Rowland Penny
2022-Jun-07 07:27 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On Mon, 2022-06-06 at 14:13 -0700, Matthew Schumacher via samba wrote:
> On 6/6/22 8:08 AM, Rowland Penny via samba wrote:
> > You might want to read this:
> > https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> >
> > Where you will find that using MIT is classed as experimental and
> > running Samba with MIT as an RODC isn't supported.
> >
> > Rowland
> >
>
> Thanks for the reply.
>
> I looked for documentation on how to convert from MIT to Heimdal, but
> didn't see anything. Can I simply rebuild and re-deploy or do I need to
> demote each domain controller then add it back in again?
>
> Thanks,
> schu
>

Just add another DC that uses Heimdal and then demote one of your
existing DCs, repeat until you have no DCs running MIT.

Rowland
Matthew Schumacher
2022-Jun-08 23:05 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On 6/7/22 12:27 AM, Rowland Penny via samba wrote:
>> Thanks for the reply.
>>
>> I looked for documentation on how to convert from MIT to Heimdal, but
>> didn't see anything. Can I simply rebuild and re-deploy or do I need to
>> demote each domain controller then add it back in again?
>>
>> Thanks,
>> schu
>>
> Just add another DC that uses Heimdal and then demote one of your
> existing DCs, repeat until you have no DCs running MIT.
>
> Rowland
>

I took some time to recompile and test out. This page
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
suggests you call kinit before you join the domain, but kinit is from my
OS now since Kerberos is internal. I think this might have something to
do with the next error, which is that I can't join the domain with
"--dns-backend=BIND9_DLZ". I get the following:

root@auth:/var/lib/samba/private# samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
Password for [ADMIN\administrator]:
INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Setting account password for AUTH$
Enabling account
Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
Join failed - cleaning up
Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0 > <>
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
    ctx.do_join()
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
    ctx.join_add_objects()
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
    ctx.samdb.add(msg)

If I join the domain without BIND9, it works fine, but it appears to
skip the DNS install:

samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --server masterdc

What is interesting is that I can demote this controller then
immediately add it back with bind9:

samba-tool domain demote -U"ADMIN\administrator" --server masterdc
samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc

It works, but samba binds its own internal DNS to port 53 and bind9
can't be started. I also figured out that if I add a krb5.conf file in
my samba/private directory I can get it to join the domain even with
"--dns-backend=BIND9_DLZ", but the result is the same in that samba
appears to use its own DNS server.

Is there a way to use the internal Kerberos and external DNS, or should
I try to set up bind as a caching forwarder to internal DNS bound to a
different IP or port? I looked around in the documentation but didn't
see anything obvious regarding how different DNS systems depend on
different Kerberos systems.

Thanks,
Matt