On 10.03.2015 21:43, Rowland Penny wrote:
> I wonder if it is a time problem, does 'date' return the same time
> (allowing for being run on different machines), they need to be very
> close together.
>
> Rowland

Time seems okay, the system is getting it from the first DC, but I found something interesting in the serverlog:

Not authoritative for '_kerberos.dilken.eu', forwarding
[2015/03/10 22:31:34.148561, 2] ../source4/dns_server/dns_query.c:629(dns_server_process_query_send)

Seems that net ads does not correctly set domain name and/or realm. The DNS-question should be _kerberos.ad.dilken.eu for which the DNS is authoritative...

Greetings,

Roman

On 10/03/15 21:36, Roman Dilken wrote:
> On 10.03.2015 21:43, Rowland Penny wrote:
>
>> I wonder if it is a time problem, does 'date' return the same time
>> (allowing for being run on different machines), they need to be very
>> close together.
>>
>> Rowland
>
> Time seems okay, the system is getting it from the first DC, but I found
> something interesting in the serverlog:
>
> Not authoritative for '_kerberos.dilken.eu', forwarding
> [2015/03/10 22:31:34.148561, 2] ../source4/dns_server/dns_query.c:629(dns_server_process_query_send)
>
> Seems that net ads does not correctly set domain name and/or realm. The
> DNS-question should be _kerberos.ad.dilken.eu for which the DNS is
> authoritative...
>
> Greetings,
>
> Roman

Hmm, it should actually be _kerberos._udp.ad.dilken.eu, what is in /etc/krb5.conf on the two DCs, also what is smb.conf on the two DCs

Rowland

smb.conf and krb5.conf on dc2:

# Global parameters
[global]
    workgroup = AD
    realm = ad.dilken.eu
    netbios name = DC2
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    log level = 5

[netlogon]
    path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = AD.DILKEN.EU

smb.conf and krb5.conf on raspberry-pi:

[libdefaults]
    default_realm = AD.DILKEN.EU
    dns_lookup_realm = true
    dns_lookup_kdc = true

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

# Global parameters
[global]
    workgroup = AD
    realm = AD.DILKEN.EU
    netbios name = RASPBERRY-PI
    server role = active directory domain controller
    dns forwarder = 192.71.247.247
    idmap_ldb:use rfc2307 = yes
    log level = 5

[netlogon]
    path = /var/lib/samba/sysvol/ad.dilken.eu/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

I'll check the DNS entries later again.

Greetings

On 10.03.2015 at 22:55, Rowland Penny wrote:
> Hmm, it should actually be _kerberos._udp.ad.dilken.eu, what is in /etc/krb5.conf on the two DCs, also what is smb.conf on the two DCs
>
> Rowland
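
The check discussed in this thread, as an added example that is not part of the original messages or of Samba: it reads the realm from smb.conf, lists the Kerberos SRV names expected for it, and picks out forwarded lookups for AD service names that fall outside the DC's zone. The function names are hypothetical, the zone is assumed to be the lower-cased realm, and the sample input is constructed from values quoted above.

```python
import re

# First labels of DNS names that AD clients use for service discovery.
AD_LABELS = ("_kerberos", "_kpasswd", "_ldap", "_gc")

def realm_from_smb_conf(text):
    """Return the lower-cased 'realm' value from the [global] section of smb.conf text."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "global" and key.strip().lower() == "realm":
            return value.strip().lower()
    return None

def expected_kdc_srv_names(zone):
    """SRV owner names a Kerberos client queries for the realm when dns_lookup_kdc = true."""
    return [f"_kerberos.{proto}.{zone}" for proto in ("_udp", "_tcp")]

def forwarded_service_lookups(log_text, zone):
    """AD service names the DNS server forwarded because they lie outside its zone."""
    hits = []
    for name in re.findall(r"Not authoritative for '([^']+)', forwarding", log_text):
        name = name.rstrip(".").lower()
        in_zone = name == zone or name.endswith("." + zone)
        if not in_zone and name.split(".")[0] in AD_LABELS:
            hits.append(name)
    return hits

# Constructed sample input: realm and first log entry as quoted in the thread,
# second log entry invented to show an ordinary forwarded lookup being ignored.
SMB_CONF = "[global]\n    workgroup = AD\n    realm = AD.DILKEN.EU\n"
LOG = ("[2015/03/10 22:31:34.148561, 2] ../source4/dns_server/dns_query.c:629"
       "(dns_server_process_query_send)\n"
       "  Not authoritative for '_kerberos.dilken.eu', forwarding\n"
       "  Not authoritative for 'www.example.org', forwarding\n")

if __name__ == "__main__":
    zone = realm_from_smb_conf(SMB_CONF)  # assumption: zone == lower-cased realm
    print("zone:", zone)
    print("expected SRV names:", expected_kdc_srv_names(zone))
    print("forwarded AD service lookups:", forwarded_service_lookups(LOG, zone))
```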