samba - Jul 2022 - Kerberos kinit not running

root at TestAD:/home/maurizio# samba-tool testparm
INFO 2022-07-20 22:05:23,177 pid:846 
/usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb 
config files from /etc/samba/smb.conf
INFO 2022-07-20 22:05:23,178 pid:846 
/usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded 
services file OK.
Press enter to see a dump of your service definitions

# Global parameters
[global]
 ??????? netbios name = TESTAD
 ??????? realm = CALORO.M
 ??????? server role = active directory domain controller
 ??????? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
 ??????? winbind expand groups = 2
 ??????? workgroup = CALORO
 ??????? idmap_ldb:use rfc2307 = yes

[sysvol]
 ??????? path = /var/lib/samba/sysvol
 ??????? read only = No

[netlogon]
 ??????? path = /var/lib/samba/sysvol/testad.caloro.m/scripts
 ??????? read only = No
root at TestAD:/home/maurizio#

--

root at TestAD:/etc/bind# cat named.conf.options
options {
 ??????? directory "/var/cache/bind";

 ??????? // If there is a firewall between you and nameservers you want
 ??????? // to talk to, you may need to fix the firewall to allow multiple
 ??????? // ports to talk.? See http://www.kb.cert.org/vuls/id/800113

 ??????? // If your ISP provided one or more IP addresses for stable
 ??????? // nameservers, you probably want to use them as forwarders.
 ??????? // Uncomment the following block, and insert the addresses 
replacing
 ??????? // the all-0's placeholder.

 ??????? forwarders {
 ??????????????? 8.8.8.8;
 ??????? };

//=======================================================================
??????? // If BIND logs error messages about the root key being expired,
 ??????? // you will need to update your keys.? See 
https://www.isc.org/bind-keys
//=======================================================================
??????? dnssec-validation auto;

 ??????? listen-on { any; };
 ??????? empty-zones-enable no;
 ??????? // https://wiki.samba.org/index.php/Dns-backend_bind
 ??????? tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
 ??????? minimal-responses yes;
};

--

root at TestAD:/etc/bind# vi /etc/krb5.conf
[libdefaults]
 ??????? default_realm = CALORO.M
 ??????? dns_lookup_kdc = yes
 ??????? dns_lookup_realm = no
 ??????? ticket_lifetime = 24h


Am 20.07.2022 um 22:50 schrieb Rowland Penny via samba:
> On Wed, 2022-07-20 at 22:32 +0200, Maurizio Caloro via samba wrote:
>> root at TestAD:/home/maurizio# cat /etc/bind/named.conf
>> // This is the primary configuration file for the BIND DNS server
>> named.
>> //
>> // Please read /usr/share/doc/bind9/README.Debian.gz for information
>> on the
>> // structure of BIND configuration files in Debian, *BEFORE* you
>> customize
>> // this configuration file.
>> //
>> // If you are just adding zones, please do that in
>> /etc/bind/named.conf.local
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/bind-dns/named.conf";
>>
>> root at TestAD:/home/maurizio# cat /etc/bind/named.conf.local
>> //
>> // Do any local configuration here
>> //
>>
>> // Consider adding the 1918 zones here, if they are not used in your
>> // organization
>> include "/etc/bind/zones.rfc1918";
>>
>> zone "caloro.m" {
>>           type master;
>>           file "/etc/bind/caloro.m";
>>           };
>>
>> zone "10.168.192.in-addr.arpa" {
>>           type master;
>>           file "/etc/bind/reverse.caloro.m";
>>           };
>>
>>
> Please remove the zones you added to named.conf.local, they are
> flatfiles and have no place in a DC's Bind9 conf files, they are stored
> in AD.
>
>> root at TestAD:/home/maurizio# cat /etc/bind/caloro.m
> Remove that as well.
>
> Please post the contents of /etc/bind/named.conf.options.
>
>> --
>>
>> root at TestAD:/home/maurizio# testparm -s
> Sorry, I should have said 'samba-tool testparm', but never mind, it
has
> shown your major error.
>
>> Load smb config files from /etc/samba/smb.conf
>> Loaded services file OK.
>> Weak crypto is allowed
>>
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> # Global parameters
>> [global]
>>           passdb backend = samba_dsdb
>>           realm = TESTAD.CALORO.M
> You have 'default_realm = CALORO.M' in /etc/krb5.conf,
> 'TESTAD.CALORO.M' != 'CALORO.M', which is it ?
>
> Rowland
>
>
>

On Wed, 2022-07-20 at 23:18 +0200, Maurizio Caloro via samba
wrote:
> root at TestAD:/home/maurizio# samba-tool testparm
> INFO 2022-07-20 22:05:23,177 pid:846 
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded
> smb 
> config files from /etc/samba/smb.conf
> INFO 2022-07-20 22:05:23,178 pid:846 
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded 
> services file OK.
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>          netbios name = TESTAD
>          realm = CALORO.M
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>          winbind expand groups = 2
>          workgroup = CALORO
>          idmap_ldb:use rfc2307 = yes
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/testad.caloro.m/scripts
If you run 'hostname -d', does it return 'testad.caloro.m' ?
> 
> --
> 
> root at TestAD:/etc/bind# cat named.conf.options
Try this version:

options {
    directory "/var/cache/bind";

    recursion yes;
    forwarders {
            8.8.8.8;
    };
 
    dnssec-enable no;
    dnssec-validation no;
 
    listen-on { any; };
    notify no;
    auth-nxdomain yes;
    empty-zones-enable no;
    minimal-responses yes;
    // https://wiki.samba.org/index.php/Dns-backend_bind
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

Rowland