Timo Altun
2015-Mar-20 16:56 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
On 20 March 2015 at 17:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 20/03/15 15:47, Timo Altun wrote:
>
>> I'm sorry it got confusing, changed the topic and I'll try to explain. I am using Jessie on the DC. Server13 is a linux file server and domain member, it is on squeeze. If possible, I do not want to upgrade it. The problem here is, that it does not seem to generate a DNS record when joining the domain and, after setting up the new smb.conf, the users aren't passed on from winbind to the local authentication tools. It also caused the single share I set up in the smb.conf to be inaccessible by user administrator. Maybe something with the keytab file is not working.
>>
>
> You were confused :-D

And I most definitely still am :)
In general, am I right, that Kerberos is working as intended, when I am able to get tickets?
Further, my old smb.conf used security = domain and no keytab...might this be the reason for the winbind users not being transferred?
Maybe it's also necessary for DNS updates to have that part working.

>
>> Domain users have uidNumbers north of 10k, gidNumber are >20k. Doesn't the classicupgrade function check if these are in order?
>> The errors in the /etc/hosts file were generated by my mail client. First line is as you said Rowland.
>>
>
> As long as your uidNumbers and gidNumbers are inside '10000-999999', it should work, but there may be a problem because you are using squeeze with 3.5.6. As you do not want to upgrade squeeze, could you use backports, this will get you 3.6.6.

Would that help? I remember trying the backports, but it didn't go smoothly.
Is it normal on 3.5.6. that samba -V is an unknown command? smbclient -V does work.
My intention of all this is to upgrade the current NT4 style domain to AD with as few changes as possible besides the DC itself. There are just a couple of other linux machines working as file servers, but most of them are on squeeze.
With only the installation/configuration of kerberos and winbind I could get them to join the domain and have the old shares working, but the DNS updates fail. The windows clients don't even notice the new DC, which is perfect!

>
>> The krb.conf was as long and ugly as the smb.conf, already cut most of it, but your 3 line example configuration did not work fully. With the following getting kerberos tickets and the domain join are still working.
>>
>
> It works for me on Linux Mint 17 (aka Ubuntu 14.04)
>
> What does 'pam-auth-update' show for authentication methods.
>

Unix authentication
Winbind NT/Active Directory authentication
LDAP Authentication
GNOME Keyring Daemon - Login keyring management
ConsoleKit Session Management

>
> Rowland
>

Thanks for the ongoing support!

>>
>> My krb5.conf:
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> [realms]
>> INTRANET.MAYWEG.NET = {
>> kdc = 192.168.11.250
>> admin_server = 192.168.11.250
>> default_domain = INTRANET.MAYWEG.NET
>> }
>>
>> [domain_realm]
>> .intranet.mayweg.net = INTRANET.MAYWEG.NET
>> intranet.mayweg.net = INTRANET.MAYWEG.NET
>>
>> On 20 March 2015 at 16:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>> On 20/03/15 14:49, Timo Altun wrote:
>>
>> Ok, I setup a new smb.conf and rebooted. Winbind doesn't seem to pass on the domain users anymore and the DNS Update during domain join still fails.
>> For some reason, although I have all samba 3.5.6. packages installed on this debian squeeze samba -V or samba-tool are unknown commands.
>> Maybe this is why the dns update fails, some missing tools or commands?
>>
>> Getting a bit lost now, I am sure that you were using Jessie ??
>>
>> wbinfo -u and wbinfo -g return domain users and groups correctly, getent passwd and getent group do not (did before the smb.conf changes).
>>
>> Do your users in AD have a uidNumber that is inside the range 10000-999999, also does Domain Users (at least) have a gidNumber inside the same range ?
>>
>> Yes, domain users have uidNumbers north of 10k, gidNumber are >20k. Doesn't the classicupgrade function check if these are in order?
>>
>> The bigger problem right now is the dns record for server13...for the user accounts I could always go back to the old and ugly smb.conf ;)
>> Will try to add/exchange some lines to create a working minimal configuration.
>> I added the rather simple hosts and resolv.conf files of server13 as well.
>>
>> The new smb.conf:
>> [global]
>>
>> netbios name = server13
>> workgroup = MAYWEG.NET
>>
>> security = ADS
>> realm = INTRANET.MAYWEG.NET
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config MAYWEG.NET:backend = ad
>> idmap config MAYWEG.NET:schema_mode = rfc2307
>> idmap config MAYWEG.NET:range = 10000-99999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>> [sda1]
>> comment = Laufwerk sda1 von Server13
>> path = /
>> valid users = administrator
>> admin users = administrator
>> read list
>> invalid users
>> case sensitive = no
>> ; msdfs proxy = no
>> read only = no
>> writable = yes
>> create mask = 0775
>> directory mask = 0775
>>
>> /etc/network/resolv.conf:
>> search intranet.mayweg.net
>> nameserver 192.168.11.250
>>
>> /etc/hosts:
>> 127.0.0.1 localhost.intranet.mayweg.net localhost
>> 192.168.11.141 server13.intranet.mayweg.net server13
>>
>> The top line should be '127.0.0.1 localhost.localdomain localhost'
>>
>> What is in /etc/krb5.conf ? it should be:
>>
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> Rowland
>>
>> ::1 ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> On 20 March 2015 at 12:23, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>> On 20/03/15 11:13, Timo Altun wrote:
>>
>> Hi guys,
>>
>> thanks again for the quick answers. First, the smb.conf on the linux fileserver. It is quite long, as I took the old file (working version from samba3 configuration) and only made adjustments, like adding the realm.
>>
>> /etc/samba/smb.conf:
>> [global]
>> ### Browsing/Identification ###
>>
>> workgroup = MAYWEG.NET
>> realm = INTRANET.MAYWEG.NET
>>
>> netbios name = server13
>> smb ports = 139, 445
>> hosts allow = 127. 192.168.11.
>> interfaces = eth0 lo
>> server string = SAMBA Fileserver
>> wins support = no
>> wins server = 192.168.11.250
>> name resolve order = host wins lmhosts bcast
>>
>> idmap uid = 15000-25000
>> idmap gid = 15000-25000
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind use default domain = yes
>> winbind offline logon = true
>> winbind cache time = 15
>>
>> #### Debugging/Accounting ####
>>
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>>
>> ####### Authentication #######
>>
>> security = domain
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>> pam password change = yes
>>
>> ########## Printing ##########
>>
>> load printers = yes
>> printing = cups
>> printcap name = cups
>>
>> ############ Misc ############
>>
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> restrict anonymous = no
>> domain master = no
>> local master = yes
>> preferred master = no
>> password server = 192.168.11.250
>> server signing = disabled
>> display charset = ISO8859-15
>> unix charset = ISO8859-15
>> dos charset = CP1250
>> read raw = yes
>> write raw = yes
>> oplocks = yes
>> level2oplocks = no
>> fake oplocks = no
>> debug level = 2
>> getwd cache = yes
>> keepalive = 30
>>
>> [sda1]
>> comment = Laufwerk sda1 von Server13
>> path = /
>> valid users = administrator
>> admin users = administrator
>> read list
>> invalid users
>> case sensitive = no
>> ; msdfs proxy = no
>> read only = no
>> writable = yes
>> create mask = 0775
>> directory mask = 0775
>>
>> Thanks for the dnstest script Louis, the output on the DC is:
>> ==========Test DNS Records =============================
>> Testing : dns entries
>> testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
>> testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
>> testing of : host -t A server06.intranet.mayweg.net. : ok
>>
>> On server13, the linux client:
>> ==========Test DNS Records =============================
>> Testing : dns entries
>> testing of : host -t SRV _ldap._tcp.intranet.mayweg.net. : ok
>> testing of : host -t SRV _kerberos._udp.intranet.mayweg.net. : ok
>> testing of : host -t A server13.intranet.mayweg.net. : FAILED
>>
>> The fixing part does not work on server13, as samba-tools (and maybe other packages) are not installed. I'll try to install the missing parts and will try again.
>> Am I right though, that as a domain member this should have worked automatically for the machine? When joining the domain using net ads join on server13 it does still give me "DNS update failed!".
>>
>> Greetings,
>> Timo
>>
>> On 20 March 2015 at 11:01, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>> can you run these commands and tell us the output.
>> ( copy paste it. )
>>
>> SETFQDN=`hostname -f`
>> SETDNSDOMAIN=`hostname -d`
>> SETHOSTNAME=`hostname -s`
>> SETSERVERIP=`hostname -i`
>> echo "==========Test DNS Records ==============================="
>> echo "Testing : dns entries"
>> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ];
>> then
>> echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>> else
>> echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>> fi
>> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep "not found" `" ]; then
>> echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok"
>> else
>> echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED"
>> fi
>> if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep "not found" `" ]; then
>> echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok"
>> else
>> echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED"
>> echo "trying to fix it now: "
>> samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${SETDNSDOMAIN} ${SETHOSTNAME} A ${SETSERVERIP}
>> fi
>>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Friday 20 March 2015 10:21
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)
>>
>> On 20/03/15 09:02, Timo Altun wrote:
>>
>> Thank you Louis for that answer! Actually I did get kinit and samba_dnsupdate working, though I am unsure how. I tried some changes to krb5.conf in the [realms] and [domain_realm] sections, as well as setting dns_lookup_realm = false to true, but reverted it all back to the initial file:
>>
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> After a reboot, both kinit and samba_dnsupdate worked on the host machine.
>> Shares can be accessed, RSAT tools are working. From the linux fileserver nslookup and ping work for hostnames of domainmembers, dig command does not get an answer. The windows machines can nslookup and ping everything but the linux machine. Somehow it did not generate an entry in the DNS Server.
>> Is this normal behavior for linux domain members and I need to create the DNS entry manually or is something still amiss?
>>
>> Greetings and thanks for the help so far,
>> Timo
>>
>> On 20 March 2015 at 08:42, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>> Try change your resolv.conf from :
>>
>> nameserver 127.0.0.1
>> domain intranet.mayweg.net
>>
>> to
>> nameserver 192.168.11.250
>> search intranet.mayweg.net
>>
>> The only thing I was unsure about, was which hostname to enter for Kerberos Server and Kerberos admin server when asked during the installation of the packages..
>>
>> Try these default settings for kerberos..
>> You didn't have to enter the hostname, Only the default kerberos Domain name is needed.
>>
>> a copy paste for you.
>>
>> echo "krb5-config krb5-config/add_servers_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>> echo "krb5-config krb5-config/read_conf boolean true" | debconf-set-selections
>> echo "krb5-config krb5-config/kerberos_servers string " | debconf-set-selections
>> echo "krb5-config krb5-config/default_realm string INTRANET.MAYWEG.NET" | debconf-set-selections
>> echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
>> echo "krb5-config krb5-config/admin_server string " | debconf-set-selections
>> echo "krb5-config krb5-config/dns_for_default boolean true" | debconf-set-selections
>> dpkg-reconfigure -plow krb5-config
>>
>> and if you want to point to a kerberos server.
>> echo "krb5-config krb5-config/kerberos_servers string server06.intranet.mayweg.net" | debconf-set-selections
>>
>> but it's not needed, man krb5.conf tells you enough.
>>
>> after the changes, type:
>> host -t SRV _kerberos._udp.intranet.mayweg.net
>>
>> if you get not found, then we need to analyze more.
>>
>> If you want to start with a "Clean server" just have a look here.
>>
>> https://secure.bazuin.nl/scripts/
>>
>> I added 2 simple scripts. a debian wheezy backported and debian jessie script.
>> The Jessie script is basically the wheezy backported version, but without the backports repo.
>> It's a set with minimal changes to the system, and use the defaults there where possible.
>>
>> If you look in the script, these settings MUST be set.
>> Settings you must change are :
>>
>> NTPD_SERVER1_EXTERNAL
>> NTPD_RESTRICT_INTERFACE ( if you don't have a eth0 )
>> BIND9_NETWORKS
>> SAMBA_DC1_IP
>> SAMBA_NT_DOMAIN
>> SAMBA_SITE_NAME
>>
>> optional:
>> SAMBA_PASS_POLICY_CHANGE
>> SAMBA_TEMPLATE_HOMEDIR
>> SAMBA_TEMPLATE_SHELL
>>
>> and as last :
>> CONFIGURED
>>
>> All other options are optional.
>> If you have a different dns domain name and kerberos domain. you must change that.. etc..
>>
>> Greetz,
>>
>> Louis
>>
>> -----Original message-----
>> From: olol13.samba at the-1337.org [mailto:samba-bounces at lists.samba.org] On behalf of Timo Altun
>> Sent: Friday 20 March 2015 0:04
>> To: Peter Serbe; samba at lists.samba.org; Rowland Penny - repenny241155 at gmail.com
>> Subject: Re: [Samba] Fwd: Dynamic DNS Updates not working. samba_dnsupdate : (sambalist: message 3 of 20) RuntimeError: (sambalist: to exclusive) kinit for [DC at Realm] failed (Cannot contact any KDC for requested realm)
>>
>> Ok, I setup a new machine with Debian Jessie and checked and installed everything from OS requirements in the wiki ( https://wiki.samba.org/index.php/OS_Requirements ).
>> The only thing I was unsure about, was which hostname to enter for Kerberos Server and Kerberos admin server when asked during the installation of the packages...I used krb.intranet.mayweg.net.
>> Now, after the classicupgrade kinit isn't working anymore...I get the same error I get when trying samba_dnsupdate:
>> kinit: Cannot contact any KDC for realm 'INTRANET.MAYWEG.NET' while getting initial credentials.
>>
>> One step I did not do as stated in the wiki is configuring bind with --with-gssapi=/usr/include/gssapi --with-dlopen=yes.
>> Once again the dlopen driver seems to work in this version, but I have no idea about the first part. Should I build bind myself with the first option?
>> @Rowland, did you have a working bind installation before you upgraded/provisioned your domain?
>>
>> @Peter There is no file called namedb in /etc/bind, but the whole folder is writeable for user bind.
>>
>> My configs, now mostly adapted from Rowland's working configuration are:
>>
>> /etc/network/interfaces:
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>> address 192.168.11.250
>> network 192.168.11.0
>> netmask 255.255.255.0
>> broadcast 192.168.11.255
>>
>> /etc/hosts:
>> 127.0.0.1 localhost
>> 192.168.11.250 server06.intranet.mayweg.net server06 krb
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> /etc/resolv.conf:
>> nameserver 127.0.0.1
>> domain intranet.mayweg.net
>>
>> /etc/bind/named.conf:
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> /etc/bind/named.conf.options:
>> options {
>> directory "/var/cache/bind";
>> dnssec-validation no;
>> auth-nxdomain no; # conform to RFC1035
>> listen-on-v6 { any; };
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> /var/lib/samba/private/named.conf:
>> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>
>> /etc/krb5.conf:
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> /etc/samba/smb.conf:
>> # Global parameters
>> [global]
>> workgroup = MAYWEG.NET
>> realm = INTRANET.MAYWEG.NET
>> netbios name = SERVER06
>> interfaces = lo, eth0
>> bind interfaces only = Yes
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> On 19 March 2015 at 15:31, Peter Serbe <peter at serbe.ch> wrote:
>>
>> Timo Altun wrote on 19.03.2015 10:30:
>>
>> As I wrote in my first mail, Kerberos does work. I can successfully request and list a ticket on the AD DC.
>>
>> OK, then next things, which come to my mind are:
>> is the keytab, you set in named.conf.options readable for the user, under which bind is run.
>>
>> Then, is the /etc/bind/namedb writable for bind.
>>
>> And in the end, it might be a screwed up installation.
>> I had troubles with dynamic updates a long time ago, when it turned out, that I screwed something up during the installation.
>>
>> HTH
>> - Peter
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>> Can you post the smb.conf from the linux fileserver
>>
>> Rowland
>>
>> OK, too much wrong in that smb.conf to mention, go and have a look here:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>>
Rowland Penny
2015-Mar-20 17:11 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
On 20/03/15 16:56, Timo Altun wrote:
> On 20 March 2015 at 17:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> On 20/03/15 15:47, Timo Altun wrote:
>
> I'm sorry it got confusing, changed the topic and I'll try to explain. I am using Jessie on the DC. Server13 is a linux file server and domain member, it is on squeeze. If possible, I do not want to upgrade it. The problem here is, that it does not seem to generate a DNS record when joining the domain and, after setting up the new smb.conf, the users aren't passed on from winbind to the local authentication tools. It also caused the single share I set up in the smb.conf to be inaccessible by user administrator. Maybe something with the keytab file is not working.
>
> You were confused :-D
>
> And I most definitely still am :)
> In general, am I right, that Kerberos is working as intended, when I am able to get tickets?
> Further, my old smb.conf used security = domain and no keytab...might this be the reason for the winbind users not being transferred?
> Maybe it's also necessary for DNS updates to have that part working.
>

Was your old domain server an NT-4 style PDC ? you didn't use kerberos with this type of server. Now that you are using a Samba4 AD DC, you have to use 'security = ADS' and keytabs, the main keytab (usually /etc/krb5.keytab) is created for you when you run 'net ads join -U Administrator', the join should create the dns record for the client but sometimes it doesn't. This is not a problem, you just have to create them manually on the DC with 'samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>'. See 'samba-tool dns add --help' for more info.

Having said all that, one thing that I don't think has been raised yet, how did you install samba on the DC ?

Rowland
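A member-side DNS check in the spirit of Louis's dnstest script quoted earlier and of Rowland's manual 'samba-tool dns add', added here as an example and not code from the thread or from Samba. It classifies 'host' output by positive match (so a name that exists but has no A record, which a grep for 'not found' would report as ok, is flagged), takes the DC name from the _ldap._tcp SRV answer, and prints the A and PTR commands for the admin to review on the DC instead of running them. The hostnames and addresses are the thread's own; the check_member_dns wrapper, its --check flag and the /24 reverse zone are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Louis's dnstest script greps the
# output of 'host' for 'not found', which misses the NODATA answer
# "<name> has no A record": the name exists but carries no record of that
# type, so the join still did not register the host. Here each answer is
# classified by a positive match, and the fix-up commands are printed for
# review on the DC rather than executed.

# classify_host_output TYPE "<full output of: host -t TYPE name.>"
# Prints one of: present | nodata | nxdomain | unreachable | unknown
classify_host_output() {
    _type=$1
    _out=$2
    case "$_type" in
        A)    _want="has address" ;;
        AAAA) _want="has IPv6 address" ;;
        PTR)  _want="domain name pointer" ;;
        *)    _want="has $_type record" ;;
    esac
    case "$_out" in
        *"$_want"*)                                   echo present ;;
        *"has no $_type record"*)                     echo nodata ;;
        *"NXDOMAIN"*)                                 echo nxdomain ;;
        *"SERVFAIL"*|*"no servers could be reached"*) echo unreachable ;;
        *)                                            echo unknown ;;
    esac
}

# srv_target "<output of: host -t SRV _ldap._tcp.DOMAIN.>"
# Prints the target of the first SRV record without its trailing dot; that is
# the DC which 'samba-tool dns add <server> ...' should be pointed at.
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# dns_add_commands DC ZONE SHORTNAME IPV4
# Prints the forward (A) and reverse (PTR) commands in the syntax from
# Rowland's reply. Assumes the /24 reverse zone already exists on the DC.
dns_add_commands() {
    _dc=$1; _zone=$2; _name=$3; _ip=$4
    _o1=${_ip%%.*}; _r=${_ip#*.}
    _o2=${_r%%.*};  _r=${_r#*.}
    _o3=${_r%%.*};  _o4=${_r#*.}
    echo "samba-tool dns add $_dc $_zone $_name A $_ip -U Administrator"
    echo "samba-tool dns add $_dc $_o3.$_o2.$_o1.in-addr.arpa $_o4 PTR $_name.$_zone -U Administrator"
}

# check_member_dns IPV4: the live checks, run on the member server itself.
# The address is passed explicitly because 'hostname -i' returns 127.0.1.1
# with a default Debian /etc/hosts. (Assumed helper, not from the thread.)
check_member_dns() {
    _ip=${1:?usage: check_member_dns IPV4}
    _domain=$(hostname -d); _short=$(hostname -s)
    _srv=$(host -t SRV "_ldap._tcp.$_domain." 2>&1)
    _dc=$(srv_target "$_srv")
    echo "_ldap._tcp SRV     : $(classify_host_output SRV "$_srv") (DC: ${_dc:-none})"
    echo "_kerberos._udp SRV : $(classify_host_output SRV "$(host -t SRV "_kerberos._udp.$_domain." 2>&1)")"
    _a=$(classify_host_output A "$(host -t A "$_short.$_domain." 2>&1)")
    echo "$_short A record   : $_a"
    if [ "$_a" != present ] && [ -n "$_dc" ]; then
        echo "Missing forward record; run on the DC after checking the values:"
        dns_add_commands "$_dc" "$_domain" "$_short" "$_ip"
    fi
}

# Run live only when invoked as: sh dnscheck.sh --check 192.168.11.141
if [ "${1:-}" = "--check" ]; then
    check_member_dns "$2"
fi
```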
Timo Altun
2015-Mar-20 18:28 UTC
[Samba] Debian Jessie AD DC w. BIND9 : DNS update fails for debian squeezy member server
Yes, it was/is an NT-4 style PDC with Samba 3.2.5 on lenny. I did a clean install of jessie and installed samba 4.1.17 from jessie repositories. Is there a better way?
Strangely the domain join, shares and users did work before on the squeezy member against the Samba4 AD DC with security = domain and no keytab defined, nor created. The only thing that didn't work, was setting the dns record during 'net ads join -Uadministrator'.
I'll probably go back to the old, ugly, overloaded smb.conf, so that I have the users working and add the dns entries manually for the other linux machines.

Greetings,
Timo

On 20 March 2015 at 18:11, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 20/03/15 16:56, Timo Altun wrote:
>
>> On 20 March 2015 at 17:00, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>> On 20/03/15 15:47, Timo Altun wrote:
>>
>> I'm sorry it got confusing, changed the topic and I'll try to explain. I am using Jessie on the DC. Server13 is a linux file server and domain member, it is on squeeze. If possible, I do not want to upgrade it. The problem here is, that it does not seem to generate a DNS record when joining the domain and, after setting up the new smb.conf, the users aren't passed on from winbind to the local authentication tools. It also caused the single share I set up in the smb.conf to be inaccessible by user administrator. Maybe something with the keytab file is not working.
>>
>> You were confused :-D
>>
>> And I most definitely still am :)
>> In general, am I right, that Kerberos is working as intended, when I am able to get tickets?
>> Further, my old smb.conf used security = domain and no keytab...might this be the reason for the winbind users not being transferred?
>> Maybe it's also necessary for DNS updates to have that part working.
>>
>
> Was your old domain server an NT-4 style PDC ? you didn't use kerberos with this type of server. Now that you are using a Samba4 AD DC, you have to use 'security = ADS' and keytabs, the main keytab (usually /etc/krb5.keytab) is created for you when you run 'net ads join -U Administrator', the join should create the dns record for the client but sometimes it doesn't. This is not a problem, you just have to create them manually on the DC with 'samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>'. See 'samba-tool dns add --help' for more info.
>
> Having said all that, one thing that I don't think has been raised yet, how did you install samba on the DC ?
>
> Rowland