Matthew Schumacher
2022-Jun-08  23:05 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On 6/7/22 12:27 AM, Rowland Penny via samba wrote:
>> Thanks for the reply.
>>
>> I looked for documentation on how to convert from MIT to Heimdal, but
>> didn't see anything. Can I simply rebuild and re-deploy or do I need to
>> demote each domain controller then add it back in again?
>>
>> Thanks,
>> schu
>>
> Just add another DC that uses Heimdal and then demote one of your
> existing DCs, repeat until you have no DCs running MIT.
>
> Rowland
>

I took some time to recompile and test out. This page
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
suggests you call kinit before you join the domain but kinit is from my OS
now since kerberos is internal. I think this might have something to do
with the next error which is I can't join the domain with
"--dns-backend=BIND9_DLZ"

I get the following:

root at auth:/var/lib/samba/private# samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
Password for [ADMIN\administrator]:
INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Setting account password for AUTH$
Enabling account
Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
Join failed - cleaning up
Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0 > <>
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
    ctx.do_join()
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
    ctx.join_add_objects()
  File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
    ctx.samdb.add(msg)

If I join the domain without BIND9, it works fine, but it appears to skip
the DNS install:

samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --server masterdc

What is interesting is that I can demote this controller then immediately
add it back with bind9:

samba-tool domain demote -U"ADMIN\administrator" --server masterdc
samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc

It works, but samba binds its own internal DNS to port 53 and bind9 can't
be started. I also figured out that if I add a krb5.conf file in my
samba/private directory I can get it to join the domain even with
"--dns-backend=BIND9_DLZ" but the result is the same in that samba
appears to use its own DNS server.

Is there a way to use the internal kerberos and external DNS or should I
try to set up bind as a caching forwarder to internal DNS bound to a
different IP or port?

I looked around in the documentation but didn't see anything obvious
regarding how different DNS systems depend on different Kerberos systems.

Thanks,
Matt
Rowland Penny
2022-Jun-09  06:19 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On Wed, 2022-06-08 at 16:05 -0700, Matthew Schumacher via samba wrote:
> On 6/7/22 12:27 AM, Rowland Penny via samba wrote:
> > > Thanks for the reply.
> > >
> > > I looked for documentation on how to convert from MIT to Heimdal,
> > > but didn't see anything. Can I simply rebuild and re-deploy or do I
> > > need to demote each domain controller then add it back in again?
> > >
> > > Thanks,
> > > schu
> > >
> > Just add another DC that uses Heimdal and then demote one of your
> > existing DCs, repeat until you have no DCs running MIT.
> >
> > Rowland
> >
>
> I took some time to recompile and test out. This page
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> suggests you call kinit before you join the domain but kinit is from
> my OS now since kerberos is internal. I think this might have something
> to do with the next error which is I can't join the domain with
> "--dns-backend=BIND9_DLZ"
>
> I get the following:
>
> root at auth:/var/lib/samba/private# samba-tool domain join
> admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ
> --server masterdc
> Password for [ADMIN\administrator]:
> INFO 2022-06-08 21:58:18,008 pid:750
> /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
> INFO 2022-06-08 21:58:18,008 pid:750
> /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
> Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Setting account password for AUTH$
> Enabling account
> Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
> Join failed - cleaning up
> Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523:
> SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0 > <>
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
>     join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
>     ctx.samdb.add(msg)
>
> If I join the domain without BIND9, it works fine, but it appears to
> skip the DNS install:
>
> samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --server masterdc
>
> What is interesting is that I can demote this controller then
> immediately add it back with bind9:
>
> samba-tool domain demote -U"ADMIN\administrator" --server masterdc
> samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
>
> It works, but samba binds its own internal DNS to port 53 and bind9
> can't be started. I also figured out that if I add a krb5.conf file in
> my samba/private directory I can get it to join the domain even with
> "--dns-backend=BIND9_DLZ" but the result is the same in that samba
> appears to use its own DNS server.
>
> Is there a way to use the internal kerberos and external DNS or
> should I try to set up bind as a caching forwarder to internal DNS
> bound to a different IP or port?
>
> I looked around in the documentation but didn't see anything obvious
> regarding how different DNS systems depend on different Kerberos
> systems.
>
> Thanks,
> Matt
>

It sounds like you are running Samba as an AD DC using the dns domain
'domain.net' and it also sounds like you are running a MIT kdc using the
same dns domain. If this is the case, choose one (preferably the MIT kdc)
and turn it off.

Rowland
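The symptom Matt describes, samba binding its own DNS server to port 53 so that named (the BIND9_DLZ back end) cannot start, is decided by the "server services" parameter in smb.conf. The script below is an added example for checking that before starting the daemons; it is not from the thread or from the Samba project. It assumes the documented semantics of "server services": when the parameter is absent, the DC default list applies and that list includes dns; a value made only of +svc/-svc tokens edits the default list (so "-dns", which the Samba wiki's BIND9_DLZ setup expects in [global], removes the internal DNS server); a bare list replaces the default list outright. The two smb.conf files it writes are constructed samples, not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): report whether an
# smb.conf leaves Samba's built-in DNS server active. If it is, samba will
# take port 53 and a BIND9_DLZ named cannot bind it.
#
# Assumed "server services" semantics (smb.conf(5)):
#   absent           -> DC default list applies, which includes "dns"
#   only +svc/-svc   -> default list is edited ("-dns" removes dns)
#   bare list        -> replaces the default list entirely

# Usage: internal_dns_enabled /path/to/smb.conf
# Exit status 0 = internal dns service would run, 1 = it is disabled.
internal_dns_enabled() {
    conf="$1"
    # First uncommented "server services = ..." value, case-insensitive.
    # Comment lines start with ';' or '#', so the anchored match skips them.
    value=$(awk -F= 'tolower($1) ~ /^[ \t]*server services[ \t]*$/ {
                         sub(/^[ \t]+/, "", $2); print $2; exit }' "$conf")
    if [ -z "$value" ]; then
        return 0            # parameter absent: default list, dns included
    fi

    has_dns=0
    bare_list=0
    for tok in $(printf '%s\n' "$value" | tr ',' ' '); do
        case "$tok" in
            -dns)  return 1 ;;            # explicitly removed from the default
            +dns)  return 0 ;;            # explicitly added
            [+-]*) ;;                     # edits that touch other services
            dns)   has_dns=1; bare_list=1 ;;
            *)     bare_list=1 ;;         # bare entry: list replaces default
        esac
    done
    if [ "$bare_list" -eq 1 ]; then
        if [ "$has_dns" -eq 1 ]; then return 0; fi
        return 1
    fi
    return 0                # only +/- edits seen, none about dns: default keeps it
}

# Constructed sample configs (not the poster's files) to exercise the check.
conf_bind=$(mktemp)
printf '[global]\n\tserver services = -dns\n\tdns forwarder = 192.0.2.1\n' > "$conf_bind"
conf_internal=$(mktemp)
printf '[global]\n\tworkgroup = ADMIN\n\trealm = ADMIN.DOMAIN.NET\n' > "$conf_internal"

for c in "$conf_bind" "$conf_internal"; do
    if internal_dns_enabled "$c"; then
        echo "$c: internal DNS active, samba will bind port 53"
    else
        echo "$c: internal DNS disabled, named may own port 53 (BIND9_DLZ layout)"
    fi
done
rm -f "$conf_bind" "$conf_internal"
```

On a live DC the effective value can be confirmed with testparm -s --parameter-name='server services', and whichever daemon already holds the port shows up in ss -lnup 'sport = :53'; running this check before enabling named turns a confusing startup failure into an explicit configuration error.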