Rowland Penny
2022-Jul-14 07:23 UTC
[Samba] Problems runing kinit on a (wannabe) secondary DC
On Thu, 2022-07-14 at 08:43 +0200, Lorenzo Milesi via samba wrote:> I've installed a DC on Ubuntu 20.04 with Samba 4.15 using Van Belle's > repos. > The DC is used for LDAP auth and working fine. It hasn't been tested > for Windows clients auth, yet. > > I'm attempting to configure a secondary DC, on a remote VPS withe > same specs as above, but I'm unable to initialize kerberos > communications. On the client I get the "classic" 'Cannot contact any > KDC for realm ... while getting initial credentials', while from > debug I'm unable to figure out what's going bad. > > Active DC: 192.168.8.1 Samba 4.15.7-Ubuntu (dc-contabo) > Secondary DC: 192.168.1.206 Samba 4.15.7-Ubuntu (dc-lan)No, that is: first DC and another DC, all DC's are equal except for the FSMO roles.> > > root at dc-lan:~# KRB5_TRACE=/dev/stdout kinit Administrator > [987] 1657780070.241479: Getting initial credentials for > Administrator at WDC.DOMAIN.IT > kinit: Cannot contact any KDC for realm 'WDC.DOMAIN.IT' while getting > initial credentialsObviously your prospective second DC cannot contact your first DC.> Primary smb.conf: > # Global parameters > [global] > dns forwarder = 1.1.1.1 > netbios name = DC-CONTABO > realm = WDC.DOMAIN.IT > server role = active directory domain controller > workgroup = DOMAIN > allow dns updates = disabledWhy have you disabled dns updates ?> interfaces = eth1 > bind interfaces only = yes > server services = -dnsAs you seem to be using Bind9, why is a dns forwarder set ? Can you ping the first DC from the second DC ? I suggest you go here: https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh Download the script and run it on both your DC's and post the output into a reply to this. Rowland
Lorenzo Milesi
2022-Jul-14 12:36 UTC
[Samba] Problems runing kinit on a (wannabe) secondary DC
>> Primary smb.conf: >> # Global parameters >> [global] >> dns forwarder = 1.1.1.1 >> netbios name = DC-CONTABO >> realm = WDC.DOMAIN.IT >> server role = active directory domain controller >> workgroup = DOMAIN >> allow dns updates = disabled > > Why have you disabled dns updates ?Possibly unintentionally while trying to debug...> >> interfaces = eth1 >> bind interfaces only = yes >> server services = -dns > > As you seem to be using Bind9, why is a dns forwarder set ?Leftover during the upgrade phase> Can you ping the first DC from the second DC ?Yes, I can ping back and forth, I can telnet from second to first on port 88. Also, from what I could get in the server log, the second does correctly authenticate as Administrator, during kinit. Something I forgot to add, after I enter the password, the command remains on hold for something like 20 or 30s, after that time prints the error.> Download the script and run it on both your DC's and post the output > into a reply to this.Here they are, thanks: #### FIRST DC ##### Config collected --- 2022-07-14-13:50 ----------- Hostname: dc-contabo DNS Domain: wdc.domain.it Realm: WDC.DOMAIN.IT FQDN: dc-contabo.wdc.domain.it ipaddress: 75.119.x.y 192.168.8.1 10.8.0.1 ----------- This computer is running Ubuntu 20.04.4 LTS x86_64 ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:50:56:46:2e:11 brd ff:ff:ff:ff:ff:ff inet 75.119.x.y/19 brd 75.119.255.255 scope global eth0 inet6 fe80::250:56ff:fe46:2e11/64 scope link 3: eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether ba:25:80:99:69:d3 brd ff:ff:ff:ff:ff:ff inet 192.168.8.1/24 brd 192.168.8.255 scope global eth1 inet6 fe80::b825:80ff:fe99:69d3/64 scope link 4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100 link/none inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0 ----------- Checking file: /etc/hosts 127.0.0.1 localhost #127.0.1.1 vmi.contaboserver.net vmi # The following lines are desirable for IPv6 capable hosts #::1 localhost ip6-localhost ip6-loopback #ff02::1 ip6-allnodes #ff02::2 ip6-allrouters 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo 192.168.1.206 dclan.wdc.domain.it dclan ----------- Checking file: /etc/resolv.conf search wdc.domain.it nameserver 127.0.0.1 ----------- Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok, sample output: Server: 127.0.0.1 Address: 127.0.0.1#53 _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it. ----------- 'kinit Administrator' password checked failed. Wrong password or kerberos REALM problems. ----------- Samba is running as an AD DC ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = WDC.DOMAIN.IT dns_lookup_kdc = true dns_lookup_realm = false # TEST udp_preference_limit=1 ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files systemd group: files systemd shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Checking file: /etc/samba/smb.conf # Global parameters [global] dns forwarder = 1.1.1.1 netbios name = DC-CONTABO realm = WDC.DOMAIN.IT server role = active directory domain controller workgroup = WORKGROUP allow dns updates = disabled interfaces = eth1 bind interfaces only = yes server services = -dns log level = 1 auth_audit:3 auth_json_audit:3 kerberos:10 tls enabled = yes tls keyfile = tls/key.pem tls certfile = tls/cert.pem tls cafile = tls/ca.pem [sysvol] path = /var/lib/samba/sysvol read only = No [netlogon] path = /var/lib/samba/sysvol/wdc.domain.it/scripts read only = No ----------- This DC is not being used as a fileserver Detected bind DLZ enabled.. Checking file: /etc/bind/named.conf // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; ----------- Checking file: /etc/bind/named.conf.options options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. forwarders { 1.1.1.1; }; //======================================================================= // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================= allow-query { any;}; dnssec-validation no; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; minimal-responses yes; }; ----------- Checking file: /etc/bind/named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; dlz "domain.it" { # For BIND 9.9.0 database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so"; }; ----------- Checking file: /etc/bind/named.conf.default-zones // prime the server with knowledge of the root servers zone "." { type hint; file "/usr/share/dns/root.hints"; }; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; ----------- Samba DNS zone list check : wdc.domain.it _msdcs.wdc.domain.it ----------- ----------- This is the DC with the PDC Emulator role and time is: 2022-07-14T13:50:27 ----------- Installed packages: ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes ii bind9 1:9.16.1-0ubuntu2.10 amd64 Internet Domain Name Server ii bind9-dnsutils 1:9.16.1-0ubuntu2.10 amd64 Clients provided with BIND 9 ii bind9-host 1:9.16.1-0ubuntu2.10 amd64 DNS Lookup Utility ii bind9-libs:amd64 1:9.16.1-0ubuntu2.10 amd64 Shared Libraries used by BIND 9 ii bind9-utils 1:9.16.1-0ubuntu2.10 amd64 Utilities for BIND 9 ii dnsutils 1:9.16.1-0ubuntu2.10 all Transitional package for bind9-dnsutils ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5 ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT Kerberos ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Support library ii libnss-winbind:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba nameservice integration plugins ii libsmbclient:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 shared library for communication with SMB/CIFS servers ii libwbclient0:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba winbind client library ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3) ii python3-samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Python 3 bindings for Samba ii samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.15.7~dfsg-0ubuntu0~20.04 all common files used by both the Samba server and client ii samba-common-bin 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba core libraries ii samba-vfs-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Virtual FileSystem plugins ii smbclient 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 command-line SMB/CIFS clients for Unix ii winbind 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 service to resolve user and group information from Windows NT servers ----------- #### SECOND DC ##### Config collected --- 2022-07-14-13:52 ----------- Hostname: dc-lan DNS Domain: wdc.domain.it Realm: WDC.DOMAIN.IT FQDN: dc-lan.wdc.domain.it ipaddress: 192.168.1.206 ----------- This computer is running Ubuntu 20.04.4 LTS x86_64 ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 6e:03:dc:d8:bb:0f brd ff:ff:ff:ff:ff:ff inet 192.168.1.206/24 brd 192.168.1.255 scope global ens18 inet6 fe80::6c03:dcff:fed8:bb0f/64 scope link ----------- Checking file: /etc/hosts 127.0.0.1 localhost # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo 192.168.1.206 dc-lan.wdc.domain.it dclan ----------- Checking file: /etc/resolv.conf # This file is managed by man:systemd-resolved(8). Do not edit. # # This is a dynamic resolv.conf file for connecting local clients to the # internal DNS stub resolver of systemd-resolved. This file lists all # configured search domains. # # Run "resolvectl status" to see details about the uplink DNS servers # currently in use. # # Third party programs must not access this file directly, but only through the # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way, # replace this symlink by a static file or a different symlink. # # See man:systemd-resolved.service(8) for details about the supported modes of # operation for /etc/resolv.conf. nameserver 127.0.0.53 options edns0 trust-ad search wdc.domain.it domain ----------- systemd stub resolver detected, running command : systemd-resolve --status ----------- Global LLMNR setting: no MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no Current DNS Server: 192.168.8.1 DNS Servers: 192.168.8.1 DNS Domain: wdc.domain.it DNSSEC NTA: 10.in-addr.arpa 16.172.in-addr.arpa 168.192.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa corp d.f.ip6.arpa home internal intranet lan local private test Link 2 (ens18) Current Scopes: DNS DefaultRoute setting: yes LLMNR setting: yes MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no Current DNS Server: 192.168.8.1 DNS Servers: 192.168.8.1 DNS Domain: wdc.domain.it domain ----------- Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok, sample output: Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-contabo.wdc.domain.it. Authoritative answers can be found from: ----------- 'kinit Administrator' password checked failed. Wrong password or kerberos REALM problems. ----------- Samba is not being run as a DC or a Unix domain member. ----------- Checking file: /etc/krb5.conf [libdefaults] default_realm = WDC.DOMAIN.IT dns_lookup_kdc = false dns_lookup_realm = false [realms] WDC.DOMAIN.IT = { kdc = 127.0.0.1 kdc = 192.168.8.1 } ----------- Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files systemd group: files systemd shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ----------- Time on the DC with PDC Emulator role is: 2022-07-14T13:52:42 Time on this computer is: 2022-07-14T13:52:42 Time verified ok, within the allowed 300sec margin. Time offset is currently : 0 seconds ----------- Installed packages: ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5 ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT Kerberos ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Support library ii libnss-winbind:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba nameservice integration plugins ii libsmbclient:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 shared library for communication with SMB/CIFS servers ii libwbclient0:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba winbind client library ii python3-attr 19.3.0-2 all Attributes without boilerplate (Python 3) ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3) ii python3-samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Python 3 bindings for Samba ii samba 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 SMB/CIFS file, print, and login server for Unix ii samba-common 2:4.15.7~dfsg-0ubuntu0~20.04 all common files used by both the Samba server and client ii samba-common-bin 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba common files used by both the server and the client ii samba-dsdb-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Directory Services Database ii samba-libs:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba core libraries ii samba-vfs-modules:amd64 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 Samba Virtual FileSystem plugins ii smbclient 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 command-line SMB/CIFS clients for Unix ii winbind 2:4.15.7~dfsg-0ubuntu0~20.04 amd64 service to resolve user and group information from Windows NT servers ----------- -- Lorenzo Milesi - lorenzo.milesi at yetopen.com CTO @ YetOpen Srl YetOpen - https://www.yetopen.com/ Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA - Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary -------- D.Lgs. 196/2003 e GDPR 679/2016 -------- Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario. Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata. Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile. Grazie. Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.