Rick Schauer
2014-Apr-21 21:34 UTC
[Samba] Samba 4.1.6 and 4.1.7 Kerberos problem on Debian Linux
I am trying to set up an AD using a Linux server to get away from Windows Server 2008. So far I have tried the setup on both a Debian 7.4 64 bit machine, and a Raspberry Pi (Debian variant). I've tried both Samba stable versions 4.1.6 and 4.1.7, and they both give me the same results.

I followed the instructions to install the Samba 4 AD setup at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
I also went through the OS requirements on the Samba4 wiki.

Everything works great except the Kerberos test on the Samba4 AD server. I get the following error (XXXXX is substituted here for my domain):

# kinit administrator@XXXXX.LOCAL
Kinit: Cannot contact any KDC for realm 'XXXXX.LOCAL' while getting initial credentials.

All the other tests work fine, and there are no errors in the log files. I do get one for cups not getting a list of printers, but I don't have any set up yet.
I want to get past this problem first. I have tried it on two separate machines running Debian. Same results.

My Kerberos 5 version is 1.10.1 and my krb5.conf file looks like this:

[libdefaults]
    default_realm = XXXXX.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

The DNS and smbclient tests on the AD all return good results. I am using the Samba internal DNS. The Python version is 2.7.4. The acl and attr are working on my file system. I can run nslookup and get valid results for the AD server and external DNS names (yahoo.com as an example).

Could there be a problem with the version of the krb5-user package from the Debian distribution library not working with Samba4? Or some other dependent package? Or have I done something wrong?

Rick Schauer
L.P.H. van Belle
2014-Apr-23 06:55 UTC
[Samba] Samba 4.1.6 and 4.1.7 Kerberos problem on Debian Linux
Hai

Debian works fine with samba4.
If you want an easy setup look here: https://secure.bazuin.nl/scripts/

For your problem check the following.

For a DC config, can you check what's in the /etc/nsswitch.conf? It should be something like:

passwd: compat
group: compat
shadow: compat
hosts: files dns

Make sure /etc/hosts looks like this:

127.0.0.1 localhost
192.168.1.1 server.domain.tld server
::1 ip6-localhost ip6-loopback

and the /etc/resolv.conf:

search domain.tld
domain domain.tld
nameserver IP_AD_DC1
nameserver IP_AD_DC2

/etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = DOMAIN.TLD

and do the checks here: http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS

Are you running Samba DNS or BIND DNS?

And are any of these installed? ( dpkg --get-selections | grep avahi )

avahi-autoipd
avahi-daemon
avahi-discover
avahi-dnsconfd

If so, remove them, check the configs above, reboot your server and try again.

Best regards,
Louis

>-----Original message-----
>From: rschauer at dualhelix.net
>[mailto:samba-bounces at lists.samba.org] On behalf of Rick Schauer
>Sent: Monday 21 April 2014 23:35
>To: samba at lists.samba.org
>Subject: [Samba] Samba 4.1.6 and 4.1.7 Kerberos problem on
>Debian Linux
>
>I am trying to set up an AD using a Linux server to get away
>from Windows Server 2008. So far I have tried the setup on
>both a Debian 7.4 64 bit machine, and a Raspberry Pi (Debian
>variant). I've tried both Samba stable versions 4.1.6 and
>4.1.7, and they both give me the same results.
>
>I followed the instructions to install the Samba 4 AD setup at
>https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>I also went through the OS requirements on the Samba4 wiki.
>
>Everything works great except the Kerberos test on the Samba4
>AD server. I get the following error (XXXXX is substituted
>here for my domain):
>
># kinit administrator@XXXXX.LOCAL
>Kinit: Cannot contact any KDC for realm 'XXXXX.LOCAL' while
>getting initial credentials.
>
>All the other tests work fine, and there are no errors in the
>log files. I do get one for cups not getting a list of
>printers, but I don't have any set up yet.
>I want to get past this problem first. I have tried it on two
>separate machines running Debian. Same results.
>
>My Kerberos 5 version is 1.10.1 and my krb5.conf file looks like this:
>
>[libdefaults]
>    default_realm = XXXXX.LOCAL
>    dns_lookup_realm = false
>    dns_lookup_kdc = true
>
>The DNS and smbclient tests on the AD all return good results.
>I am using the Samba internal DNS. The Python version is
>2.7.4. The acl and attr are working on my file system. I can
>run nslookup and get valid results for the AD server and
>external DNS names (yahoo.com as an example).
>
>Could there be a problem with the version of the krb5-user
>package from the Debian distribution library not working with
>Samba4? Or some other dependent package? Or have I done
>something wrong?
>
>Rick Schauer
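An added example, not part of the original thread and not Samba project code: a small Python checker for the four files named in the reply above (/etc/nsswitch.conf, /etc/hosts, /etc/resolv.conf, /etc/krb5.conf). The function name, the sample file contents and the rule that default_realm equals the DC's DNS domain are assumptions made for this example.

```python
import ipaddress

def _lines(text):
    """Config lines with '#' comments and blank lines removed."""
    stripped = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [s for s in stripped if s]

def check_dc_name_resolution(nsswitch, hosts, resolv, krb5, fqdn, dc_ips):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # /etc/nsswitch.conf: only 'files' and 'dns' should resolve host names.
    for line in _lines(nsswitch):
        if line.startswith("hosts:"):
            extra = [s for s in line.split()[1:] if s not in ("files", "dns")]
            if extra:
                findings.append("nsswitch hosts has extra sources: " + " ".join(extra))
    # /etc/hosts: the DC's FQDN must not sit on a loopback address.
    for line in _lines(hosts):
        addr, *names = line.split()
        if fqdn in names and ipaddress.ip_address(addr).is_loopback:
            findings.append(f"/etc/hosts maps {fqdn} to loopback {addr}")
    # /etc/resolv.conf: every nameserver must be one of the AD DCs.
    for parts in map(str.split, _lines(resolv)):
        if parts[0] == "nameserver" and parts[1:] and parts[1] not in dc_ips:
            findings.append(f"resolv.conf nameserver {parts[1]} is not an AD DC")
    # /etc/krb5.conf: KDC discovery through DNS must be switched on.
    opts = dict((k.strip(), v.strip()) for k, v in
                (l.split("=", 1) for l in _lines(krb5) if "=" in l))
    if opts.get("dns_lookup_kdc", "").lower() != "true":
        findings.append("krb5.conf dns_lookup_kdc is not true")
    # Assumption: the realm is the DC's DNS domain in upper case.
    realm = opts.get("default_realm", "")
    if realm.lower() != fqdn.split(".", 1)[1].lower():
        findings.append(f"default_realm {realm!r} does not match domain of {fqdn}")
    return findings

# Constructed sample: the values recommended in the reply above.
GOOD = dict(
    nsswitch="passwd: compat\nhosts: files dns\n",
    hosts="127.0.0.1 localhost\n192.168.1.1 server.domain.tld server\n",
    resolv="search domain.tld\nnameserver 192.168.1.1\n",
    krb5="[libdefaults]\n dns_lookup_kdc = true\n default_realm = DOMAIN.TLD\n",
)
# Constructed sample: mDNS source, FQDN on loopback, resolver not a DC.
BAD = dict(GOOD,
    nsswitch="hosts: files mdns4_minimal [NOTFOUND=return] dns\n",
    hosts="127.0.0.1 localhost\n127.0.1.1 server.domain.tld server\n",
    resolv="nameserver 192.168.1.254\n")
```

Call it with the real file contents, the DC's FQDN and the set of DC addresses, for example `check_dc_name_resolution(fqdn="server.domain.tld", dc_ips={"192.168.1.1"}, **BAD)`.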
Rowland Penny
2014-Apr-23 08:20 UTC
[Samba] Samba 4.1.6 and 4.1.7 Kerberos problem on Debian Linux
On 21/04/14 22:34, Rick Schauer wrote:
> I am trying to set up an AD using a Linux server to get away from Windows Server 2008. So far I have tried the setup on both a Debian 7.4 64 bit machine, and a Raspberry Pi (Debian variant). I've tried both Samba stable versions 4.1.6 and 4.1.7, and they both give me the same results.
>
> I followed the instructions to install the Samba 4 AD setup at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
> I also went through the OS requirements on the Samba4 wiki.
>
> Everything works great except the Kerberos test on the Samba4 AD server. I get the following error (XXXXX is substituted here for my domain):
>
> # kinit administrator@XXXXX.LOCAL
> Kinit: Cannot contact any KDC for realm 'XXXXX.LOCAL' while getting initial credentials.
>
> All the other tests work fine, and there are no errors in the log files. I do get one for cups not getting a list of printers, but I don't have any set up yet.
> I want to get past this problem first. I have tried it on two separate machines running Debian. Same results.
>
> My Kerberos 5 version is 1.10.1 and my krb5.conf file looks like this:
>
> [libdefaults]
>     default_realm = XXXXX.LOCAL
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> The DNS and smbclient tests on the AD all return good results. I am using the Samba internal DNS. The Python version is 2.7.4. The acl and attr are working on my file system. I can run nslookup and get valid results for the AD server and external DNS names (yahoo.com as an example).
>
> Could there be a problem with the version of the krb5-user package from the Debian distribution library not working with Samba4? Or some other dependent package? Or have I done something wrong?
>
> Rick Schauer
>

What have you got in /etc/resolv.conf?

Rowland