sambalist.1.olol13 at spamgourmet.com
2015-Mar-19 07:48 UTC
[Samba] Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Good morning!
First of all thanks Rowland for the fast answer yesterday! I realized that
samba-technical might have been the wrong mailing list and switched it to
the normal samba users list (hopefully it worked, as it does get a bit
confusing with spamgourmet's sendto addresses!). Unfortunately the problem
with samba_dnsupdate remains after the changes.
I did change the smb.conf, krb5.conf, and hosts as requested. I am pretty
new to both samba and linux and added most lines that looked promising from
other threads. Expected the DC itself to be able to join the domain
(again), as I remembered it to be possible after a classicupgrade with the
samba internal dns.
Regarding BIND, I am using version 9.9 on Debian Jessie and read it is not
necessary to build it yourself and configure it with dlopen (see here
<https://lists.samba.org/archive/samba/2015-January/188049.html>).
The driver is supposedly included and also seems to load alright:
named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz
19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver
19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen'
19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen'
19-Mar-2015 08:05:26.405 Loading SDLZ driver.
19-Mar-2015 08:05:26.646 samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net
19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully.
19-Mar-2015 08:05:26.646 DLZ driver loaded successfully.
19-Mar-2015 08:05:26.646 samba_dlz: starting configure
19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone '11.168.192.in-addr.arpa'
19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone 'intranet.mayweg.net'
19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone '_msdcs.intranet.mayweg.net'
The error for samba_dnsupdate --all-names remains (btw, without --all-names
it works):
ldb: Destroying timer event 0x233f310 "ltdb_timeout"
ldb: Ending timer event 0x1d2bb70 "ltdb_callback"
Traceback (most recent call last):
File "/usr/sbin/samba_dnsupdate", line 612, in <module>
get_credentials(lp)
File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
raise e
RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot contact any KDC for requested realm)
Again, I'm very grateful for any hints where the problem could originate
from.
Greetings,
Timo
On 18 March 2015 at 19:57, Rowland Penny - repenny241155 at gmail.com <
sambalist.olol13.20ba6b371d.repenny241155#gmail.com at ob.0sg.net> wrote:
> On 18/03/15 17:05, sambalist.1.olol13 at spamgourmet.com wrote:
>
>> Hello,
>>
>> I am trying to upgrade a Samba 3 DC to a Samba 4 AD DC with BIND9_DLZ
>> backend on Debian Jessie. Before I was using tinydns on a different server
>> and want to replace it with BIND.
>> I'm trying this with copies of virtual machines in a different subnet (The
>> debian jessie AD DC and DNS, a Win7 Client used for RSAT tools
>> administration, a debian squeezy file server that is part of the domain
>> and
>> an xp client).
>> For the most part the new configuration is working, a lot thanks to
>> exploration of the wiki and the mailing list archives, but I cannot
>> resolve
>> the hostnames of domain members and think it is because dynamic DNS
>> updates
>> through kerberos aren't working.
>>
>> When I try "samba_dnsupdate --verbose --all-names", I get the following
>> error:
>> ldb: Destroying timer event 0x1a42d10 "ltdb_timeout"
>> ldb: Ending timer event 0x1859f30 "ltdb_callback"
>> Traceback (most recent call last):
>> File "/usr/sbin/samba_dnsupdate", line 612, in <module>
>> get_credentials(lp)
>> File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
>> raise e
>> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot
>> contact any KDC for requested realm)
>>
>> I can join the domain with windows & linux machines and administer it and
>> the dns server with RSAT tools. Neither SELinux nor Apparmor are present.
>>
>> The dns tests from the samba ad dc howto
>> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend>
>> were all successful:
>> host -t SRV _ldap._tcp.intranet.mayweg.net.
>> _ldap._tcp.intranet.mayweg.net has SRV record 0 100 389
>> server06.intranet.mayweg.net.
>> host -t SRV _kerberos._udp.intranet.mayweg.net.
>> _kerberos._udp.intranet.mayweg.net has SRV record 0 100 88
>> server06.intranet.mayweg.net.
>> host -t A server06.intranet.mayweg.net.
>> server06.intranet.mayweg.net has address 192.168.11.250
>>
>> I can resolve the server06.intranet.mayweg.net and intranet.mayweg.net on
>> all machines, but hostnames of machines I joined to the domain are not
>> resolvable from other domain members. A linux machine that joined had the
>> output:
>> Joined 'SERVER13' to realm 'intranet.mayweg.net'
>> DNS update failed!
>>
>> I can get kerberos tickets on all machines, and join the domain using net
>> ads join from all of them but the ad dc itself.
>> On server06 "net ads join -Uadministrator" returns
>> Failed to join domain: This operation is only allowed for the PDC of the
>> domain. Maybe this has something to do with the dns updates not working.
>>
>
> You do not run 'net ads join' on a DC, the provision does it for you (or
> as in your case, the upgrade procedure)
>
>
>>
>> I'll follow up with version info and configuration files (interfaces,
>> resolv.conf, hosts, smb.conf, krb5.conf, named.conf).
>> Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT
>> implementations of krb5-admin-server and krb5-kdc installed and configured
>> until I realized Samba4 brings the heimdal implementation of kerberos with
>> it. I uninstalled the MIT parts afterwards. Configuration files:
>>
>>
>> /etc/network/interfaces:
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>> address 192.168.11.250
>> netmask 255.255.255.0
>> network 192.168.11.0
>> broadcast 192.168.11.255
>>
>>
>> /etc/resolv.conf:
>> nameserver 192.168.11.250 #had 127.0.0.1 before with the same error
>> domain intranet.mayweg.net
>>
>>
>> /etc/hosts:
>> 127.0.0.1 localhost localhost.localdomain
>> 192.168.11.250 server06.intranet.mayweg.net server06 krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net
>>
>
> Remove everything from the '192.168.11.250' line from 'krb' onwards, they
> shouldn't be there.
>
>
>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>>
>> /etc/samba/smb.conf:
>> [global]
>> workgroup = MAYWEG.NET
>> realm = INTRANET.MAYWEG.NET
>> netbios name = SERVER06
>> interfaces = lo, eth0
>> bind interfaces only = Yes
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> #added after classicupgrade
>> kerberos method = system keytab
>> client ldap sasl wrapping = sign
>> allow dns updates = nonsecure and secure
>> nsupdate command = /usr/bin/nsupdate -g
>> domain logons = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>>
> remove everything you added to smb.conf
>
>> /etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf):
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = true #changed to true
>> dns_lookup_kdc = true
>>
>> #added after classicupgrade
>>
>> [realms]
>> INTRANET.MAYWEG.NET = {
>> kdc = krb.intranet.mayweg.net
>> admin_server = krb.intranet.mayweg.net
>> default_domain = intranet.mayweg.net
>> }
>>
>> [domain_realm]
>>
>> .intranet.mayweg.net = INTRANET.MAYWEG.NET
>> intranet.mayweg.net = INTRANET.MAYWEG.NET
>>
>> [logging]
>> kdc = FILE:/var/log/kerberos/krb5kdc.log
>> admin_server = FILE:/var/log/kerberos/kadmin.log
>> default = FILE:/var/log/kerberos/krb5lib.log
>>
>>
> Change krb5.conf back to what it was.
>
>
>> /etc/bind/named.conf (copied together from the includes...):
>> zone "." {
>> type hint;
>> file "/etc/bind/db.root";
>> };
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> };
>> dlz "AD DNS Zone" {
>> # For BIND 9.8.x
>> # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>>
>> # For BIND 9.9.x
>> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>
>> # For BIND 9.10.x
>> # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
>> };
>> logging {
>> channel update_debug {
>> file "/var/log/update_debug.log" versions 3 size 100k;
>> severity debug;
>> print-severity yes;
>> print-time yes;
>> };
>> channel security_info {
>> file "/var/log/security_info.log" versions 1 size 100k;
>> severity info;
>> print-severity yes;
>> print-time yes;
>> };
>> channel bind_log {
>> file "/var/log/bind.log" versions 3 size 1m;
>> severity info;
>> print-category yes;
>> print-severity yes;
>> print-time yes;
>> };
>>
>> category default { bind_log; };
>> category lame-servers { null; };
>> category update { update_debug; };
>> category update-security { update_debug; };
>> category security { security_info; };
>> };
>> options {
>> directory "/var/named";
>> recursion yes;
>> dnssec-validation auto;
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> auth-nxdomain yes;
>> notify no;
>> empty-zones-enable no;
>> allow-query {
>> 127.0.0.1;
>> 192.168.11.0/24;
>> # add other networks you want to allow to query your DNS
>> };
>> allow-query-cache {
>> 127.0.0.1;
>> 192.168.11.0/24;
>> # add other networks you want to allow to query your DNS
>> };
>> allow-recursion {
>> 192.168.11.0/24;
>> 127.0.0.1;
>> # add other networks you want to allow to do recursive queries
>> };
>> forwarders {
>> # Google public DNS server here - replace with your own if necessary
>> };
>> allow-transfer {
>> # this config is for a single master DNS server
>> none;
>> };
>> };
>>
>> I hope I provided all the necessary information and am grateful for any
>> hints on where to look for a fix to this problem.
>>
>> Greetings,
>> Timo
>>
>
> Finally, was the version of bind you are using configured with dlopen ?
>
> Rowland
>
>
>
sambalist.1.olol13 at spamgourmet.com
2015-Mar-19 08:38 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Good morning!
First of all thanks Rowland for the fast answer yesterday! I realized that
samba-technical might have been the wrong mailing list and switched it to
the normal samba users list (hopefully it worked, as it does get a bit
confusing with spamgourmet's addresses!). Unfortunately the problem with
samba_dnsupdate remains after the changes.
I did change the smb.conf, krb5.conf, and hosts as requested. I am pretty
new to both samba and linux and added most lines to the configs that looked
promising.
Expected the DC itself to be able to join the domain (again), as I
remembered it to be possible after a classicupgrade with the samba internal
dns.
Regarding BIND, I am using version 9.9 on Debian Jessie and read it is not
necessary to build it yourself and configure it with dlopen (see here
<https://lists.samba.org/archive/samba/2015-January/188049.html>).
The driver is supposedly included and also seems to load alright:
named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz
19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver
19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen'
19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen'
19-Mar-2015 08:05:26.405 Loading SDLZ driver.
19-Mar-2015 08:05:26.646 samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net
19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully.
19-Mar-2015 08:05:26.646 DLZ driver loaded successfully.
19-Mar-2015 08:05:26.646 samba_dlz: starting configure
19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone '11.168.192.in-addr.arpa'
19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone 'intranet.mayweg.net'
19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone '_msdcs.intranet.mayweg.net'
The error for samba_dnsupdate --all-names remains (btw, without --all-names
it works):
ldb: Destroying timer event 0x233f310 "ltdb_timeout"
ldb: Ending timer event 0x1d2bb70 "ltdb_callback"
Traceback (most recent call last):
File "/usr/sbin/samba_dnsupdate", line 612, in <module>
get_credentials(lp)
File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
raise e
RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot contact any KDC for requested realm)
Again, I'm very grateful for any hints where the problem could originate
from.
Greetings,
Timo
sambalist.1.olol13 at spamgourmet.com wrote on 19.03.2015 09:38:
> The error for samba_dnsupdate --all-names remains (btw, without --all-names
> it works):
> ldb: Destroying timer event 0x233f310 "ltdb_timeout"
> ldb: Ending timer event 0x1d2bb70 "ltdb_callback"
> Traceback (most recent call last):
> File "/usr/sbin/samba_dnsupdate", line 612, in <module>
> get_credentials(lp)
> File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
> raise e
> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot
> contact any KDC for requested realm)
Obviously the first thing to do is to get Kerberos working. See:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
Go to 'Testing Kerberos'. Check the hosts file, too, as it is needed to
resolve the name of the KDC.
HTH - Peter
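Peter's advice to check that the name of the KDC actually resolves can be turned into a small offline check. The Python below is an added example, not code from this thread or from the Samba project: it parses a krb5.conf and an /etc/hosts file, lists the KDC names the client can be pointed at (explicit `kdc =` entries plus the `_kerberos._udp` SRV targets when `dns_lookup_kdc` is on), and reports which of them resolve. The parser, the files-before-DNS lookup order and the `kdc_report`/`unresolvable_kdcs` helpers are my own assumptions; the inputs are constructed from values quoted in the thread (the hand-edited krb5.conf, the hosts file with the krb/kdc aliases removed as Rowland asked, and the SRV and A answers from the `host` tests).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inputs, built from the values quoted in this thread.
# The poster's hand-edited krb5.conf, with an explicit kdc= alias.
KRB5_CONF = """
[libdefaults]
    default_realm = INTRANET.MAYWEG.NET
    dns_lookup_realm = true #changed to true
    dns_lookup_kdc = true

[realms]
    INTRANET.MAYWEG.NET = {
        kdc = krb.intranet.mayweg.net
        admin_server = krb.intranet.mayweg.net
        default_domain = intranet.mayweg.net
    }

[domain_realm]
    .intranet.mayweg.net = INTRANET.MAYWEG.NET
    intranet.mayweg.net = INTRANET.MAYWEG.NET
"""
# /etc/hosts after the krb/kdc aliases were removed as advised in the thread.
HOSTS = """
127.0.0.1      localhost localhost.localdomain
192.168.11.250 server06.intranet.mayweg.net server06
::1            localhost ip6-localhost ip6-loopback
"""
# The SRV and A answers the poster got from `host -t SRV` / `host -t A`.
SRV_RECORDS = {"_kerberos._udp.intranet.mayweg.net":
               [(0, 100, 88, "server06.intranet.mayweg.net.")]}
A_RECORDS = {"server06.intranet.mayweg.net": "192.168.11.250"}


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf parser (my own, not libkrb5's): 'key = value' lines
    plus one level of 'NAME = { ... }' blocks, which is all a Samba-generated
    file uses.  Values are lists because keys such as 'kdc' may repeat; a
    trailing '#comment' on a line is dropped."""
    sections: Dict[str, dict] = {}
    section: Optional[dict] = None
    block: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if (m := re.match(r"^\[(\w+)\]$", line)):
            section = sections.setdefault(m.group(1), {})
            block = None
        elif section is None:
            continue
        elif (m := re.match(r"^(\S+)\s*=\s*\{$", line)):
            block = section.setdefault(m.group(1), {})
        elif line == "}":
            block = None
        elif (m := re.match(r"^(\S+)\s*=\s*(.+)$", line)):
            target = block if block is not None else section
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every name and alias in an /etc/hosts file to its address."""
    names: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names


def resolve(name: str, hosts: Dict[str, str], a_records: Dict[str, str]) -> Optional[str]:
    """Offline files-then-DNS lookup (the usual nsswitch order, assumed here)."""
    key = name.rstrip(".").lower()
    return hosts.get(key) or a_records.get(key)


def kdc_report(krb5_text: str, hosts_text: str, srv_records: dict,
               a_records: Dict[str, str],
               realm: Optional[str] = None) -> List[Tuple[str, str, Optional[str]]]:
    """List every KDC name the client can be pointed at for the realm
    (explicit 'kdc =' entries, plus _kerberos._udp SRV targets when
    dns_lookup_kdc is on) with the address it resolves to, or None."""
    conf = parse_krb5_conf(krb5_text)
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults["default_realm"][0]
    hosts = parse_hosts(hosts_text)
    report = []
    for entry in conf.get("realms", {}).get(realm, {}).get("kdc", []):
        host = entry.split(":", 1)[0]            # drop an optional :port
        report.append((host, "kdc=", resolve(host, hosts, a_records)))
    if libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() in ("true", "yes", "1"):
        for _prio, _weight, _port, target in srv_records.get("_kerberos._udp." + realm.lower(), []):
            host = target.rstrip(".")
            report.append((host, "SRV", resolve(host, hosts, a_records)))
    return report


def unresolvable_kdcs(report: List[Tuple[str, str, Optional[str]]]) -> List[str]:
    """KDC names nothing resolves: each is one the client cannot contact."""
    return [name for name, _src, addr in report if addr is None]


if __name__ == "__main__":
    for name, src, addr in kdc_report(KRB5_CONF, HOSTS, SRV_RECORDS, A_RECORDS):
        print(f"{src:5} {name:30} -> {addr or 'UNRESOLVABLE'}")
```

With the thread's own values the explicit `kdc = krb.intranet.mayweg.net` entry stops resolving as soon as the hosts alias is gone, while the SRV target server06.intranet.mayweg.net still does. A KDC name that nothing resolves is exactly the kind of mismatch that leaves kinit with no KDC to contact, which is why the check is worth rerunning after every edit to krb5.conf or /etc/hosts rather than only once.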
Timo Altun
2015-Mar-19 09:30 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : RuntimeError: kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Thank you for the answers Peter and Rowland and sorry to everybody for the
spam...switched to another e-mail address and hope my messages will arrive
only once from now on.
As I wrote in my first mail, Kerberos does work. I can successfully request
and list a ticket on the AD DC.
kinit administrator@INTRANET.MAYWEG.NET
Password for administrator@INTRANET.MAYWEG.NET:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@INTRANET.MAYWEG.NET
Valid starting       Expires              Service principal
19.03.2015 10:05:48  19.03.2015 20:05:48  krbtgt/INTRANET.MAYWEG.NET@INTRANET.MAYWEG.NET
renew until 20.03.2015 10:05:46
Rowland, I did not change the DNS-Server to bind, I removed smb.conf and
/var/lib/samba/private and redid the classicupgrade with the
--dns-backend=BIND9_DLZ option.
Timo
Good morning!
First of all thanks Rowland for the fast answer yesterday! I realized that
samba-technical might have been the wrong mailing list and switched it to
the normal samba users list (hopefully it worked, as it does get a bit
confusing with spamgourmets sendto addresses!). Unfortunately the problem
with samba_dnsupdate remains after the changes.
I did changed the smb.conf, krb5.conf, and hosts as requested. I am pretty
new to both samba and linux and added most lines that looked promising from
other threads. Expected the DC itself to be able to join the domain
(again), as I remembered it to be possible after a classicupgrade with the
samba internal dns.
Regarding BIND, I am using version 9.9 on Debian Jessie and read it is not
necessary to build it yourself and configure it with dlopen (see here
<https://lists.samba.org/archive/samba/2015-January/188049.html>).
The driver is supposedly included and also seems to load alright:
named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz
19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver
19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen'
19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen'
19-Mar-2015 08:05:26.405 Loading SDLZ driver.
19-Mar-2015 08:05:26.646 samba_dlz: started for DN
DC=intranet,DC=mayweg,DC=net
19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully.
19-Mar-2015 08:05:26.646 DLZ driver loaded successfully.
19-Mar-2015 08:05:26.646 samba_dlz: starting configure
19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone
'11.168.192.in-addr.arpa'
19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone '
intranet.mayweg.net'
19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone '_
msdcs.intranet.mayweg.net'
The error for samba_dnsupdate --all-names remains (btw, without --all-names
it works):
ldb: Destroying timer event 0x233f310 "ltdb_timeout"
ldb: Ending timer event 0x1d2bb70 "ltdb_callback"
Traceback (most recent call last):
File "/usr/sbin/samba_dnsupdate", line 612, in <module>
get_credentials(lp)
File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
raise e
RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot
contact any KDC for requested realm)
Again, I'm very grateful for any hints where the problem could originate
from.
Greetings,
Timo
On 18 March 2015 at 19:57, Rowland Penny - repenny241155 at gmail.com <
sambalist.olol13.20ba6b371d.repenny241155#gmail.com at ob.0sg.net> wrote:
> On 18/03/15 17:05, sambalist.1.olol13 at spamgourmet.com wrote:
>
>> Hello,
>>
>> I am trying to upgrade an Samba 3 DC to an Samba 4 AD DC with BIND9_DLZ
>> backend on Debian Jessie. Before I was using tinydns on a different
server>> and want to replace it with BIND.
>> I'm trying this with copies of virtual machines in a different
subnet
(The>> debian jessie AD DC and DNS, a Win7 Client used for RSAT tools
>> administration, a debian squeezy file server that is part of the domain
>> and
>> an xp client).
>> For the most part the new configuration is working, a lot thanks to
>> exploration of the wiki and the mailing list archives, but I cannot
>> resolve
>> the hostnames of domain members and think it is because dynamic DNS
>> updates
>> through kerberos aren't working.
>>
>> When I try "samba_dnsupdate --verbose --all-names", I get the
following
>> error:
>> ldb: Destroying timer event 0x1a42d10 "ltdb_timeout"
>> ldb: Ending timer event 0x1859f30 "ltdb_callback"
>> Traceback (most recent call last):
>> File "/usr/sbin/samba_dnsupdate", line 612, in
<module>
>> get_credentials(lp)
>> File "/usr/sbin/samba_dnsupdate", line 125, in
get_credentials
>> raise e
>> RuntimeError: kinit for SERVER06$@INTRANET.MAYWEG.NET failed (Cannot
>> contact any KDC for requested realm)
>>
>> I can join the domain with windows & linux machines and administer
it and
>> the dns server with RSAT tools. Neither SELinux nor Apparmor are
present.
>>
>> The dns tests from the samba ad dc howto
>>
<https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend>
>> were
>> all successful:
>> host -t SRV _ldap._tcp.intranet.mayweg.net.
>> _ldap._tcp.intranet.mayweg.net has SRV record 0 100 389
>> server06.intranet.mayweg.net.
>> host -t SRV _kerberos._udp.intranet.mayweg.net.
>> _kerberos._udp.intranet.mayweg.net has SRV record 0 100 88
>> server06.intranet.mayweg.net.
>> host -t A server06.intranet.mayweg.net.
>> server06.intranet.mayweg.net has address 192.168.11.250
>>
>> I can resolve the server06.intranet.mayweg.net and intranet.mayweg.net
on
>> all machines, but hostnames of machines I joined to the domain are not
>> resolvable from other domain members. A linux machine that joined had
the
>> output:
>> Joined 'SERVER13' to realm 'intranet.mayweg.net'
>> DNS update failed!
>>
>> I can get kerberos tickets on all machines, and join the domain using
net
>> ads join from all of them but the ad dc itself.
>> On server06 "net ads join -Uadministrator" returns
>> Failed to join domain: This operation is only allowed for the PDC of
the
>> domain. Maybe this has something to do with the dns updates not
working.
>>
>
> You do not run 'net ads join' on a DC, the provision does it for
you (or
> as in your case, the upgrade procedure)
>
>
>>
>> I'll follow up with version info and configuration files
(interfaces,
>> resolv.conf, hosts, smb.conf, krb5.conf, named.conf).
>> Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT
>> implementations of krb5-admin-server and krb5-kdc installed and
configured>> until I realized Samba4 brings the heimdal implementation of kerberos
with>> it. I uninstalled the MIT parts afterwards. Configuration files:
>>
>>
>> /etc/network/interfaces:
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>> address 192.168.11.250
>> netmask 255.255.255.0
>> network 192.168.11.0
>> broadcast 192.168.11.255
>>
>>
>> /etc/resolv.conf:
>> nameserver 192.168.11.250 #had 127.0.0.1 before with the same error
>> domain intranet.mayweg.net
>>
>>
>> /etc/hosts:
>> 127.0.0.1 localhost localhost.localdomain
>> 192.168.11.250 server06.intranet.mayweg.net server06
>> krb.intranet.mayweg.net kdc.intranet.mayweg.net intranet.mayweg.net
>>
>
> Remove everything from the '192.168.11.250' line from 'krb'
onwards, they
> shouldn't be there.
>
>
>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>>
>> /etc/samba/smb.conf:
>> [global]
>> workgroup = MAYWEG.NET
>> realm = INTRANET.MAYWEG.NET
>> netbios name = SERVER06
>> interfaces = lo, eth0
>> bind interfaces only = Yes
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind,>> ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> #added after classicupgrade
>> kerberos method = system keytab
>> client ldap sasl wrapping = sign
>> allow dns updates = nonsecure and secure
>> nsupdate command = /usr/bin/nsupdate -g
>> domain logons = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>>
> remove everything you added to smb.conf
>
> /etc/krb5.conf (copied from /var/lib/samba/private/krb5.conf):
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = true #changed to true
>> dns_lookup_kdc = true
>>
>> #added after classicupgrade
>>
>> [realms]
>> INTRANET.MAYWEG.NET = {
>> kdc = krb.intranet.mayweg.net
>> admin_server = krb.intranet.mayweg.net
>> default_domain = intranet.mayweg.net
>> }
>>
>> [domain_realm]
>>
>> .intranet.mayweg.net = INTRANET.MAYWEG.NET
>> intranet.mayweg.net = INTRANET.MAYWEG.NET
>>
>> [logging]
>> kdc = FILE:/var/log/kerberos/krb5kdc.log
>> admin_server = FILE:/var/log/kerberos/kadmin.log
>> default = FILE:/var/log/kerberos/krb5lib.log
>>
>>
> Change krb5.conf back to what it was.
>
>
> /etc/bind/named.conf (copied together from the includes...):
>> zone "." {
>> type hint;
>> file "/etc/bind/db.root";
>> };
>> // be authoritative for the localhost forward and reverse zones, and
for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> };
>> dlz "AD DNS Zone" {
>> # For BIND 9.8.x
>> # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
>>
>> # For BIND 9.9.x
>> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>
>> # For BIND 9.10.x
>> # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
>> };
>> logging {
>> channel update_debug {
>> file "/var/log/update_debug.log" versions 3 size 100k;
>> severity debug;
>> print-severity yes;
>> print-time yes;
>> };
>> channel security_info {
>> file "/var/log/security_info.log" versions 1 size 100k;
>> severity info;
>> print-severity yes;
>> print-time yes;
>> };
>> channel bind_log {
>> file "/var/log/bind.log" versions 3 size 1m;
>> severity info;
>> print-category yes;
>> print-severity yes;
>> print-time yes;
>> };
>>
>> category default { bind_log; };
>> category lame-servers { null; };
>> category update { update_debug; };
>> category update-security { update_debug; };
>> category security { security_info; };
>> };
>> options {
>> directory "/var/named";
>> recursion yes;
>> dnssec-validation auto;
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> auth-nxdomain yes;
>> notify no;
>> empty-zones-enable no;
>> allow-query {
>> 127.0.0.1;
>> 192.168.11.0/24;
>> # add other networks you want to allow to query your DNS
>> };
>> allow-query-cache {
>> 127.0.0.1;
>> 192.168.11.0/24;
>> # add other networks you want to allow to query your DNS
>> };
>> allow-recursion {
>> 192.168.11.0/24;
>> 127.0.0.1;
>> # add other networks you want to allow to do recursive queries
>> };
>> forwarders {
>> # Google public DNS server here - replace with your own if necessary
>> };
>> allow-transfer {
>> # this config is for a single master DNS server
>> none;
>> };
>> };
>>
>> I hope I provided all the necessary information and am grateful for any
>> hints on where to look for a fix to this problem.
>>
>> Greetings,
>> Timo
>>
>
> Finally, was the version of bind you are using configured with dlopen ?
>
> Rowland
>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Mar-19 09:51 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
On 19/03/15 09:30, Timo Altun wrote:
> Thank you for the answers Peter and Rowland and sorry to everybody for the
> spam...switched to another e-mail address and hope my messages will arrive
> only once from now on.
> As I wrote in my first mail, Kerberos does work. I can successfully request
> and list a ticket on the AD DC.
>
> kinit administrator at INTRANET.MAYWEG.NET
> Password for administrator at INTRANET.MAYWEG.NET:
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at INTRANET.MAYWEG.NET
> Valid starting       Expires              Service principal
> 19.03.2015 10:05:48  19.03.2015 20:05:48  krbtgt/INTRANET.MAYWEG.NET at INTRANET.MAYWEG.NET
>         renew until 20.03.2015 10:05:46
>
> Rowland, I did not change the DNS-Server to bind, I removed smb.conf and
> /var/lib/samba/private and redid the classicupgrade with the
> --dns-backend=BIND9_DLZ option.
>
> Timo

OK, I am using Debian wheezy with samba and bind9 from backports. These are
the conf files I use (comments removed to save space):

/etc/resolv.conf
search example.com
nameserver 192.168.0.3   <-- this is my second DC
nameserver 127.0.0.1

/etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

/etc/samba/smb.conf
# Global parameters
[global]
workgroup = EXAMPLE
realm = example.com
netbios name = DC01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders { 8.8.8.8; 8.8.4.4; };
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

/var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
# For BIND 9.9.0
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

These work for me :-)

Rowland
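An added check, written for this thread and not taken from Samba or from either poster, that parses a krb5.conf and reports how kinit will look for the realm's KDC; it is run over the two files posted above (the one with the hand-written [realms] block and Rowland's minimal one). The DC names and the libkrb5 parsing behaviour noted in the comments are this example's assumptions.

```python
import re

# Constructed inputs: the krb5.conf from the thread and the minimal one Rowland posted.
TIMO_KRB5 = """\
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = true #changed to true
dns_lookup_kdc = true
[realms]
INTRANET.MAYWEG.NET = {
kdc = krb.intranet.mayweg.net
}
"""
ROWLAND_KRB5 = "[libdefaults]\ndefault_realm = EXAMPLE.COM\ndns_lookup_realm = false\ndns_lookup_kdc = true\n"
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}   # spellings libkrb5 reads as true


def parse_krb5_conf(text):
    """{section: {key: [values] or {nested block}}}; comments count only at line start."""
    conf, stack = {}, [{}]                    # the anonymous dict absorbs text before any [section]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\S+)\]", line):
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()                       # end of a REALM = { ... } block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf


def kdc_discovery_report(conf, dc_fqdn):
    """How kinit will look for the default realm's KDC, plus the thread's two pitfalls."""
    libd = conf.get("libdefaults", {})
    realm = libd.get("default_realm", [""])[0]
    block = conf.get("realms", {}).get(realm, {})
    warnings = []
    for key, vals in list(libd.items()) + list(block.items()):
        for v in (vals if isinstance(vals, list) else []):
            if "#" in v:   # libkrb5 has no mid-line comments: the whole string is the value
                warnings.append(f"{key} = {v!r}: '#' does not start a comment here")
    dns_kdc = libd.get("dns_lookup_kdc", ["false"])[0].lower() in TRUE_WORDS
    kdcs = [k.lower().rstrip(".") for k in block.get("kdc", [])]
    for k in kdcs:
        if k != dc_fqdn.lower():
            warnings.append(f"kdc = {k} is not the DC {dc_fqdn} that the "
                            "_kerberos._udp SRV record points at")
    if kdcs:           # MIT libkrb5 does not fall back to SRV for a realm that lists kdcs
        how = "explicit [realms] kdc entries: " + ", ".join(kdcs)
    elif dns_kdc:
        how = f"DNS SRV lookup of _kerberos._udp.{realm.lower()}"
    else:
        how = "nothing: no kdc entries and dns_lookup_kdc is off"
        warnings.append(how)
    return {"realm": realm, "dns_lookup_kdc": dns_kdc, "kdcs": kdcs,
            "discovery": how, "warnings": warnings}
```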
Peter Serbe
2015-Mar-19 14:31 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Timo Altun wrote on 19.03.2015 10:30:
> As I wrote in my first mail, Kerberos does work. I can successfully request
> and list a ticket on the AD DC.

OK, then the next things which come to my mind are: is the keytab you set in
named.conf.options readable by the user under which bind is run? Then, is
/etc/bind/namedb writable for bind? And in the end, it might be a screwed-up
installation. I had troubles with dynamic updates a long time ago, when it
turned out that I had screwed something up during the installation.

HTH - Peter