain.lan. Failed to find matching DNS entry A
> PDC.mydomain.lan 192.168.68.201 Looking for DNS entry A
> gc._msdcs.mydomain.lan 192.168.68.201 as gc._msdcs.mydomain.lan.
> Failed to find matching DNS entry A gc._msdcs.mydomain.lan
> 192.168.68.201
> as PDC.mydomain.lan. Looking for DNS entry A gc._msdcs.mydomain.lan
> 192.168.18.201 as gc._msdcs.mydomain.lan. Traceback (most recent call
> last): File "/usr/sbin/samba_dnsupdate", line 621, in <module>
> get_credentials(lp) File "/usr/sbin/samba_dnsupdate", line 125, in
> get_credentials raise e RuntimeError: kinit for PDC$@mydomain.LAN
> failed (Cannot contact any KDC for requested realm)
>
> -> Old IP: 192.168.18.201
> -> New IP: 192.168.18.201

Those IPs match

>
> Kinit failed because it still uses the old address.
>
> We are using Ubuntu 14.04.5 with Samba 4.3.11.
>

Is this a domain with only one DC?

Is there any way you can upgrade Samba?

Rowland

Julian Timm
2017-Jun-12 12:33 UTC
[Samba] Changing the IP Address of a Samba AD DC doesn't work - samba_dnsupdate crashes
Thanks for your reply Rowland!

1. Here is my smb.conf

---
# Global parameters
[global]
    interfaces = eth0
    workgroup = MYDOMAIN
    realm = mydomain.lan
    netbios name = PDC
    server string = PDC
    server role = active directory domain controller
    passdb backend = samba4
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes

    # Kerberos ticket lifetime settings
    kdc:service ticket lifetime = 24
    kdc:user ticket lifetime = 24
    kdc:renewal lifetime = 120

    # Other options
    hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/$RECYCLE.BIN
    reset on zero vc = yes

    # Print server options
    load printers = yes
    spoolss: architecture = Windows x64
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork

# System shares
[netlogon]
    path = /var/lib/samba/sysvol/mydomain.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

# User shares, programs and data
[Benutzer]
    path = /volumes/HDD1/Benutzer
    read only = No
    oplocks = No
    level2 oplocks = No

[Profile]
    path = /volumes/HDD1/Profile
    read only = No
    oplocks = No
    level2 oplocks = No

[Programme]
    path = /volumes/HDD1/Programme
    read only = No
    ks = No

[Datenaustausch]
    path = /volumes/HDD1/Datenaustausch
    read only = No

[Install]
    path = /volumes/HDD1/Install
    read only = No
    ;; map = Z: () (Domain Admins) ()

# Printer shares
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = Yes
    read only = No
    printable = Yes
    printing = CUPS

[print$]
    comment = Point and Print Printer Drivers
    path = /var/lib/samba/printers
    writeable = yes
---

1. I mean: Old IP: 192.168.18.201 - New IP: 192.168.68.201 (I just did a copy and paste and forgot to change the IP)
2. I see that "ks" is a typo in my smb.conf! It should be "oplocks = no"! I will change that!
3. Yes, this is a domain with only one DC
4. At the moment I have no time to update the server to a newer Ubuntu/Samba version, so I hope we can get this to work with Ubuntu 14.04.5

> Sent: Monday, 12 June 2017 at 13:12
> From: "Rowland Penny via samba" <samba at lists.samba.org>
> To: samba at lists.samba.org
> Subject: Re: [Samba] Changing the IP Address of a Samba AD DC doesn't work - samba_dnsupdate crashes
>
> On Mon, 12 Jun 2017 12:32:34 +0200
> Julian Timm via samba <samba at lists.samba.org> wrote:
>
> > Hello!
> >
> > I've followed your tutorial to change the IP Address of our Samba AD
> > DC:
> > https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC
> >
> > But the samba_dnsupdate tool always crashes with this output:
> >
> > samba_dnsupdate --verbose
> > Unknown parameter encountered: "ks"
> > Ignoring unknown parameter "ks"
> > IPs: ['192.168.68.201']
>
> Can you post your smb.conf, this way we can see what 'ks' is and if it
> is part of your problem.
>
> > Looking for DNS entry A mydomain.lan 192.168.68.201 as mydomain.lan.
> > Failed to find matching DNS entry A mydomain.lan 192.168.68.201
> > Looking for DNS entry A PDC.mydomain.lan 192.168.68.201 as
> > PDC.mydomain.lan. Failed to find matching DNS entry A
> > PDC.mydomain.lan 192.168.68.201 Looking for DNS entry A
> > gc._msdcs.mydomain.lan 192.168.68.201 as gc._msdcs.mydomain.lan.
> > Failed to find matching DNS entry A gc._msdcs.mydomain.lan
> > 192.168.68.201
> > as PDC.mydomain.lan. Looking for DNS entry A gc._msdcs.mydomain.lan
> > 192.168.18.201 as gc._msdcs.mydomain.lan. Traceback (most recent call
> > last): File "/usr/sbin/samba_dnsupdate", line 621, in <module>
> > get_credentials(lp) File "/usr/sbin/samba_dnsupdate", line 125, in
> > get_credentials raise e RuntimeError: kinit for PDC$@mydomain.LAN
> > failed (Cannot contact any KDC for requested realm)
> >
> > -> Old IP: 192.168.18.201
> > -> New IP: 192.168.18.201
>
> Those IPs match
>
> >
> > Kinit failed because it still uses the old address.
> >
> > We are using Ubuntu 14.04.5 with Samba 4.3.11.
> >
>
> Is this a domain with only one DC?
>
> Is there any way you can upgrade Samba?
>
> Rowland

Garming Sam
2017-Jun-12 23:32 UTC
[Samba] Changing the IP Address of a Samba AD DC doesn't work - samba_dnsupdate crashes
Hi,

It seems like hardcoding the new address in your /etc/krb5.conf might work. Upgrading should make this more reliable, but a conf change might be all you need for now.

Cheers,

Garming

On 12/06/17 22:32, Julian Timm via samba wrote:
> Hello!
>
> I've followed your tutorial to change the IP Address of our Samba AD DC:
> https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC
>
> But the samba_dnsupdate tool always crashes with this output:
>
> samba_dnsupdate --verbose
> Unknown parameter encountered: "ks"
> Ignoring unknown parameter "ks"
> IPs: ['192.168.68.201']
> Looking for DNS entry A mydomain.lan 192.168.68.201 as mydomain.lan.
> Failed to find matching DNS entry A mydomain.lan 192.168.68.201
> Looking for DNS entry A PDC.mydomain.lan 192.168.68.201 as PDC.mydomain.lan.
> Failed to find matching DNS entry A PDC.mydomain.lan 192.168.68.201
> Looking for DNS entry A gc._msdcs.mydomain.lan 192.168.68.201 as gc._msdcs.mydomain.lan.
> Failed to find matching DNS entry A gc._msdcs.mydomain.lan 192.168.68.201
> Looking for DNS entry CNAME 43bd4564-2ae5-4e61-a5ee-f1c2e80e9c37._msdcs.mydomain.lan PDC.mydomain.lan as 43bd4564-2ae5-4e61-a5ee-f1c2e80e9c37._msdcs.mydomain.lan.
> Looking for DNS entry SRV _kpasswd._tcp.mydomain.lan PDC.mydomain.lan 464 as _kpasswd._tcp.mydomain.lan.
> Checking 0 100 464 PDC.mydomain.lan. against SRV _kpasswd._tcp.mydomain.lan PDC.mydomain.lan 464
> Looking for DNS entry SRV _kpasswd._udp.mydomain.lan PDC.mydomain.lan 464 as _kpasswd._udp.mydomain.lan.
> Checking 0 100 464 PDC.mydomain.lan. against SRV _kpasswd._udp.mydomain.lan PDC.mydomain.lan 464
> Looking for DNS entry SRV _kerberos._tcp.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.mydomain.lan.
> Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.mydomain.lan PDC.mydomain.lan 88
> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.dc._msdcs.mydomain.lan.
> Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.dc._msdcs.mydomain.lan PDC.mydomain.lan 88
> Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.mydomain.lan.
> Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 88
> Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan.
> Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan PDC.mydomain.lan 88
> Looking for DNS entry SRV _kerberos._udp.mydomain.lan PDC.mydomain.lan 88 as _kerberos._udp.mydomain.lan.
> Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._udp.mydomain.lan PDC.mydomain.lan 88
> Looking for DNS entry SRV _ldap._tcp.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.mydomain.lan.
> Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.mydomain.lan PDC.mydomain.lan 389
> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.dc._msdcs.mydomain.lan.
> Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.dc._msdcs.mydomain.lan PDC.mydomain.lan 389
> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.mydomain.lan PDC.mydomain.lan 3268 as _ldap._tcp.gc._msdcs.mydomain.lan.
> Checking 0 100 3268 PDC.mydomain.lan. against SRV _ldap._tcp.gc._msdcs.mydomain.lan PDC.mydomain.lan 3268
> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.pdc._msdcs.mydomain.lan.
> Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.pdc._msdcs.mydomain.lan PDC.mydomain.lan 389
> Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.mydomain.lan.
> Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 389
> Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan.
> Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.lan PDC.mydomain.lan 389
> Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.lan PDC.mydomain.lan 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.lan.
> Checking 0 100 3268 PDC.mydomain.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.lan PDC.mydomain.lan 3268
> Looking for DNS entry SRV _ldap._tcp.61911020-60b6-42e6-8e50-6addd34584df.domains._msdcs.mydomain.lan PDC.mydomain.lan 389 as _ldap._tcp.61911020-60b6-42e6-8e50-6addd34584df.domains._msdcs.mydomain.lan.
> Checking 0 100 389 PDC.mydomain.lan. against SRV _ldap._tcp.61911020-60b6-42e6-8e50-6addd34584df.domains._msdcs.mydomain.lan PDC.mydomain.lan 389
> Looking for DNS entry SRV _gc._tcp.mydomain.lan PDC.mydomain.lan 3268 as _gc._tcp.mydomain.lan.
> Checking 0 100 3268 PDC.mydomain.lan. against SRV _gc._tcp.mydomain.lan PDC.mydomain.lan 3268
> Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 3268 as _gc._tcp.Default-First-Site-Name._sites.mydomain.lan.
> Checking 0 100 3268 PDC.mydomain.lan. against SRV _gc._tcp.Default-First-Site-Name._sites.mydomain.lan PDC.mydomain.lan 3268
> Looking for DNS entry A mydomain.lan 192.168.18.201 as mydomain.lan.
> Looking for DNS entry A PDC.mydomain.lan 192.168.18.201 as PDC.mydomain.lan.
> Looking for DNS entry A gc._msdcs.mydomain.lan 192.168.18.201 as gc._msdcs.mydomain.lan.
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 621, in <module>
>     get_credentials(lp)
>   File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
>     raise e
> RuntimeError: kinit for PDC$@mydomain.LAN failed (Cannot contact any KDC for requested realm)
>
> -> Old IP: 192.168.18.201
> -> New IP: 192.168.18.201
>
> Kinit failed because it still uses the old address.
>
> We are using Ubuntu 14.04.5 with Samba 4.3.11.
>
> How can I fix this problem?
>
> Thanks for help!
>
> Julian
>
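
The `samba_dnsupdate --verbose` output posted in this thread can be triaged mechanically; the following is an added example, not code from any poster or from Samba. The function name `triage`, the result keys and the shortened sample log are constructed for illustration. It reports which records were flagged as missing, which A lookups used an address absent from the tool's `IPs:` line, and the kinit error.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt in the format of the
# `samba_dnsupdate --verbose` output posted in this thread.
SAMPLE = """\
IPs: ['192.168.68.201']
Looking for DNS entry A mydomain.lan 192.168.68.201 as mydomain.lan.
Failed to find matching DNS entry A mydomain.lan 192.168.68.201
Looking for DNS entry A PDC.mydomain.lan 192.168.68.201 as PDC.mydomain.lan.
Failed to find matching DNS entry A PDC.mydomain.lan 192.168.68.201
Looking for DNS entry SRV _kerberos._tcp.mydomain.lan PDC.mydomain.lan 88 as _kerberos._tcp.mydomain.lan.
Checking 0 100 88 PDC.mydomain.lan. against SRV _kerberos._tcp.mydomain.lan PDC.mydomain.lan 88
Looking for DNS entry A mydomain.lan 192.168.18.201 as mydomain.lan.
Looking for DNS entry A PDC.mydomain.lan 192.168.18.201 as PDC.mydomain.lan.
RuntimeError: kinit for PDC$@mydomain.LAN failed (Cannot contact any KDC for requested realm)
"""

IPS = re.compile(r"^IPs: \[(.*)\]$")
LOOK = re.compile(r"^Looking for DNS entry (\S+) (\S+) (.+) as \S+$")
FAIL = re.compile(r"^Failed to find matching DNS entry (\S+) (\S+) (.+)$")
KINIT = re.compile(r"kinit for (\S+) failed \((.+)\)")


def triage(text):
    """Summarise one verbose run: missing records, odd A lookups, kinit error."""
    local_ips, looked, failed, kinit = set(), [], set(), None
    for line in text.splitlines():
        line = line.strip()
        if m := IPS.match(line):
            local_ips = set(re.findall(r"'([^']+)'", m.group(1)))
        elif m := LOOK.match(line):
            looked.append(m.groups())      # (type, name, value)
        elif m := FAIL.match(line):
            failed.add(m.groups())
        elif m := KINIT.search(line):
            kinit = {"principal": m.group(1), "reason": m.group(2)}
    # Group A-record lookups by the address they were made for.
    a_by_ip = defaultdict(list)
    for rtype, name, value in looked:
        if rtype == "A":
            a_by_ip[value].append(name)
    return {
        "local_ips": sorted(local_ips),
        "missing": sorted(failed),
        # A lookups for addresses the tool did not list under "IPs:"
        "unlisted_ip_lookups": {ip: names for ip, names in a_by_ip.items()
                                if ip not in local_ips},
        "kinit_error": kinit,
    }
```

Calling `triage()` on the full captured output instead of `SAMPLE` gives the same summary for a real run.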