Daniele Manfredi
2016-Mar-22 13:35 UTC
[Samba] Samba4 - Cannot contact any KDC for requested realm
Good afternoon,
I have installed a fileserver with samba4 environment.
This is configured to work as AD-DC even if I only use it as a fileserver (at the moment).
All seems to work fine but, every 10 minutes, the log prints these messages:

Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557554, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557717, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 614, in <module>
Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557790, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557825, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 125, in get_credentials
Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557867, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: raise e
Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557896, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for FILESERVER$@MYDOMAIN.IT failed (Cannot contact any KDC for requested realm)
Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557967, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate:

Following, some configuration files that may help you to understand the problem.

/etc/krb5.conf and /usr/local/samba/private/krb5.conf:

[libdefaults]
    default_realm = MYDOMAIN.IT
    dns_lookup_realm = false
    dns_lookup_kdc = true

smb.conf

# Global parameters
[global]
    realm = mydomain.it
    server role = active directory domain controller
    server services = -dns
    printcap name = /dev/null
    unix extensions = no
    printing = bsd
    dns forwarder = 8.8.8.8
    workgroup = MYDOMAIN
    os level = 255
    interfaces = 192.168.0.221/255.255.255.0
    load printers = no
    netbios name = FILESERVER
    winbind use default domain = yes
    winbind trusted domains only = no

Thank you in advance for your help.
Daniele

Rowland penny
2016-Mar-22 13:45 UTC
[Samba] Samba4 - Cannot contact any KDC for requested realm
On 22/03/16 13:35, Daniele Manfredi wrote:
> Good afternoon,
> I have installed a fileserver with samba4 environment.
> This is configured to work as AD-DC even if I only use it as a fileserver (at the moment).
> All seems to work fine but, every 10 minutes, the log prints these messages:
>
> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557554, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557717, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 614, in <module>
> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557790, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557825, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 125, in get_credentials
> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557867, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: raise e
> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557896, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for FILESERVER$@MYDOMAIN.IT failed (Cannot contact any KDC for requested realm)
> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557967, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate:
>
> Following, some configuration files that may help you to understand the problem.
>
> /etc/krb5.conf and /usr/local/samba/private/krb5.conf:
>
> [libdefaults]
>     default_realm = MYDOMAIN.IT
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> smb.conf
>
> # Global parameters
> [global]
>     realm = mydomain.it
>     server role = active directory domain controller
>     server services = -dns
>     printcap name = /dev/null
>     unix extensions = no
>     printing = bsd
>     dns forwarder = 8.8.8.8
>     workgroup = MYDOMAIN
>     os level = 255
>     interfaces = 192.168.0.221/255.255.255.0
>     load printers = no
>     netbios name = FILESERVER
>     winbind use default domain = yes
>     winbind trusted domains only = no
>
> Thank you in advance for your help.
> Daniele

OK, you have this:

server services = -dns

and this:

dns forwarder = 8.8.8.8

Is Bind9 running on the DC ?
If it is, is it set up correctly ?

What is in /etc/resolv.conf ?

Rowland

Rowland penny
2016-Mar-22 14:57 UTC
[Samba] Samba4 - Cannot contact any KDC for requested realm
On 22/03/16 14:38, Daniele Manfredi wrote:
> On 22/03/2016 14.45, Rowland penny wrote:
>> On 22/03/16 13:35, Daniele Manfredi wrote:
>>> Good afternoon,
>>> I have installed a fileserver with samba4 environment.
>>> This is configured to work as AD-DC even if I only use it as a fileserver (at the moment).
>>> All seems to work fine but, every 10 minutes, the log prints these messages:
>>>
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557554, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557717, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 614, in <module>
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557790, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557825, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 125, in get_credentials
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557867, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: raise e
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557896, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for FILESERVER$@MYDOMAIN.IT failed (Cannot contact any KDC for requested realm)
>>> Mar 22 11:53:17 fileserver samba[1946]: [2016/03/22 11:53:17.557967, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
>>> Mar 22 11:53:17 fileserver samba[1946]: /usr/local/samba/sbin/samba_dnsupdate:
>>>
>>> Following, some configuration files that may help you to understand the problem.
>>>
>>> /etc/krb5.conf and /usr/local/samba/private/krb5.conf:
>>>
>>> [libdefaults]
>>>     default_realm = MYDOMAIN.IT
>>>     dns_lookup_realm = false
>>>     dns_lookup_kdc = true
>>>
>>> smb.conf
>>>
>>> # Global parameters
>>> [global]
>>>     realm = mydomain.it
>>>     server role = active directory domain controller
>>>     server services = -dns
>>>     printcap name = /dev/null
>>>     unix extensions = no
>>>     printing = bsd
>>>     dns forwarder = 8.8.8.8
>>>     workgroup = MYDOMAIN
>>>     os level = 255
>>>     interfaces = 192.168.0.221/255.255.255.0
>>>     load printers = no
>>>     netbios name = FILESERVER
>>>     winbind use default domain = yes
>>>     winbind trusted domains only = no
>>>
>>> Thank you in advance for your help.
>>> Daniele
>>
>> OK, you have this:
>>
>> server services = -dns
>>
>> and this:
>>
>> dns forwarder = 8.8.8.8
>>
>> Is Bind9 running on the DC ?
>> If it is, is it set up correctly ?
>>
>> What is in /etc/resolv.conf ?
>>
>> Rowland
>
> Yes,
> Bind9 is up and running.
>
> Following, Bind9 configuration files:
>
> /etc/bind/named.conf:
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/usr/local/samba/private/named.conf";
>
> /etc/bind/named.conf.options:
>
> options {
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     forwarders {
>         8.8.8.8;
>         8.8.4.4;
>     };
>
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys. See https://www.isc.org/bind-keys
>     //========================================================================
>
>     // dnssec-validation auto;
>
>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; # per samba4
>     auth-nxdomain no; # conform to RFC1035
>     listen-on-v6 { any; };
> };
>
> /etc/bind/named.conf.local: (all commented : I tried to make zones but seems to be wrong...)
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> #zone "mydomain.it" IN {
> #    type master;
> #    file "/etc/bind/zones/mydomain.it.hosts";
> #};
> #
> #zone "0.168.192.in-addr.arpa" {
> #    type master;
> #    file "/etc/bind/zones/0.168.192.in-addr.arpa";
> #};
>
> /etc/bind/named.conf.default-zones:
>
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> /usr/local/samba/private/named.conf:
>
> dlz "AD DNS Zone" {
>     # For BIND 9.8.x
>     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
>
>     # For BIND 9.9.x
>     database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
>
>     # For BIND 9.10.x
>     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";
> };
>
> /etc/resolv.conf
>
> nameserver 8.8.8.8
> nameserver 127.0.0.1
> #nameserver 192.168.2.221
> nameserver 192.168.0.221
> domain MYDOMAIN.IT

Everything looks ok apart from your /etc/resolv.conf.

I would suggest you change it to:

nameserver 127.0.0.1
search mydomain.it

Remove the forwarder line from smb.conf, you only need it if you are using the internal DNS server. Talking of which, did you provision with the internal DNS server and then change to Bind9 ? If you did, have you read this Samba wiki page:

https://wiki.samba.org/index.php/Changing_the_DNS_backend

Rowland
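
The two points raised in the last reply (a resolv.conf on the DC that lists nameservers other than the DC itself, and a dns forwarder line left in smb.conf while server services = -dns) can be checked mechanically. The script below is an added example, not part of the thread or of Samba: the function names and the choice to accept the DC's own LAN address alongside loopback are assumptions, and the sample files are constructed from the values posted above.

```shell
#!/bin/sh
# Added example (not from the thread): lint a Samba AD DC's DNS client setup.

# Print nameservers in resolv.conf ($1) that are neither loopback nor the
# DC's own address ($2). Assumption: the DC's LAN address is also acceptable.
foreign_nameservers() {
    awk -v self="$2" '$1 == "nameserver" && $2 != "127.0.0.1" &&
        $2 != "::1" && $2 != self { print $2 }' "$1"
}

# Print the value of smb.conf ($1) parameter $2 (lower case). Sections are
# not tracked; both parameters checked below are [global]-only.
smb_param() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) print v
        }' "$1"
}

# Print one finding per line; prints nothing when both files are clean.
lint_dc_dns() {   # $1 = resolv.conf, $2 = smb.conf, $3 = DC address
    for ns in $(foreign_nameservers "$1" "$3"); do
        echo "resolv.conf: nameserver $ns is not this DC"
    done
    services=$(smb_param "$2" "server services" | tr ',' ' ')
    forwarder=$(smb_param "$2" "dns forwarder")
    case " $services " in
        *" -dns "*)
            if [ -n "$forwarder" ]; then
                echo "smb.conf: dns forwarder = $forwarder unused (server services = -dns)"
            fi ;;
    esac
}

# Constructed sample files using the values posted in the thread.
demo=$(mktemp -d)
printf '%s\n' 'nameserver 8.8.8.8' 'nameserver 127.0.0.1' \
    '#nameserver 192.168.2.221' 'nameserver 192.168.0.221' \
    'domain MYDOMAIN.IT' > "$demo/resolv.conf"
printf '%s\n' '[global]' '    realm = mydomain.it' \
    '    server services = -dns' '    dns forwarder = 8.8.8.8' > "$demo/smb.conf"
lint_dc_dns "$demo/resolv.conf" "$demo/smb.conf" 192.168.0.221
rm -rf "$demo"
```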