Danny Fedor
2013-Oct-13 16:07 UTC
[Samba] kinit user works, kinit user@domain.local doesn't
I'm running Samba 4.0.10 on Ubuntu Server 12.04.3 x64.
Samba was installed from source and provisioned with internal DNS as PDC of
the domain domain.local. Users were mapped through pam.

I created a new user (user@domain.local) and joined a winxp workstation
(workstation.domain.local). It seems kerberos is working since the user can
log in to the workstation without any problem using user@domain.local. Same
with DNS: if I try "ping pdc.domain.local", the name is resolved correctly,
as well as with just "ping pdc".

However, if I run "ping workstation.domain.local" from pdc, I get "unknown
host", though "ping workstation" works. Similarly, if I run "kinit user", I
get a ticket, but "kinit user@domain.local" produces
"Cannot contact any KDC for realm 'domain.local' while getting initial
credentials".

A probably related issue is with samba_dnsupdate. Running
"sudo /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names"
gives
"RuntimeError: kinit for PDC$@DOMAIN.LOCAL failed (Cannot contact any KDC
for requested realm)".
"sudo host -t SRV _kerberos._udp.domain.local."
gives
"_kerberos._udp.domain.local has SRV record 0 100 88 pdc.domain.local."
so it seems there is a correct record for the KDC in DNS. I've read that this
issue can be caused by a wrong DNS setting in resolv.conf.

My /etc/resolv.conf (and /etc/resolvconf/resolv.conf.d/tail) is:

    domain domain.local
    nameserver 127.0.0.1

and my /etc/hosts:

    127.0.0.1 localhost.localdomain localhost
    127.0.1.1 pdc.domain.local pdc
    #network interface eth0:
    192.168.1.67 pdc.domain.local pdc

So even here everything looks ok.

My krb5.conf:

    [libdefaults]
        default_realm = DOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
        forwardable = true

    [realms]
        DOMAIN.LOCAL = {
            kdc = pdc.domain.local
            admin_server = pdc.domain.local
        }

    [domain_realm]
        .domain.local = DOMAIN.LOCAL
        domain.local = DOMAIN.LOCAL

My smb.conf:

    [global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        netbios name = PDC
        server role = active directory domain controller
        server role check:inhibit = yes
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
        template shell = /bin/bash
        security = user
        map to guest = bad user
        guest account = nobody
        encrypt passwords = yes
        allow dns updates = True
        dns forwarder = 217.119.113.244
        interfaces = 127.0.1.1/8 eth0 lo
        bind interfaces only = yes
        logon path = \\%L\profiles\%U\%a
        logon drive = P:
        wins support = yes
        name resolve order = wins host bcast
        load printers = yes
        printing = cups
        printcap name = cups

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
--
View this message in context:
http://samba.2283325.n4.nabble.com/kinit-user-works-kinit-user-domain-local-doesn-t-tp4654989.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rob Townley
2013-Oct-13 21:15 UTC
[Samba] kinit user works, kinit user@domain.local doesn't
Try appending a dot character to the end and put it in domain_realm mapping.
Let us know.

kinit user@domain.local.

On Oct 13, 2013 11:08 AM, "Danny Fedor" <lubomirf.vav at gmail.com> wrote:
> [...]
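The thread turns on how the Kerberos library picks a realm: "kinit user" takes default_realm (DOMAIN.LOCAL), while "kinit user@domain.local" asks for the realm literally named "domain.local", and realm names are case-sensitive. As an added example (not code from either poster or from Samba or MIT krb5), the Python below parses the krb5.conf posted above, embedded here as a constructed string, and reports which realm a principal or a host name resolves to and whether that realm has a [realms] stanza. The [domain_realm] matching order and the SRV name it derives are my approximation of MIT krb5's behaviour; the script does no network lookups.

```python
"""Added example (not part of the thread): parse the posted krb5.conf and
show which Kerberos realm a kinit principal or a host name resolves to.
Realm names are case-sensitive, so 'user@domain.local' requests the realm
'domain.local', which is not the configured 'DOMAIN.LOCAL'."""

import re

# The krb5.conf from the thread, embedded as a constructed string.
KRB5_CONF = """
[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    forwardable = true

[realms]
    DOMAIN.LOCAL = {
        kdc = pdc.domain.local
        admin_server = pdc.domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
"""


def parse_krb5_conf(text):
    """Parse MIT-style krb5.conf into nested dicts.

    Returns {section: {key: value}}; a brace-delimited stanza such as
    'DOMAIN.LOCAL = { ... }' inside [realms] becomes a nested dict."""
    conf = {}
    section = None   # dict for the current [section]
    stanza = None    # dict for the current '{ ... }' block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            stanza = None
            continue
        if section is None:
            raise ValueError("key outside any [section]: %r" % line)
        if line == "}":
            stanza = None
            continue
        if line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            stanza = section.setdefault(name, {})
            continue
        key, _, value = line.partition("=")
        (stanza if stanza is not None else section)[key.strip()] = value.strip()
    return conf


def realm_for_principal(conf, principal):
    """Return (realm, configured) for the realm kinit would request.

    An explicit '@realm' suffix is used literally, case preserved; without
    one, libdefaults/default_realm applies. 'configured' says whether that
    exact realm string has a [realms] stanza."""
    if "@" in principal:
        realm = principal.rsplit("@", 1)[1]
    else:
        realm = conf["libdefaults"]["default_realm"]
    return realm, realm in conf.get("realms", {})


def kdc_sources(conf, realm):
    """Where a KDC for `realm` would be looked for: the static kdc= entry if
    the stanza exists, otherwise the SRV name consulted when dns_lookup_kdc
    is true (an approximation of MIT krb5's lookup, not a live query)."""
    stanza = conf.get("realms", {}).get(realm)
    if stanza and "kdc" in stanza:
        return "static", stanza["kdc"]
    if conf.get("libdefaults", {}).get("dns_lookup_kdc", "").lower() == "true":
        return "dns", "_kerberos._udp." + realm.rstrip(".")
    return "none", None


def realm_for_host(conf, host):
    """Map a host name through [domain_realm].

    Tries the exact name, then each parent domain with and without its
    leading dot, longest suffix first (an approximation of MIT krb5's
    order). Returns None when nothing matches."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    name = host.lower().rstrip(".")
    labels = name.split(".")
    candidates = [name]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates += ["." + parent, parent]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    return None


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for p in ("user", "user@domain.local", "user@DOMAIN.LOCAL"):
        realm, ok = realm_for_principal(conf, p)
        print("%-20s realm=%-13s stanza=%-5s kdc=%s" % (p, realm, ok, kdc_sources(conf, realm)))
    for h in ("workstation.domain.local", "pdc", "host.example.net"):
        print("%-25s -> %s" % (h, realm_for_host(conf, h)))
```

Running it shows "user" and "user@DOMAIN.LOCAL" landing on the configured stanza with its static kdc entry, while "user@domain.local" names a realm with no stanza at all, so only a DNS SRV lookup could find a KDC for it; it also shows that a fully qualified workstation name maps to DOMAIN.LOCAL through the ".domain.local" entry, whereas a bare short name such as "pdc" matches nothing in [domain_realm].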