Hi There,

I have an odd issue with my samba4 infrastructure, I have two servers both replicating fine.
DC1 passes all tests documented here:
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
Except the following test:

# kinit administrator
# kinit: krb5_get_init_creds: Client (administrator@DOMAIN.NAME.COM.AU) unknown

And in the logs I have found the following:

# kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in Kerberos database)

SERVER1 is my DC1, not sure why it has a $ right before the @, is this normal?
I get the same error when running

# samba_dnsupdate --verbose --all-names
IPs: ['0.0.0.0'] -> shows the real DC1 ip address
Traceback (most recent call last):
  File "/usr/local/sbin/samba_dnsupdate", line 621, in <module>
    get_credentials(lp)
  File "/usr/local/sbin/samba_dnsupdate", line 125, in get_credentials
    raise e
RuntimeError: kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in Kerberos database)

Not sure if this is useful but I have run:

# samba_dnsupdate --verbose --all-names --no-credentials

Calling nsupdate for A server1.domain.name.com.au 0.0.0.0 (add) -> Both lines don't show 0.0.0.0 it shows the real ip address
Failed nsupdate: A server1.domain.name.com.au 0.0.0.0 : [Errno 2] No such file or directory

And it keeps trying to find those files all with the same error:
[Errno 2] No such file or directory

Calling nsupdate for A gc._msdcs.a
Calling nsupdate for SRV _gc._tcp.

Last thing that I found
On DC1
# ps ax | grep samba
38636 - Is 0:00.40 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
38637 - I 0:00.00 samba: task[s3fs_parent] (samba)
38638 - S 0:27.24 samba: task[dcesrv] (samba)
38640 - I 0:00.01 samba: task wrepl server_id[38640] (samba)
38641 - I 0:08.63 samba: task[ldapsrv] (samba)
38642 - S 0:00.07 samba: task[cldapd] (samba)
38644 - S 1:04.27 samba: task[dreplsrv] (samba)
38645 - I 0:00.00 samba: task[winbindd_parent] (samba)
38646 - I 0:00.01 samba: task[ntp_signd] (samba)
38648 - I 0:03.79 samba: task[kccsrv] (samba)
38649 - S 0:00.89 samba: task[dnsupdate] (samba)
38650 - I 0:04.54 samba: task[dns] (samba)

on DC2
# ps ax | grep samba
11108 - Ss 0:00.41 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
11109 - I 0:00.00 samba: task[s3fs_parent] (samba)
11110 - S 0:02.74 samba: task[dcesrv] (samba)
11112 - S 0:00.00 samba: task wrepl server_id[11112] (samba)
11113 - I 0:01.77 samba: task[ldapsrv] (samba)
11114 - S 0:00.19 samba: task[cldapd] (samba)
11115 - I 0:00.44 samba: task[kdc] (samba)
11116 - S 0:01.07 samba: task[dreplsrv] (samba)
11117 - I 0:00.00 samba: task[winbindd_parent] (samba)
11118 - S 0:00.00 samba: task[ntp_signd] (samba)
11120 - I 0:00.43 samba: task[kccsrv] (samba)
11121 - S 0:00.04 samba: task[dnsupdate] (samba)
11122 - S 0:00.01 samba: task[dns] (samba)

As you can see task[kdc] (samba) is not running on DC1, I'm pretty sure this is something to do with my issues, but not sure how to fix this, I appreciate your help and thanks in advance for reading this.

Regards,
--
Juan Garcia
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
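The comparison made by eye in the post above, as an added example that is not part of the original message: a shell helper that pulls the task names out of "ps ax" output and lists those the reference DC runs and the other DC does not. It assumes the process-title format shown in the listings; the sample lines are constructed, abridged from those listings.

```shell
#!/bin/sh
# Added example: find Samba service tasks that one DC runs and another does not.
# Assumes process titles of the form "samba: task[NAME] (samba)" as in the post.

# Read `ps ax` output on stdin, print sorted unique task names.
# Lines without "task[NAME]" (the wrepl task, the parent daemon) are skipped.
samba_tasks() {
    sed -n 's/.*samba: task\[\([^]]*\)].*/\1/p' | sort -u
}

# Args: file with the reference DC's ps output, file with the suspect DC's.
# Prints every task present on the reference but missing on the suspect.
missing_tasks() {
    ref=$(mktemp) && sus=$(mktemp) || return 1
    samba_tasks < "$1" > "$ref"
    samba_tasks < "$2" > "$sus"
    comm -23 "$ref" "$sus"
    rm -f "$ref" "$sus"
}

# Constructed sample input (abridged from the DC1 listing).
sample_dc1() { cat <<'EOF'
38637 - I 0:00.00 samba: task[s3fs_parent] (samba)
38640 - I 0:00.01 samba: task wrepl server_id[38640] (samba)
38641 - I 0:08.63 samba: task[ldapsrv] (samba)
38650 - I 0:04.54 samba: task[dns] (samba)
EOF
}

# Constructed sample input (abridged from the DC2 listing).
sample_dc2() { cat <<'EOF'
11109 - I 0:00.00 samba: task[s3fs_parent] (samba)
11112 - S 0:00.00 samba: task wrepl server_id[11112] (samba)
11113 - I 0:01.77 samba: task[ldapsrv] (samba)
11115 - I 0:00.44 samba: task[kdc] (samba)
11122 - S 0:00.01 samba: task[dns] (samba)
EOF
}

# DC2 is the reference, DC1 the suspect.
demo() {
    d=$(mktemp -d) || return 1
    sample_dc2 > "$d/dc2"; sample_dc1 > "$d/dc1"
    missing_tasks "$d/dc2" "$d/dc1"
    rm -rf "$d"
}
demo
```

On real hosts, save "ps ax" from each DC to a file and pass the two files to missing_tasks.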
On 22/03/16 05:24, Juan Garcia wrote:
> Hi There,
>
> I have an odd issue with my samba4 infrastructure, I have two servers
> both replicating fine.
> DC1 passes all tests documented here:
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
> Except the following test:
>
> # kinit administrator
> # kinit: krb5_get_init_creds: Client
> (administrator@DOMAIN.NAME.COM.AU) unknown

The wiki page says run 'kinit administrator@DOMAIN.NAME.COM.AU', does this work ?
What is in /etc/krb5.conf ?

What is in /etc/resolv.conf ?
Does each DC use the other for DNS ?

Can you post your smb.conf files ?

Rowland

>
> And in the logs I have found the following:
>
> # kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in
> Kerberos database) SERVER1 is my DC1, not sure why it has a $ right
> before the @ is this normal?
> I get the same error when running
>
> # samba_dnsupdate --verbose --all-names
> IPs: ['0.0.0.0'] -> shows the real DC1 ip address
> Traceback (most recent call last):
> File "/usr/local/sbin/samba_dnsupdate", line 621, in <module>
> get_credentials(lp)
> File "/usr/local/sbin/samba_dnsupdate", line 125, in get_credentials
> raise e
> RuntimeError: kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not
> found in Kerberos database)
>
> Not sure if this is useful but I have run:
>
> # samba_dnsupdate --verbose --all-names --no-credentials
>
> Calling nsupdate for A server1.domain.name.com.au 0.0.0.0 (add) ->
> Both lines don't show 0.0.0.0 it shows the real ip address
> Failed nsupdate: A server1.domain.name.com.au 0.0.0.0 : [Errno 2] No
> such file or directory
>
> And it keeps trying to find those files all with the same error:
> [Errno 2] No such file or directory
>
> Calling nsupdate for A gc._msdcs.a
> Calling nsupdate for SRV _gc._tcp.
>
> Last thing that I found
> On DC1
> # ps ax | grep samba
> 38636 - Is 0:00.40 /usr/local/sbin/samba --daemon
> --configfile=/usr/local/etc/smb4.conf
> 38637 - I 0:00.00 samba: task[s3fs_parent] (samba)
> 38638 - S 0:27.24 samba: task[dcesrv] (samba)
> 38640 - I 0:00.01 samba: task wrepl server_id[38640] (samba)
> 38641 - I 0:08.63 samba: task[ldapsrv] (samba)
> 38642 - S 0:00.07 samba: task[cldapd] (samba)
> 38644 - S 1:04.27 samba: task[dreplsrv] (samba)
> 38645 - I 0:00.00 samba: task[winbindd_parent] (samba)
> 38646 - I 0:00.01 samba: task[ntp_signd] (samba)
> 38648 - I 0:03.79 samba: task[kccsrv] (samba)
> 38649 - S 0:00.89 samba: task[dnsupdate] (samba)
> 38650 - I 0:04.54 samba: task[dns] (samba)
>
> on DC2
> # ps ax | grep samba
> 11108 - Ss 0:00.41 /usr/local/sbin/samba --daemon
> --configfile=/usr/local/etc/smb4.conf
> 11109 - I 0:00.00 samba: task[s3fs_parent] (samba)
> 11110 - S 0:02.74 samba: task[dcesrv] (samba)
> 11112 - S 0:00.00 samba: task wrepl server_id[11112] (samba)
> 11113 - I 0:01.77 samba: task[ldapsrv] (samba)
> 11114 - S 0:00.19 samba: task[cldapd] (samba)
> 11115 - I 0:00.44 samba: task[kdc] (samba)
> 11116 - S 0:01.07 samba: task[dreplsrv] (samba)
> 11117 - I 0:00.00 samba: task[winbindd_parent] (samba)
> 11118 - S 0:00.00 samba: task[ntp_signd] (samba)
> 11120 - I 0:00.43 samba: task[kccsrv] (samba)
> 11121 - S 0:00.04 samba: task[dnsupdate] (samba)
> 11122 - S 0:00.01 samba: task[dns] (samba)
>
> As you can see task[kdc] (samba) is not running on DC1, I'm pretty
> sure this is something to do with my issues, but not sure how to fix
> this, I appreciate your help and thanks in advance for reading this.
>
> Regards,
Hi Juan,

I reply below but the information requested by Rowland is still needed (or at least it will be helpful).

2016-03-22 8:44 GMT+01:00 Rowland penny <rpenny at samba.org>:
> On 22/03/16 05:24, Juan Garcia wrote:
>
>> Hi There,
>>
>> I have an odd issue with my samba4 infrastructure, I have two servers
>> both replicating fine.
>> DC1 passes all tests documented here:
>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>> Except the following test:
>>
>> # kinit administrator
>> # kinit: krb5_get_init_creds: Client (administrator@DOMAIN.NAME.COM.AU)
>> unknown
>>
>
> The wiki page says run 'kinit administrator@DOMAIN.NAME.COM.AU', does
> this work ?
> What is in /etc/krb5.conf ?
>
> What is in /etc/resolv.conf ?
> Does each DC use the other for DNS ?
>
> Can you post your smb.conf files ?
>
> Rowland
>
>> And in the logs I have found the following:
>>
>> # kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in
>> Kerberos database) SERVER1 is my DC1, not sure why it has a $ right before
>> the @ is this normal?
>> I get the same error when running
>>
>> # samba_dnsupdate --verbose --all-names
>> IPs: ['0.0.0.0'] -> shows the real DC1 ip address
>> Traceback (most recent call last):
>> File "/usr/local/sbin/samba_dnsupdate", line 621, in <module>
>> get_credentials(lp)
>> File "/usr/local/sbin/samba_dnsupdate", line 125, in get_credentials
>> raise e
>> RuntimeError: kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not
>> found in Kerberos database)
>>
>> Not sure if this is useful but I have run:
>>
>> # samba_dnsupdate --verbose --all-names --no-credentials
>>
>> Calling nsupdate for A server1.domain.name.com.au 0.0.0.0 (add) -> Both
>> lines don't show 0.0.0.0 it shows the real ip address
>> Failed nsupdate: A server1.domain.name.com.au 0.0.0.0 : [Errno 2] No
>> such file or directory
>>
>> And it keeps trying to find those files all with the same error:
>> [Errno 2] No such file or directory
>>
>> Calling nsupdate for A gc._msdcs.a
>> Calling nsupdate for SRV _gc._tcp.
>>
>> Last thing that I found
>> On DC1
>> # ps ax | grep samba
>> 38636 - Is 0:00.40 /usr/local/sbin/samba --daemon
>> --configfile=/usr/local/etc/smb4.conf
>> 38637 - I 0:00.00 samba: task[s3fs_parent] (samba)
>> 38638 - S 0:27.24 samba: task[dcesrv] (samba)
>> 38640 - I 0:00.01 samba: task wrepl server_id[38640] (samba)
>> 38641 - I 0:08.63 samba: task[ldapsrv] (samba)
>> 38642 - S 0:00.07 samba: task[cldapd] (samba)
>> 38644 - S 1:04.27 samba: task[dreplsrv] (samba)
>> 38645 - I 0:00.00 samba: task[winbindd_parent] (samba)
>> 38646 - I 0:00.01 samba: task[ntp_signd] (samba)
>> 38648 - I 0:03.79 samba: task[kccsrv] (samba)
>> 38649 - S 0:00.89 samba: task[dnsupdate] (samba)
>> 38650 - I 0:04.54 samba: task[dns] (samba)
>>
>> on DC2
>> # ps ax | grep samba
>> 11108 - Ss 0:00.41 /usr/local/sbin/samba --daemon
>> --configfile=/usr/local/etc/smb4.conf
>> 11109 - I 0:00.00 samba: task[s3fs_parent] (samba)
>> 11110 - S 0:02.74 samba: task[dcesrv] (samba)
>> 11112 - S 0:00.00 samba: task wrepl server_id[11112] (samba)
>> 11113 - I 0:01.77 samba: task[ldapsrv] (samba)
>> 11114 - S 0:00.19 samba: task[cldapd] (samba)
>> 11115 - I 0:00.44 samba: task[kdc] (samba)
>> 11116 - S 0:01.07 samba: task[dreplsrv] (samba)
>> 11117 - I 0:00.00 samba: task[winbindd_parent] (samba)
>> 11118 - S 0:00.00 samba: task[ntp_signd] (samba)
>> 11120 - I 0:00.43 samba: task[kccsrv] (samba)
>> 11121 - S 0:00.04 samba: task[dnsupdate] (samba)
>> 11122 - S 0:00.01 samba: task[dns] (samba)
>>
>> As you can see task[kdc] (samba) is not running on DC1, I'm pretty sure
>> this is something to do with my issues, but not sure how to fix this, I
>> appreciate your help and thanks in advance for reading this.
>>

KDC is the Key Distribution Center from Kerberos, so I think as you do: the issue could come from there.

You can force your client to use DC2 to verify the issue comes from DC1 only. You will have to force usage of DC2 in your krb5.conf (no example from my side so you will need to look for an example by yourself :)

As useful information you could also tell us if you use the internal DNS or the Bind-DLZ DNS backend. That's important.

About samba_dnsupdate: using --no-credentials:
About the DNS updates issue on _gc._tcp: no idea.
About the DNS updates issue on the _msdcs zone: you must be authenticated to modify that zone.

Using "testparm -v | grep nsupdate" you should see how your samba server is configured regarding how it sends DNS updates.

Using vi on samba_dnsupdate, commenting around line 408 (unlink(tmp) or something like that) you will find /tmp/tmp* files containing nsupdate commands. These files are generated by samba_dnsupdate and used by nsupdate. Then you will be able to launch updates manually, for debugging or at least understanding better.

And be back here with more information : )

Cheers,

mathias

>> Regards,
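One way to run the "force the client to use DC2" check suggested in the reply above, as an added example that is not part of the original thread: the script writes a private krb5.conf listing a single KDC and runs kinit against it through the KRB5_CONFIG and KRB5CCNAME environment variables, so /etc/krb5.conf and any existing ticket cache stay untouched. The realm is the one from the thread; the host name server2.domain.name.com.au for DC2 is an assumption.

```shell
#!/bin/sh
# Added example: test one KDC at a time with a private, pinned krb5.conf.
# The DC host name passed in is an assumption, not taken from the thread.

# Emit a minimal krb5.conf that lists exactly one KDC for the realm
# and turns off DNS-based KDC discovery.
pinned_krb5_conf() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')  # realms are upper case
    kdc_host=$2
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    $realm = {
        kdc = $kdc_host
    }
EOF
}

# Request a ticket from that KDC only. Uses a throwaway config and
# credential cache; returns kinit's exit status.
probe_kdc() {
    principal=$3
    workdir=$(mktemp -d) || return 1
    pinned_krb5_conf "$1" "$2" > "$workdir/krb5.conf"
    KRB5_CONFIG="$workdir/krb5.conf" KRB5CCNAME="FILE:$workdir/cc" \
        kinit "$principal"
    status=$?
    rm -rf "$workdir"
    return $status
}

# Usage: sh probe_kdc.sh DOMAIN.NAME.COM.AU server2.domain.name.com.au administrator
if [ "$#" -eq 3 ]; then
    probe_kdc "$1" "$2" "$3"
fi
```

Running it once per DC host name shows whether the "Client ... unknown" error follows DC1 only.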