Jo
2016-Jun-05 09:05 UTC
[Samba] inconsistent DNS information, windows domain member issues..
I joined a Windows 10 Pro system to my (still experimental) domain. The Windows system actually hosts DC2 as a VM, and another Windows (Server 2008 R2) at another location hosts DC1, also as a VM. The two locations are connected via a VPN; both systems run only when needed. The Windows system does not directly use DC2 for DNS but instead talks to a DNS resolver that delegates the Samba domain to DC2. DC2 uses itself as nameserver.

I am observing the following issues that may be related or not:

* When I do a nslookup samba.domain DC2 I get the address of DC1; nslookup DC2.sambadomain DC2 fails. nslookup DC1.samba.domain DC2 works. When I use dig @DC2 samba.domain it returns DC1 only. dig samba.domain ANY returns

    ;; ANSWER SECTION:
    samba.domain.        3600  IN  SOA  dc2.samba.domain. hostmaster.samba.domain. 1 900 600 86400 3600
    samba.domain.        900   IN  NS   dc1.samba.domain.
    samba.domain.        900   IN  A    192.168.177.21

    ;; ADDITIONAL SECTION:
    dc1.samba.domain.    900   IN  A    192.168.177.21

  Same information @DC2 or the local resolver of the network.

* On Windows, nslookup -type=ANY samba.domain. (note the .):

    Server:  netgear.local
    Address:  192.168.15.2

    samba.domain
            primary name server = dc2.samba.domain
            responsible mail addr = hostmaster.samba.domain
            serial  = 1
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    samba.domain        nameserver = dc1.samba.domain
    samba.domain        internet address = 192.168.177.21
    dc1.samba.domain    internet address = 192.168.177.21

* Windows nslookup -type=ANY samba.domain (without .) looks for samba.domain.domain. Is this OK or does it point to a problematic search configuration?

* When I use the DNS mmc snap-in I can see a host record for dc2. I can also see a host record for the Windows system reflecting the IP address before the system moved to the other location. I tried to update that, but got an error message (translated from German) like "the database of the local security authority is internally inconsistent". The snap-in is ultra slow via VPN, but what makes me more nervous are the (to me) inconsistent views on the DNS: nslookup showing DC2, mmc showing DC1 as the NS.

* In the Windows management console, only some of the domain users & principals are shown with the name domain\identity; most of them are shown as S-xxx. With the one user shown as domain\user I can log on to the Windows system, however (likely with cached credentials, but I don't dare to change them to confirm).

* When I try to modify folder permissions on the Windows system, I get a message "Unable to contact Active Directory to access or verify claim types".

* On DC2: kinit Administrator returns "kinit: Cannot contact any KDC for realm 'samba.domain' while getting initial credentials". This one was easy to fix by adding the domain to /etc/krb5.conf. I am putting this in as I changed configuration at this point.

* In an attempt to get Samba to return DC2 as a nameserver I tried samba-tool dns add dc2 samba.domain @ NS dc2.samba.domain:

    Password for [Administrator@SAMBA.DOMAIN]:
    ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1062, in run
        dns_conn = dns_connect(server, self.lp, self.creds)
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 40, in dns_connect
        dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

  In another attempt the command produced "Record added successfully", but using dig or nslookup I cannot find it. It is shown in the DNS mmc snap-in (at least now). Restarting bind did not help.

* Following https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins I tried

    root@dc2:/etc/bind# samba-tool dns add dc1 samba.domain DC2 A 192.168.15.22 -UAdministrator
    Password for [SAMBA\Administrator]:
    ERROR: Record already exists
    root@dc2:/etc/bind# samba-tool dns add dc2 samba.domain DC2 A 192.168.15.22 -UAdministrator
    Password for [SAMBA\Administrator]:
    ERROR: Record already exists
    root@dc2:/etc/bind# host -t A DC2.samba.domain
    Host DC2.samba.lindenberg.one not found: 3(NXDOMAIN)

  How should I proceed there?

I don't know how to fix the inconsistent DNS entries and get Windows to work. Please advise.

Thanks, Joachim
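A consistency check for the kind of zone data shown above (SOA MNAME naming one DC, the NS set naming only the other, and no A record for dc2), as an added example that is not part of the original post or of Samba's own tooling. The dig output is constructed to match what was posted, with a second, consistent sample for comparison; the DC names and addresses are taken from the post.

```python
"""Parse dig-style answer sections and flag delegation inconsistencies
between a zone's SOA, NS and A records, then compare two servers' views.
Added example; the samples below are constructed, not captured."""
import re

# Constructed sample: dig samba.domain ANY, as reported in the post.
INCONSISTENT = """\
;; ANSWER SECTION:
samba.domain.        3600  IN  SOA  dc2.samba.domain. hostmaster.samba.domain. 1 900 600 86400 3600
samba.domain.        900   IN  NS   dc1.samba.domain.
samba.domain.        900   IN  A    192.168.177.21

;; ADDITIONAL SECTION:
dc1.samba.domain.    900   IN  A    192.168.177.21
"""

# Constructed sample of what a healthy two-DC zone looks like: both DCs in
# the NS set, both with A records, both addresses at the zone apex.
CONSISTENT = """\
;; ANSWER SECTION:
samba.domain.        3600  IN  SOA  dc2.samba.domain. hostmaster.samba.domain. 2 900 600 86400 3600
samba.domain.        900   IN  NS   dc1.samba.domain.
samba.domain.        900   IN  NS   dc2.samba.domain.
samba.domain.        900   IN  A    192.168.177.21
samba.domain.        900   IN  A    192.168.15.22

;; ADDITIONAL SECTION:
dc1.samba.domain.    900   IN  A    192.168.177.21
dc2.samba.domain.    900   IN  A    192.168.15.22
"""

# owner  ttl  IN  type  rdata   (dig's default presentation format)
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Return (owner, type, rdata) tuples from dig's answer/additional sections."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and ";;" headers
            continue
        m = RR.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(2).upper(), m.group(3)))
    return records


def check_zone(zone, dcs, records):
    """Return human-readable findings; an empty list means the zone is consistent.
    `dcs` are the DC hostnames the zone is expected to advertise as nameservers."""
    zone = zone.rstrip(".").lower() + "."
    expected = {d.rstrip(".").lower() + "." for d in dcs}
    soa = [r for o, t, r in records if o == zone and t == "SOA"]
    ns = {r.lower() for o, t, r in records if o == zone and t == "NS"}
    a_owners = {o for o, t, _ in records if t == "A"}
    zone_a = {r for o, t, r in records if o == zone and t == "A"}
    findings = []
    if not soa:
        return [f"no SOA record for {zone}"]
    mname = soa[0].split()[0].lower()          # primary master named in the SOA
    if mname not in ns:
        findings.append(f"SOA MNAME {mname} is not in the NS set {sorted(ns)}")
    for dc in sorted(expected - ns):
        findings.append(f"DC {dc} is missing from the NS set")
    for host in sorted(ns | {mname} | expected):
        if host not in a_owners:               # a nameserver nobody can resolve
            findings.append(f"no A record for {host} (clients cannot reach it)")
    if len(zone_a) < len(expected):            # apex should list every DC
        findings.append(f"zone apex has {len(zone_a)} A record(s) for {len(expected)} DCs")
    return findings


def diff_views(records_a, records_b):
    """Records seen from one server but not the other; non-empty means the two
    views (DC1 vs DC2, or dig vs the mmc snap-in) disagree and replication or
    dynamic updates need a look."""
    a, b = set(records_a), set(records_b)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    dcs = ["dc1.samba.domain", "dc2.samba.domain"]
    for name, sample in (("posted", INCONSISTENT), ("healthy", CONSISTENT)):
        print(name, check_zone("samba.domain", dcs, parse_dig(sample)) or ["OK"])
```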
Rowland penny
2016-Jun-05 10:48 UTC
[Samba] inconsistent DNS information, windows domain member issues..
On 05/06/16 10:05, Jo wrote:
> I joined a Windows 10 Pro system to my (still experimental) domain.
> [...]
> Thanks, Joachim

Is bind9 running on the DCs? And if so, are you using bind_dlz?

Your DCs really need to be running at all times, so that replication can work properly. Also, each DC should use the other for their DNS server; anything unknown to the DNS servers on the DCs should be forwarded to an external DNS that does know or can find out.

Can you please post /etc/resolv.conf, /etc/hosts and /etc/krb5.conf from each DC? Can you also post the smb.conf file from each DC.

Rowland
Jo
2016-Jun-05 12:43 UTC
[Samba] inconsistent DNS information, windows domain member issues..
> -----Original Message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On Behalf Of Rowland penny
> Sent: Sunday, 5 June 2016 12:49
> To: samba@lists.samba.org
> Subject: Re: [Samba] inconsistent DNS information, windows domain member issues..
>
> On 05/06/16 10:05, Jo wrote:
> > I joined a Windows 10 Pro system to my (still experimental) domain.
> > [...]
> > Thanks, Joachim
>
> Is bind9 running on the DCs ? and if so, are you using bind_dlz ?

Yes and yes.

> Your DCs really need to be running at all times, so that replication can work
> properly, also each DC should use the other for their DNS server, anything
> unknown to the DNS servers on the DCs should be forwarded to an external
> DNS that does know or can find out.

I understand that they need to be up simultaneously for replication, but otherwise that should not be the case. Or why? IMHO the point of redundancy is that you can tolerate failure. In fact I would like to run this on two bananas but haven't found a usable distribution so far that offers recent versions of Samba (and supports encryption at least of the relevant data). Running the Windows hosts all the time is not an option due to noise, energy consumption, etc. The point of whether the DC should use the respective other DC for DNS is obviously debated here. The DCs do have an upstream forwarder configured in bind.

> Can you please post /etc/resolv.conf, /etc/hosts and /etc/krb5.conf from
> each DC, can you also post the smb.conf file from each DC.

joachim@dc1:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.177.21
search samba.domain
joachim@dc1:~$ cat /etc/hosts
127.0.0.1       localhost
192.168.177.21  dc1 dc1.samba.domain
192.168.15.22   dc2 dc2.samba.domain

# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
joachim@dc1:~$ cat /etc/krb5.conf
[libdefaults]
        default_realm = SAMBA.DOMAIN

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = kerberos.andrew.cmu.edu
                kdc = kerberos2.andrew.cmu.edu
                kdc = kerberos3.andrew.cmu.edu
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

[login]
        krb4_convert = true
        krb4_get_tickets = false
joachim@dc1:~$ cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = SAMBA
        realm = SAMBA.DOMAIN
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/samba.domain/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
joachim@dc1:~$

I detected that in krb5.conf the realm was missing and added that now. Not sure whether this changes something.

joachim@dc2:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.15.22
search samba.domain
joachim@dc2:~$ cat /etc/hosts
127.0.0.1       localhost
192.168.15.22   dc2 dc2.samba.domain
192.168.177.21  dc1 dc1.samba.domain
joachim@dc2:~$ cat /etc/krb5.conf
[libdefaults]
        default_realm = SAMBA.DOMAIN

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        SAMBA.domain = {
                kdc = dc2.samba.domain:88
                kdc = dc1.samba.domain:88
                admin_server = dc1.samba.domain
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = kerberos.andrew.cmu.edu
                kdc = kerberos2.andrew.cmu.edu
                kdc = kerberos3.andrew.cmu.edu
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

[login]
        krb4_convert = true
        krb4_get_tickets = false
joachim@dc2:~$ cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = SAMBA
        realm = samba.domain
        netbios name = DC2
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc

[netlogon]
        path = /var/lib/samba/sysvol/samba.domain/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
joachim@dc2:~$

One new piece of mosaic:

root@dc2:/home/joachim# tail /var/log/samba/log.samba
[2016/06/05 14:28:12.674356,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2016/06/05 14:28:12.697076,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2016/06/05 14:28:12.719968,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2016/06/05 14:28:12.743569,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2016/06/05 14:28:12.756246,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
root@dc2:/home/joachim#

I tried to follow https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable, but maybe that is outdated? I found a keytab file at /var/lib/samba/private/secrets.keytab and it contains what is described on the wiki page:

root@dc2:/home/joachim# klist -k /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc2@SAMBA.DOMAIN
   1 HOST/dc2.samba.domain@SAMBA.DOMAIN
   1 DC2$@SAMBA.DOMAIN
   1 HOST/dc2@SAMBA.DOMAIN
   1 HOST/dc2.samba.domain@SAMBA.DOMAIN
   1 DC2$@SAMBA.DOMAIN
   1 HOST/dc2@SAMBA.DOMAIN
   1 HOST/dc2.samba.domain@SAMBA.DOMAIN
   1 DC2$@SAMBA.DOMAIN
   1 HOST/dc2@SAMBA.DOMAIN
   1 HOST/dc2.samba.domain@SAMBA.DOMAIN
   1 DC2$@SAMBA.DOMAIN
   1 HOST/dc2@SAMBA.DOMAIN
   1 HOST/dc2.samba.domain@SAMBA.DOMAIN
   1 DC2$@SAMBA.DOMAIN

Do I have to update some configuration path to point to that file? Create a link? Or what else to check?

Thanks, Joachim

> Rowland