Hi again all,
As mentioned before, I am using Samba 4's internal DNS but even so, I
think I have issues with DNS or Kerberos. The only strange thing is the
UK side works the same as it always has and the India side "kind of"
works.
What works:
* If I add users etc to AD they appear on my India server.
* I can join the domain in India
* Adding a DC in India, it appears in AD under the Domain Controllers
as you would expect
What doesn't work:
* Even though the India DCs are in Active Directory they are not in the
DNS entries e.g.
$ host -t SRV _ldap._tcp.int.thevoiceasia.com.
I only get listings for 2 UK servers and the Old India server (it is
still there even though it was demoted properly and is no longer in AD)
* I get kerberos errors in the samba logs like this:
[2016/01/29 15:23:25.833496, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ ukpcw019$@INT.THEVOICEASIA.COM from
ipv4:10.43.10.144:49339 for
cifs/ukads001.int.thevoiceasia.com at INT.THEVOICEASIA.COM [canonicalize,
renewable, forwardable]
[2016/01/29 15:23:25.836150, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Searching referral for ukads001.int.thevoiceasia.com
[2016/01/29 15:23:25.836219, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Server not found in database:
cifs/ukads001.int.thevoiceasia.com at INT.THEVOICEASIA.COM: no such entry
found in hdb
[2016/01/29 15:23:25.836262, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed building TGS-REP to ipv4:10.43.10.144:49339
[2016/01/29 15:23:25.836295, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: tgs-req: sending error: -1765328377 to client
* If I turn off IPv6, samba_dnsupdate fails even in the UK like this:
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
Minor code may provide more information, Minor = Server not found in
Kerberos database.
Failed nsupdate: 1
Failed update of 4 entries
Sincere apologies for list spamming, if anyone needs more information
please let me know.
Thanks,
Wayne
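The SRV lookup above is the quickest way to see which DCs the AD zone actually advertises. The script below is an added example for this thread, not code from the original posts or from the Samba project: it parses `host -t SRV` output and reports DCs that are expected but missing from DNS, and DNS targets that no longer correspond to a DC (the stale, demoted server case). The sample `host` output and the DC names other than ukads001 are constructed placeholders; in real use, replace SAMPLE_SRV with the live output of `host -t SRV "_ldap._tcp.${REALM}."` (the parser also accepts `_kerberos._tcp` SRV output, since it only keys on the "has SRV record" line format).

```shell
#!/bin/sh
# Added example, not part of the original thread or of Samba itself.
# Checks the DC list advertised in the AD DNS zone against the DCs that
# should be there. REALM, EXPECTED_DCS and SAMPLE_SRV are assumptions.

REALM="int.thevoiceasia.com"

# DCs that are really in AD right now (placeholder names apart from ukads001).
EXPECTED_DCS='ukads001.int.thevoiceasia.com
ukads002.int.thevoiceasia.com
inads002.int.thevoiceasia.com'

# Constructed stand-in for:  host -t SRV "_ldap._tcp.${REALM}."
# Mimics the situation in the thread: two UK DCs plus a stale, already
# demoted India DC (inads001), while the new India DC (inads002) is absent.
SAMPLE_SRV='_ldap._tcp.int.thevoiceasia.com has SRV record 0 100 389 ukads001.int.thevoiceasia.com.
_ldap._tcp.int.thevoiceasia.com has SRV record 0 100 389 ukads002.int.thevoiceasia.com.
_ldap._tcp.int.thevoiceasia.com has SRV record 0 100 389 inads001.int.thevoiceasia.com.'

# Print the SRV targets from host(1) output: last field of each
# "has SRV record" line, trailing dot removed, lower-cased, sorted, unique.
srv_targets() {
    printf '%s\n' "$1" |
        awk '/has SRV record/ { sub(/\.$/, "", $NF); print tolower($NF) }' |
        sort -u
}

# $1: newline-separated expected DC FQDNs
# $2: host -t SRV output
# Prints "MISSING <fqdn>" for DCs with no SRV record and "STALE <fqdn>" for
# SRV targets that are not (or no longer) DCs. Prints nothing when consistent.
check_dcs() {
    expected=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sort -u)
    found=$(srv_targets "$2")
    for h in $expected; do
        printf '%s\n' "$found" | grep -qx "$h" || printf 'MISSING %s\n' "$h"
    done
    for h in $found; do
        printf '%s\n' "$expected" | grep -qx "$h" || printf 'STALE %s\n' "$h"
    done
}

# Stand-alone run against the constructed sample.
check_dcs "$EXPECTED_DCS" "$SAMPLE_SRV"
```

A MISSING line means the DC's own `samba_dnsupdate` has not registered its records (exactly what the GSSAPI "Server not found in Kerberos database" failure above would cause), so that DC's Kerberos and DNS setup is the place to look; a STALE line is a record left behind by a demotion that can be removed with `samba-tool dns delete` once you have confirmed the host is really gone.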
On 2016-01-28 23:26, Wayne Merricks wrote:
> Possibly but then that would mean DNS is working for IPv6 but not for
> v4. I'll look into the DNS side, I'm more familiar with Bind than I
> am with Samba's internal DNS so time for more reading.
>
> Thanks,
>
> Wayne
>
> On 2016-01-28 22:07, Rowland penny wrote:
>> On 28/01/16 21:32, Wayne Merricks wrote:
>>> Apologies, managed to venture onto the dreaded 2nd page of Google
>>> and found an answer.
>>>
>>> If anyone gets stuck add --server to the end of the command and
>>> this points samba-tool directly to the DC you wish to use for
>>> joining.
>>>
>>> E.g. my dc of ukads001.int.thevoiceasia.com makes this command:
>>>
>>> sudo samba-tool domain join int.thevoiceasia.com DC -Uadministrator
>>> --realm=int.thevoiceasia.com
>>>
>>> into
>>>
>>> sudo samba-tool domain join int.thevoiceasia.com DC -Uadministrator
>>> --realm=int.thevoiceasia.com --server ukads001.int.thevoiceasia.com
>>>
>>> If anyone knows why this is necessary without IPv6 I would be
>>> interested in the answer.
>>>
>>> Apologies for any time wasting.
>>>
>>>
>>> On 2016-01-28 21:17, Wayne Merricks wrote:
>>>> Hi James,
>>>>
>>>> Command to join:
>>>>
>>>> sudo samba-tool domain join int.thevoiceasia.com DC -Uadministrator
>>>> --realm=int.thevoiceasia.com
>>>>
>>>> I can reproduce the problem in the UK and it seems to be something
>>>> to do with IPv6. As far as I'm aware, although my network switches
>>>> support IPv6, I have never set it up.
>>>>
>>>> I have disabled IPv6 addresses on all the DCs a few days ago. I
>>>> suppose it is possible part of my original domain set up harbours
>>>> some IPv6 shenanigans but it certainly isn't intended.
>>>>
>>>> To reproduce:
>>>>
>>>> New UK Server with IPv6 enabled even though my DCs themselves
>>>> report
>>>> no IPv6 addresses (default state):
>>>>
>>>> All OK
>>>>
>>>> New UK Server with IPv6 disabled:
>>>>
>>>> ERROR(exception): uncaught exception - Failed to find a writeable
>>>> DC for domain 'int.thevoiceasia.com'
>>>>
>>>> Does anyone know how I stop IPv6 being used on join?
>>>>
>>>> Regards,
>>>>
>>>> Wayne
>>>>
>>>> On 2016-01-28 18:23, James wrote:
>>>>> On 1/28/2016 12:53 PM, Wayne Merricks wrote:
>>>>>> Failed to find a writeable DC for domain
>>>>> What is the command you are using to join? Have you done any DNS
>>>>> testing to confirm you can find the DC you wish to join?
>>>>>
>>>>> -- -James
>>>
>>>
>>
>> I don't think this has anything to do with ipv6, I just think that it
>> is a dns problem. If you don't tell the join command which DC to join
>> to, it will have to search for one and if this fails, you get the
>> error message you did.
>>
>> Rowland