Lars Hanke
2014-Jun-02 16:21 UTC
[Samba] Fresh ADC: Failed DNS update - NT_STATUS_ACCESS_DENIED
I hopefully cleared all SAMBA files and set up a fresh ADC using:

samba-tool domain provision --use-rfc2307 --domain=UAC --realm=UAC.MGR --server-role=dc --dns-backend=SAMBA_INTERNAL --targetdir=/srv/files --adminpass="secret" --option="dns forwarder=172.16.6.11"

The provisioning seemed okay, i.e. nothing hints at any errors and I see a DOMAIN SID as the final entry as well as a fresh smb.conf in /srv/files/etc. When I start this setup the following happens:

root at samba:/# samba -i -M single -s /srv/files/etc/smb.conf
samba version 4.1.7-Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
samba: using 'single' process model
Attempting to autogenerate TLS self-signed keys for https for hostname 'SAMBA.uac.mgr'
TLS self-signed keys generated OK
/usr/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 510, in <module>
/usr/sbin/samba_dnsupdate: get_credentials(lp)
/usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 123, in get_credentials
/usr/sbin/samba_dnsupdate: raise e
/usr/sbin/samba_dnsupdate: RuntimeError: kinit for SAMBA$@UAC.MGR failed (Cannot contact any KDC for requested realm)
/usr/sbin/samba_dnsupdate: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED
^C

Shouldn't SAMBA be its own KDC? How to fix this?

Thanks for your help,
- lars.

Joe Zacky
2014-Jun-03 18:50 UTC
[Samba] Fresh ADC: Failed DNS update - NT_STATUS_ACCESS_DENIED
On 6/2/2014 9:21 AM, Lars Hanke wrote:
> I hopefully cleared all SAMBA files and set up a fresh ADC using:
>
> samba-tool domain provision --use-rfc2307 --domain=UAC --realm=UAC.MGR
> --server-role=dc --dns-backend=SAMBA_INTERNAL --targetdir=/srv/files
> --adminpass="secret" --option="dns forwarder=172.16.6.11"
>
> The provisioning seemed okay, i.e. nothing hints at any errors and I
> see a DOMAIN SID as the final entry as well as a fresh smb.conf in
> /srv/files/etc. When I start this setup the following happens:
>
> root at samba:/# samba -i -M single -s /srv/files/etc/smb.conf
> samba version 4.1.7-Debian started.
> Copyright Andrew Tridgell and the Samba Team 1992-2013
> samba: using 'single' process model
> Attempting to autogenerate TLS self-signed keys for https for hostname
> 'SAMBA.uac.mgr'
> TLS self-signed keys generated OK
> /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
> /usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line
> 510, in <module>
> /usr/sbin/samba_dnsupdate: get_credentials(lp)
> /usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line
> 123, in get_credentials
> /usr/sbin/samba_dnsupdate: raise e
> /usr/sbin/samba_dnsupdate: RuntimeError: kinit for SAMBA$@UAC.MGR
> failed (Cannot contact any KDC for requested realm)
> /usr/sbin/samba_dnsupdate:
> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
> NT_STATUS_ACCESS_DENIED
> ^C
>
> Shouldn't SAMBA be its own KDC? How to fix this?
>
> Thanks for your help,
> - lars.
>

I had the same error on a fresh install.

root at addc1:~# samba -i -M single
samba version 4.1.6-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
samba: using 'single' process model
/usr/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 510, in <module>
/usr/sbin/samba_dnsupdate: get_credentials(lp)
/usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 123, in get_credentials
/usr/sbin/samba_dnsupdate: raise e
/usr/sbin/samba_dnsupdate: RuntimeError: kinit for ADDC1$@LAN.ZACKY.COM failed (Cannot contact any KDC for requested realm)
/usr/sbin/samba_dnsupdate: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED

The fix for me was to update /etc/resolv.conf and replace the dns forwarder address with the address of the local AD server (this computer).

# cat /etc/resolv.conf
nameserver 10.100.15.26
domain lan.zacky.com

Joe

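A check for the misconfiguration the reply above describes, as an added example that is not part of either post: it compares the first nameserver in resolv.conf with the DC's own address and with the "dns forwarder" set in smb.conf. The function names and the DC address 172.16.6.10 are assumptions; 172.16.6.11 is the forwarder from the first post.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the DC resolves through
# itself and not through the address configured as "dns forwarder".

# Print the first nameserver address from a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Print the first address of the "dns forwarder" option in an smb.conf.
dns_forwarder() {
    sed -n 's/^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_dc_resolver RESOLV_CONF SMB_CONF DC_IP
# Returns 0 when the first nameserver is the DC's own address, 1 otherwise.
check_dc_resolver() {
    ns=$(first_nameserver "$1")
    fwd=$(dns_forwarder "$2")
    if [ -z "$ns" ]; then
        echo "FAIL: no nameserver entry in $1"
        return 1
    fi
    if [ "$ns" = "$3" ]; then
        echo "OK: resolver $ns is this DC"
        return 0
    fi
    if [ -n "$fwd" ] && [ "$ns" = "$fwd" ]; then
        echo "FAIL: resolver $ns is the dns forwarder, not this DC ($3)"
        return 1
    fi
    echo "FAIL: resolver $ns is not this DC ($3)"
    return 1
}

# Constructed sample files: forwarder address from the first post,
# DC address 172.16.6.10 made up for the example.
tmp=$(mktemp -d)
printf '[global]\n\tdns forwarder = 172.16.6.11\n' > "$tmp/smb.conf"
printf 'nameserver 172.16.6.11\ndomain uac.mgr\n' > "$tmp/resolv.bad"
printf 'nameserver 172.16.6.10\ndomain uac.mgr\n' > "$tmp/resolv.good"
check_dc_resolver "$tmp/resolv.bad"  "$tmp/smb.conf" 172.16.6.10 || true
check_dc_resolver "$tmp/resolv.good" "$tmp/smb.conf" 172.16.6.10
```

On a real DC, pass /etc/resolv.conf, the provisioned smb.conf (here /srv/files/etc/smb.conf) and the server's own address.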