Timo Altun
2015-Mar-20 11:13 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Hi guys,

thanks again for the quick answers. First, the smb.conf on the linux fileserver. It is quite long, as I took the old file (working version from samba3 configuration) and only made adjustments, like adding the realm.

/etc/samba/smb.conf:
[global]
### Browsing/Identification ###

workgroup = MAYWEG.NET
realm = INTRANET.MAYWEG.NET
netbios name = server13
smb ports = 139, 445
hosts allow = 127. 192.168.11.
interfaces = eth0 lo
server string = SAMBA Fileserver
wins support = no
wins server = 192.168.11.250
name resolve order = host wins lmhosts bcast

idmap uid = 15000-25000
idmap gid = 15000-25000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = true
winbind cache time = 15

#### Debugging/Accounting ####

log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

####### Authentication #######

security = domain
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
pam password change = yes

########## Printing ##########

load printers = yes
printing = cups
printcap name = cups

############ Misc ############

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
restrict anonymous = no
domain master = no
local master = yes
preferred master = no
password server = 192.168.11.250
server signing = disabled
display charset = ISO8859-15
unix charset = ISO8859-15
dos charset = CP1250
read raw = yes
write raw = yes
oplocks = yes
level2oplocks = no
fake oplocks = no
debug level = 2
getwd cache = yes
keepalive = 30

[sda1]
comment = Laufwerk sda1 von Server13
path = /
valid users = administrator
admin users = administrator
read list
invalid users
case sensitive = no
; msdfs proxy = no
read only = no
writable = yes
create mask = 0775
directory mask = 0775

Thanks for the dnstest script Louis, the output on the DC is:
==========Test DNS Records ===============================
Testing : dns entries
testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
testing of : host -t A server06.intranet.mayweg.net. : ok

On server13, the linux client:
==========Test DNS Records ===============================
Testing : dns entries
testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
testing of : host -t A server13.intranet.mayweg.net. : FAILED

The fixing part does not work on server13, as samba-tools (and maybe other packages) are not installed. I'll try to install the missing parts and will try again.
Am I right though, that as a domain member this should have worked automatically for the machine? When joining the domain using net ads join on server13 it does still give me "DNS update failed!".

Greetings,
Timo

On 20 March 2015 at 11:01, L.P.H. van Belle <belle at bazuin.nl> wrote:
> can you run these commands and tell us the output.
> ( copy paste it. )
>
> SETFQDN=`hostname -f`
> SETDNSDOMAIN=`hostname -d`
> SETHOSTNAME=`hostname -s`
> SETSERVERIP=`hostname -i`
> echo "==========Test DNS Records ==============================="
> echo "Testing : dns entries"
> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
> else
>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
> fi
> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok"
> else
>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED"
> fi
> if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>     echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok"
> else
>     echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED"
>     echo "trying to fix it now: "
>     samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${SETDNSDOMAIN} ${SETHOSTNAME} A ${SETSERVERIP}
> fi
>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Friday 20 March 2015 10:21
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)
>>
>> On 20/03/15 09:02, Timo Altun wrote:
>>> Thank you Louis for that answer! Actually I did get kinit and samba_dnsupdate working, though I am unsure how. I tried some changes to krb5.conf in the [realms] and [domain_realm] sections, as well as setting dns_lookup_realm = false to true, but reverted it all back to the initial file:
>>>
>>> [libdefaults]
>>> default_realm = INTRANET.MAYWEG.NET
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> After a reboot, both kinit and samba_dnsupdate worked on the host machine. Shares can be accessed, RSAT tools are working. From the linux fileserver nslookup and ping work for hostnames of domain members, dig command does not get an answer. The windows machines can nslookup and ping everything but the linux machine. Somehow it did not generate an entry in the DNS Server. Is this normal behavior for linux domain members and I need to create the DNS entry manually or is something still amiss?
>>>
>>> Greetings and thanks for the help so far,
>>> Timo
>>>
>>> On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>
>>>> Try change your resolv.conf from :
>>>>> nameserver 127.0.0.1
>>>>> domain intranet.mayweg.net
>>>> to
>>>> nameserver 192.168.11.250
>>>> search intranet.mayweg.net
>>>>
>>>>> The only thing I was unsure about, was which hostname to enter for Kerberos Server and Kerberos admin server when asked during the installation of the packages..
>>>> Try these default settings for kerberos..
>>>> You didn't have to enter the hostname, only the default kerberos domain name is needed.
>>>>
>>>> a copy paste for you.
>>>>
>>>> echo "krb5-config krb5-config/add_servers_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>>>> echo "krb5-config krb5-config/read_conf boolean true" | debconf-set-selections
>>>> echo "krb5-config krb5-config/kerberos_servers string " | debconf-set-selections
>>>> echo "krb5-config krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>>>> echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
>>>> echo "krb5-config krb5-config/admin_server string " | debconf-set-selections
>>>> echo "krb5-config krb5-config/dns_for_default boolean true" | debconf-set-selections
>>>> dpkg-reconfigure -plow krb5-config
>>>>
>>>> and if you want to point to a kerberos server.
>>>> echo "krb5-config krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections
>>>>
>>>> but its not needed, man krb5.conf tells you enough.
>>>>
>>>> after the changes, type:
>>>> host -t SRV _kerberos._udp.intranet.mayweg.net
>>>> if you get not found, then we need to analyze more.
>>>>
>>>> If you want to start with a "Clean server" just have a look here.
>>>>
>>>> https://secure.bazuin.nl/scripts/
>>>>
>>>> I added 2 simple scripts. a debian wheezy backported and debian jessie script.
>>>> The Jessie script is basically the wheezy backported version, but without the backports repo.
>>>> Its a set with minimal changes to the system, and use the defaults there where possible.
>>>>
>>>> If you look in the script, these settings MUST be set.
>>>> Settings you must change are :
>>>>
>>>> NTPD_SERVER1_EXTERNAL
>>>> NTPD_RESTRICT_INTERFACE ( if you don't have a eth0 )
>>>> BIND9_NETWORKS
>>>> SAMBA_DC1_IP
>>>> SAMBA_NT_DOMAIN
>>>> SAMBA_SITE_NAME
>>>>
>>>> optional:
>>>> SAMBA_PASS_POLICY_CHANGE
>>>> SAMBA_TEMPLATE_HOMEDIR
>>>> SAMBA_TEMPLATE_SHELL
>>>>
>>>> and as last :
>>>> CONFIGURED
>>>>
>>>> All other options are optional.
>>>> If you have a different dns domain name and kerberos domain, you must change that.. etc..
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>> -----Original message-----
>>>>> From: olol13.samba at the-1337.org [mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>>>>> Sent: Friday 20 March 2015 0:04
>>>>> To: Peter Serbe; samba at lists.samba.org; Rowland Penny - repenny241155 at gmail.com
>>>>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)
>>>>>
>>>>> Ok, I setup a new machine with Debian Jessie and checked and installed everything from OS requirements in the wiki ( https://wiki.samba.org/index.php/OS_Requirements ).
>>>>> The only thing I was unsure about, was which hostname to enter for Kerberos Server and Kerberos admin server when asked during the installation of the packages...I used krb.intranet.mayweg.net.
>>>>> Now, after the classicupgrade kinit isn't working anymore...I get the same error I get when trying samba_dnsupdate:
>>>>> kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' while getting initial credentials.
>>>>>
>>>>> One step I did not do as stated in the wiki is configuring bind with --with-gssapi=/usr/include/gssapi --with-dlopen=yes.
>>>>> Once again the dlopen driver seems to work in this version, but I have no idea about the first part. Should I build bind myself with the first option?
>>>>> @Rowland, did you have a working bind installation before you upgraded/provisioned your domain?
>>>>>
>>>>> @Peter There is no file called namedb in /etc/bind, but the whole folder is writeable for user bind.
>>>>>
>>>>> My configs, now mostly adapted from Rowland's working configuration are:
>>>>>
>>>>> /etc/network/interfaces:
>>>>> auto lo
>>>>> iface lo inet loopback
>>>>>
>>>>> auto eth0
>>>>> iface eth0 inet static
>>>>> address 192.168.11.250
>>>>> network 192.168.11.0
>>>>> netmask 255.255.255.0
>>>>> broadcast 192.168.11.255
>>>>>
>>>>> /etc/hosts:
>>>>> 127.0.0.1 localhost
>>>>> 192.168.11.250 server06.intranet.mayweg.net server06 krb
>>>>>
>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>> ::1 localhost ip6-localhost ip6-loopback
>>>>> ff02::1 ip6-allnodes
>>>>> ff02::2 ip6-allrouters
>>>>>
>>>>> /etc/resolv.conf:
>>>>> nameserver 127.0.0.1
>>>>> domain intranet.mayweg.net
>>>>>
>>>>> /etc/bind/named.conf:
>>>>> include "/etc/bind/named.conf.options";
>>>>> include "/etc/bind/named.conf.local";
>>>>> include "/etc/bind/named.conf.default-zones";
>>>>> include "/var/lib/samba/private/named.conf";
>>>>>
>>>>> /etc/bin/named.conf.options:
>>>>> options {
>>>>>     directory "/var/cache/bind";
>>>>>     dnssec-validation no;
>>>>>     auth-nxdomain no;    # conform to RFC1035
>>>>>     listen-on-v6 { any; };
>>>>>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>> };
>>>>>
>>>>> /var/lib/samba/private/named.conf:
>>>>> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>>>>
>>>>> /etc/krb5.conf:
>>>>> [libdefaults]
>>>>> default_realm = INTRANET.MAYWEG.NET
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>>
>>>>> /etc/samba/smb.conf:
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = MAYWEG.NET
>>>>> realm = INTRANET.MAYWEG.NET
>>>>> netbios name = SERVER06
>>>>> interfaces = lo, eth0
>>>>> bind interfaces only = Yes
>>>>> server role = active directory domain controller
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>> idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> [netlogon]
>>>>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>>>>> read only = No
>>>>>
>>>>> [sysvol]
>>>>> path = /var/lib/samba/sysvol
>>>>> read only = No
>>>>>
>>>>> On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>>>>>
>>>>>> Timo Altun wrote on 19.03.2015 10:30:
>>>>>>
>>>>>>> As I wrote in my first mail, Kerberos does work. I can successfully request and list a ticket on the AC DC.
>>>>>> OK, then next things, which come to my mind are:
>>>>>> is the keytab, you set in named.conf.options readable for the user, under which bind is run.
>>>>>>
>>>>>> Then, is the /etc/bind/namedb writable for bind.
>>>>>>
>>>>>> And in the end, it might be a screwed up installation. I had troubles with dynamic updates a long time ago, when it turned out, that I screwed something up during the installation.
>>>>>>
>>>>>> HTH
>>>>>> - Peter
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>> Can you post the smb.conf from the linux fileserver
>>
>> Rowland
Rowland Penny
2015-Mar-20 11:23 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
On 20/03/15 11:13, Timo Altun wrote:
> [...]

OK, too much wrong in that smb.conf to mention, go and have a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
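Rowland does not say what is wrong with the fileserver's smb.conf, but several settings in it stand out to a reviewer beyond the wiki's configuration advice: the share exports `path = /` (the whole root filesystem), `admin users = administrator` makes every file operation on that share run as root, `server signing = disabled` switches off SMB signing, and `security = domain` is NT4-style membership rather than `security = ads`. The script below is an added example for this thread, not Samba's own tooling (Samba's syntax checker is `testparm`; run that first). It is a small awk-based linter that reads an smb.conf section by section and reports those four settings; the sample configuration embedded in it is a constructed excerpt of the posted file, and the finding texts are this example's own wording.

```shell
#!/bin/sh
# Lint an smb.conf for settings that are risky on a Samba AD member file
# server. Added example, not Samba code. The parser is deliberately simple:
# one "key = value" per line, [section] headers, '#'/';' comments ignored,
# keys lower-cased with runs of whitespace squeezed to one space.

# Constructed sample: an excerpt of the posted member smb.conf.
SAMPLE_SMB_CONF='[global]
   security = domain
   server signing = disabled
   passdb backend = tdbsam

[sda1]
   comment = Laufwerk sda1 von Server13
   path = /
   valid users = administrator
   admin users = administrator
   create mask = 0775
   read only = no
'

# lint_smb_conf: reads smb.conf text on stdin, prints one finding per line
# in the form  <section>|<key>|<value>|<why>
lint_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "path" && val == "/")
            print sec "|" key "|" val "|exports the entire root filesystem"
        if (key == "admin users" && val != "")
            print sec "|" key "|" val "|listed users act as root on this share"
        if (key == "server signing" && val == "disabled")
            print sec "|" key "|" val "|SMB signing off: tampering and relay go undetected"
        if (key == "security" && val == "domain")
            print sec "|" key "|" val "|NT4-style membership; an AD member should use security = ads"
    }'
}

# count_findings TEXT: number of findings the linter produces for TEXT.
count_findings() {
    printf '%s' "$1" | lint_smb_conf | wc -l | tr -d ' '
}

# has_finding SECTION KEY TEXT: exit 0 if KEY in SECTION is flagged.
has_finding() {
    printf '%s' "$3" | lint_smb_conf | grep -q "^$1|$2|"
}

# Stand-alone use: lint the file given as $1, or the built-in sample.
if [ -n "${1:-}" ]; then
    lint_smb_conf < "$1"
else
    printf '%s' "$SAMPLE_SMB_CONF" | lint_smb_conf
fi
```

Run it as `sh smbconf-lint.sh /etc/samba/smb.conf`. On the posted file it reports four findings: two in `[global]` and two in `[sda1]`. The fix for the share is a dedicated directory under `path`, `valid users` restricted to a domain group, and no `admin users` at all; a hardened excerpt such as `security = ads`, `server signing = mandatory` and `path = /srv/data` produces no findings.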
Timo Altun
2015-Mar-20 14:49 UTC
[Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC@Realm] failed (Cannot contact any KDC for requested realm)
Ok, I setup a new smb.conf and rebooted. Winbind doesn't seem to pass on the domain users anymore and the DNS Update during domain join still fails.
For some reason, although I have all samba 3.5.6. packages installed on this debian squeeze, samba -V or samba-tool are unknown commands. Maybe this is why the dns update fails, some missing tools or commands?
wbinfo -u and wbinfo -g return domain users and groups correctly, getent passwd and getent group do not (did before the smb.conf changes). The bigger problem right now is the dns record for server13...for the user accounts I could always go back to the old and ugly smb.conf ;)
Will try to add/exchange some lines to create a working minimal configuration.
I added the rather simple hosts and resolv.conf files of server13 as well.

The new smb.conf:
[global]
netbios name = server13
workgroup = MAYWEG.NET
security = ADS
realm = INTRANET.MAYWEG.NET
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MAYWEG.NET:backend = ad
idmap config MAYWEG.NET:schema_mode = rfc2307
idmap config MAYWEG.NET:range = 10000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

[sda1]
comment = Laufwerk sda1 von Server13
path = /
valid users = administrator
admin users = administrator
read list
invalid users
case sensitive = no
; msdfs proxy = no
read only = no
writable = yes
create mask = 0775
directory mask = 0775

/etc/network/resolv.conf:
search intranet.mayweg.net
nameserver 192.168.11.250

/etc/hosts:
127.0.0.1 localhost.intranet.mayweg.net localhost
192.168.11.141 server13.intranet.mayweg.net server13
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

On 20 March 2015 at 12:23, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 20/03/15 11:13, Timo Altun wrote:
>> [...]
I tried >>>>> >>>> some changes to >>>> >>>>> krb5.conf in the [realms] and [domain_realm] sections, als well as >>>>> setting dns_lookup_realm = false to true, but reverted it >>>>> >>>> all back to the >>>> >>>>> initial file: >>>>> >>>>> [libdefaults] >>>>> default_realm = INTRANET.MAYWEG.NET >>>>> dns_lookup_realm = false >>>>> dns_lookup_kdc = true >>>>> >>>>> After a reboot, both kinit and samba_dnsupdate worked on the >>>>> >>>> host machine. >>>> >>>>> Shares can be accessed, RSAT tools are working. From the >>>>> >>>> linux fileserver >>>> >>>>> nslookup and ping work for hostnames of domainmembers, dig >>>>> >>>> command does not >>>> >>>>> get an answer. The windows machines can nslookup and ping >>>>> >>>> everything but >>>> >>>>> the linux machine. Somehow it did not generate an entry in >>>>> >>>> the DNS Server. >>>> >>>>> Is this normal behavior for linux domain members and I need >>>>> >>>> to create the >>>> >>>>> DNS entry manually or is something still amiss? >>>>> >>>>> Greetings and thanks for the help so far, >>>>> Timo >>>>> >>>>> >>>>> On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote: >>>>> >>>>> Try change your resolv.conf from : >>>>>> >>>>>>> nameserver 127.0.0.1 >>>>>>> domain intranet.mayweg.net >>>>>>> >>>>>> to >>>>>> nameserver 192.168.11.250 >>>>>> search intranet.mayweg.net >>>>>> >>>>>> The only thing I was unsure about, was which hostname to enter >>>>>>> for Kerberos >>>>>>> Server and Kerberos admin server when asked during the >>>>>>> installation of the >>>>>>> packages.. >>>>>>> >>>>>> Try these defealt settings for kerberos.. >>>>>> You didnt have to enter the hostname, Only the default >>>>>> >>>>> kerberos Domain >>>> >>>>> name is needed. >>>>>> >>>>>> a copy past for you. 
>>>>>> >>>>>> echo "krb5-config krb5-config/add_servers_realm string >>>>>> INTRANET.MAYWEG.NET" | debconf-set-selections >>>>>> echo "krb5-config krb5-config/read_conf boolean true" | >>>>>> debconf-set-selections >>>>>> echo "krb5-config krb5-config/kerberos_servers string " | >>>>>> debconf-set-selections >>>>>> echo "krb5-config krb5-config/default_realm string >>>>>> INTRANET.MAYWEG.NET" | debconf-set-selections >>>>>> echo "krb5-config krb5-config/add_servers boolean false" | >>>>>> debconf-set-selections >>>>>> echo "krb5-config krb5-config/admin_server string " | >>>>>> debconf-set-selections >>>>>> echo "krb5-config krb5-config/dns_for_default >>>>>> >>>>> boolean true" | >>>> >>>>> debconf-set-selections >>>>>> dpkg-reconfigure plow krb5-config >>>>>> >>>>>> and if you want to point to a kerberos server. >>>>>> echo "krb5-config krb5-config/kerberos_servers string >>>>>> server06.intranet.mayweg.net" | debconf-set-selections >>>>>> >>>>>> but its not needed, man krb5.conf tells you enough. >>>>>> >>>>>> after the changes, type: >>>>>> host -t SRV _kerberos._udp.intranet.mayweg.net >>>>>> if you get not found, then we need to analize more. >>>>>> >>>>>> >>>>>> >>>>>> If you want to start with a "Clean server" >>>>>> just have a look here. >>>>>> >>>>>> https://secure.bazuin.nl/scripts/ >>>>>> >>>>>> I added 2 simple scripts. a debian wheezy backported and >>>>>> >>>>> debian jessie >>>> >>>>> script. >>>>>> The Jessie script is basicly the wheezy backported version, >>>>>> >>>>> but without >>>> >>>>> the backports repo. >>>>>> Its a set with minimal changes to the system, and use the >>>>>> >>>>> defaults there >>>> >>>>> where possible. >>>>>> >>>>>> If you look in the script, >>>>>> these settings MUST be set. 
>>>>>> Settings you must change are : >>>>>> >>>>>> NTPD_SERVER1_EXTERNAL >>>>>> NTPD_RESTRICT_INTERFACE ( if you dont have a eth0 ) >>>>>> BIND9_NETWORKS >>>>>> SAMBA_DC1_IP >>>>>> SAMBA_NT_DOMAIN >>>>>> SAMBA_SITE_NAME >>>>>> >>>>>> optional: >>>>>> SAMBA_PASS_POLICY_CHANGE >>>>>> SAMBA_TEMPLATE_HOMEDIR >>>>>> SAMBA_TEMPLATE_SHELL >>>>>> >>>>>> >>>>>> and as last : >>>>>> CONFIGURED >>>>>> >>>>>> All other options are optional. >>>>>> If you have a different dns domain name and kerberos domain. >>>>>> you must change that.. etc.. >>>>>> >>>>>> Greetz, >>>>>> >>>>>> Louis >>>>>> >>>>>> >>>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>>> Van: olol13.samba at the-1337.org >>>>>>> [mailto:samba-bounces at lists.samba.org] Namens Timo Altun >>>>>>> Verzonden: vrijdag 20 maart 2015 0:04 >>>>>>> Aan: Peter Serbe; samba at lists.samba.org; Rowland Penny - >>>>>>> repenny241155 at gmail.com >>>>>>> Onderwerp: Re: [Samba] Fwd: Dynamic DNS Updates not working. >>>>>>> samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: >>>>>>> (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot >>>>>>> contact any KDC for requested realm) >>>>>>> >>>>>>> Ok, I setup a new machine with Debian Jessie and checked >>>>>>> >>>>>> and installed >>>> >>>>> everything from OS requirements in the wiki ( >>>>>>> https://wiki.samba.org/index.php/OS_Requirements ). >>>>>>> The only thing I was unsure about, was which hostname to enter >>>>>>> for Kerberos >>>>>>> Server and Kerberos admin server when asked during the >>>>>>> installation of the >>>>>>> packages...I used krb.intranet.mayweg.net. >>>>>>> Now, after the classicupgrade kinit isn't working anymore...I >>>>>>> get the same >>>>>>> error I get when trying samba_dnsupdate: >>>>>>> kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' >>>>>>> while getting >>>>>>> initial credentials. 
>>>>>>> >>>>>>> One step I did not do as stated in the wiki is configuring >>>>>>> >>>>>> bind with >>>> >>>>> --with-gssapi=/usr/include/gssapi >>>>>>> --with-dlopen=yes. >>>>>>> Once again the dlopen driver seems to work in this version, >>>>>>> but I have no >>>>>>> idea about the first part. Should I build bind myself with the >>>>>>> first option? >>>>>>> @Rowland, did you have a working bind installation before you >>>>>>> upgraded/provisioned your domain? >>>>>>> >>>>>>> @Peter There is no file called namedb in /etc/bind, but the >>>>>>> whole folder is >>>>>>> writeable for user bind. >>>>>>> >>>>>>> My configs, now mostly adapted from Rowland's woking >>>>>>> >>>>>> configuration are: >>>> >>>>> /etc/network/interfaces: >>>>>>> auto lo >>>>>>> iface lo inet loopback >>>>>>> >>>>>>> auto eth0 >>>>>>> iface eth0 inet static >>>>>>> address 192.168.11.250 >>>>>>> network 192.168.11.0 >>>>>>> netmask 255.255.255.0 >>>>>>> broadcast 192.168.11.255 >>>>>>> >>>>>>> /etc/hosts: >>>>>>> 127.0.0.1 localhost >>>>>>> 192.168.11.250 server06.intranet.mayweg.net server06 krb >>>>>>> >>>>>>> # The following lines are desirable for IPv6 capable hosts >>>>>>> ::1 localhost ip6-localhost ip6-loopback >>>>>>> ff02::1 ip6-allnodes >>>>>>> ff02::2 ip6-allrouters >>>>>>> >>>>>>> /etc/resolv.conf: >>>>>>> nameserver 127.0.0.1 >>>>>>> domain intranet.mayweg.net >>>>>>> >>>>>>> /etc/bind/named.conf: >>>>>>> include "/etc/bind/named.conf.options"; >>>>>>> include "/etc/bind/named.conf.local"; >>>>>>> include "/etc/bind/named.conf.default-zones"; >>>>>>> include "/var/lib/samba/private/named.conf"; >>>>>>> >>>>>>> /etc/bin/named.conf.options: >>>>>>> options { >>>>>>> directory "/var/cache/bind"; >>>>>>> dnssec-validation no; >>>>>>> auth-nxdomain no; # conform to RFC1035 >>>>>>> listen-on-v6 { any; }; >>>>>>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; >>>>>>> }; >>>>>>> >>>>>>> /var/lib/samba/private/named.conf: >>>>>>> database "dlopen >>>>>>> 
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so"; >>>>>>> >>>>>>> /etc/krb5.conf: >>>>>>> [libdefaults] >>>>>>> default_realm = INTRANET.MAYWEG.NET >>>>>>> dns_lookup_realm = false >>>>>>> dns_lookup_kdc = true >>>>>>> >>>>>>> /etc/samba/smb.conf: >>>>>>> # Global parameters >>>>>>> [global] >>>>>>> workgroup = MAYWEG.NET >>>>>>> realm = INTRANET.MAYWEG.NET >>>>>>> netbios name = SERVER06 >>>>>>> interfaces = lo, eth0 >>>>>>> bind interfaces only = Yes >>>>>>> server role = active directory domain controller >>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, >>>>>>> drepl, winbind, >>>>>>> ntp_signd, kcc, dnsupdate >>>>>>> idmap_ldb:use rfc2307 = yes >>>>>>> >>>>>>> [netlogon] >>>>>>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts >>>>>>> read only = No >>>>>>> >>>>>>> [sysvol] >>>>>>> path = /var/lib/samba/sysvol >>>>>>> read only = No >>>>>>> >>>>>>> >>>>>>> On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote: >>>>>>> >>>>>>> Timo Altun schrieb am 19.03.2015 10:30: >>>>>>>> >>>>>>>> As I wrote in my first mail, Kerberos does work. I can >>>>>>>>> >>>>>>>> successfully >>>> >>>>> request >>>>>>>> >>>>>>>>> and list a ticket on the AC DC. >>>>>>>>> >>>>>>>> OK, then next things, which come to my mind are: >>>>>>>> is the keytab, you set in named.conf.options readable >>>>>>>> for the user, under which bind is run. >>>>>>>> >>>>>>>> Then, is the /etc/bind/namedb writable for bind. >>>>>>>> >>>>>>>> And in the end, it might be a screwed up installation. >>>>>>>> I had troubles with dynamic updates a long time ago, >>>>>>>> when it turned out, that I screwed something up during >>>>>>>> the installation. 
>>>>>>>> >>>>>>>> HTH >>>>>>>> - Peter >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>>> >>>>>>> >>>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>> >>>>>> Can you post the smb.conf from the linux fileserver >>>> >>>> Rowland >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> >>>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> > OK, too much wrong in that smb.conf to mention, go and have a look here: > > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server > > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
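Two things in the thread are worth pinning down with a script, and the one below is an added example, not code from the thread or from the Samba project. First, the dnstest script's "fix" step cannot work on server13: samba-tool ships with Samba 4, not with the Samba 3.5.6 packages on squeeze, its first argument is the DNS server to talk to (a DC), and it needs administrator credentials. A member server should register its own record with the machine account over GSS-TSIG, which is what net ads join attempts and what nsupdate -g does in the open. Second, the dnstest script greps only for "not found", so an unreachable or failing resolver ("connection timed out; no servers could be reached", SERVFAIL) is reported as "ok"; checking for the record you expect is the safer test. Assumptions, all labelled in the code: the names and addresses from the thread (server13, 192.168.11.141, the DC at 192.168.11.250, intranet.mayweg.net), the keytab path from the posted smb.conf, MIT kinit (Debian's krb5-user), and nsupdate from the dnsutils package. The sample resolver output used in comments is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): DNS check for a Samba AD member plus
# GSS-TSIG registration of its A record using the machine account's key.
# Assumed values (from the thread and the posted smb.conf):
MEMBER_HOST=${MEMBER_HOST:-server13}
DNS_DOMAIN=${DNS_DOMAIN:-intranet.mayweg.net}
KRB_REALM=${KRB_REALM:-INTRANET.MAYWEG.NET}
MEMBER_IP=${MEMBER_IP:-192.168.11.141}
DC_IP=${DC_IP:-192.168.11.250}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}      # "dedicated keytab file" in smb.conf
RECORD_TTL=3600

# classify_host_output TYPE NAME OUTPUT
# Succeeds only when OUTPUT (what `host -t TYPE NAME` printed) carries a TYPE
# record for NAME. Grepping for "not found" alone would call a timeout or
# SERVFAIL "ok"; positive evidence is required here instead.
# Constructed sample of a good answer:
#   server13.intranet.mayweg.net has address 192.168.11.141
classify_host_output() {
  _name=${2%.}                          # host prints names without the final dot
  case $1 in
    A)   _pat="$_name has address " ;;
    SRV) _pat="$_name has SRV record " ;;
    *)   return 2 ;;
  esac
  printf '%s\n' "$3" | grep -Fq -- "$_pat"
}

# check_record TYPE NAME: run the real lookup against the configured resolver.
check_record() {
  _out=$(host -t "$1" "$2." 2>&1) || true   # the output, not the exit code, decides
  if classify_host_output "$1" "$2" "$_out"; then
    echo "ok      $1 $2"
  else
    echo "FAILED  $1 $2"
    printf '        %s\n' "$_out"
    return 1
  fi
}

# machine_principal HOST REALM -> HOST$@REALM, the account AD lets update
# the records it created for this host.
machine_principal() {
  printf '%s$@%s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" "$2"
}

# nsupdate_batch FQDN IP ZONE DC TTL: the update sent over GSS-TSIG.
# Delete-then-add replaces a stale address instead of adding a second one.
nsupdate_batch() {
  printf 'server %s\n' "$4"
  printf 'zone %s\n' "$3"
  printf 'update delete %s. A\n' "$1"
  printf 'update add %s. %s A %s\n' "$1" "$5" "$2"
  printf 'send\n'
}

# register_a_record: get a TGT for the machine account from the keytab
# (MIT kinit syntax), then push the batch with nsupdate -g. No domain admin
# password is involved; the DC enforces that the principal owns the record.
register_a_record() {
  _princ=$(machine_principal "$MEMBER_HOST" "$KRB_REALM")
  kinit -k -t "$KEYTAB" "$_princ" || return 1
  nsupdate_batch "$MEMBER_HOST.$DNS_DOMAIN" "$MEMBER_IP" "$DNS_DOMAIN" "$DC_IP" "$RECORD_TTL" \
    | nsupdate -g
}

# Network actions only run when asked, so the functions can be sourced/tested.
case ${1:-} in
  check)
    check_record SRV "_ldap._tcp.$DNS_DOMAIN"
    check_record SRV "_kerberos._udp.$DNS_DOMAIN"
    check_record A "$MEMBER_HOST.$DNS_DOMAIN"
    ;;
  register)
    register_a_record
    ;;
esac
```

Run it as root on the member (`sh dnscheck.sh check`, then `sh dnscheck.sh register`), since the keytab is root-readable. If the update is refused, `nsupdate -g -d` shows the TKEY/TSIG negotiation; a failure there points at the DC side (the BIND DLZ/tkey-gssapi-keytab setup discussed earlier in the thread) rather than at the member, which is the same place a "DNS update failed!" from net ads join comes from.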