Hi There,

I have an odd issue with my samba4 infrastructure, I have two servers both replicating fine.
DC1 passes all tests documented here:
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
Except the following test:

# kinit administrator
# kinit: krb5_get_init_creds: Client (administrator@DOMAIN.NAME.COM.AU) unknown

And in the logs I have found the following:

# kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in Kerberos database)

SERVER1 is my DC1, not sure why it has a $ right before the @, is this normal?
I get the same error when running

# samba_dnsupdate --verbose --all-names
IPs: ['0.0.0.0'] -> shows the real DC1 ip address
Traceback (most recent call last):
  File "/usr/local/sbin/samba_dnsupdate", line 621, in <module>
    get_credentials(lp)
  File "/usr/local/sbin/samba_dnsupdate", line 125, in get_credentials
    raise e
RuntimeError: kinit for SERVER1$@DOMAIN.NAME.COM.AU failed (Client not found in Kerberos database)

Not sure if this is useful but I have run:

# samba_dnsupdate --verbose --all-names --no-credentials

Calling nsupdate for A server1.domain.name.com.au 0.0.0.0 (add) -> Both lines don't show 0.0.0.0 it shows the real ip address
Failed nsupdate: A server1.domain.name.com.au 0.0.0.0 : [Errno 2] No such file or directory

And it keeps trying to find those files all with the same error:
[Errno 2] No such file or directory

Calling nsupdate for A gc._msdcs.a
Calling nsupdate for SRV _gc._tcp.

Last thing that I found
On DC1
# ps ax | grep samba
38636 - Is 0:00.40 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
38637 - I 0:00.00 samba: task[s3fs_parent] (samba)
38638 - S 0:27.24 samba: task[dcesrv] (samba)
38640 - I 0:00.01 samba: task wrepl server_id[38640] (samba)
38641 - I 0:08.63 samba: task[ldapsrv] (samba)
38642 - S 0:00.07 samba: task[cldapd] (samba)
38644 - S 1:04.27 samba: task[dreplsrv] (samba)
38645 - I 0:00.00 samba: task[winbindd_parent] (samba)
38646 - I 0:00.01 samba: task[ntp_signd] (samba)
38648 - I 0:03.79 samba: task[kccsrv] (samba)
38649 - S 0:00.89 samba: task[dnsupdate] (samba)
38650 - I 0:04.54 samba: task[dns] (samba)

on DC2
# ps ax | grep samba
11108 - Ss 0:00.41 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
11109 - I 0:00.00 samba: task[s3fs_parent] (samba)
11110 - S 0:02.74 samba: task[dcesrv] (samba)
11112 - S 0:00.00 samba: task wrepl server_id[11112] (samba)
11113 - I 0:01.77 samba: task[ldapsrv] (samba)
11114 - S 0:00.19 samba: task[cldapd] (samba)
11115 - I 0:00.44 samba: task[kdc] (samba)
11116 - S 0:01.07 samba: task[dreplsrv] (samba)
11117 - I 0:00.00 samba: task[winbindd_parent] (samba)
11118 - S 0:00.00 samba: task[ntp_signd] (samba)
11120 - I 0:00.43 samba: task[kccsrv] (samba)
11121 - S 0:00.04 samba: task[dnsupdate] (samba)
11122 - S 0:00.01 samba: task[dns] (samba)

As you can see task[kdc] (samba) is not running on DC1, I'm pretty sure this is something to do with my issues, but not sure how to fix this.

This is my /etc/resolv.conf

domain domain.name.com.au
nameserver 192.168.1.1 -> ip address of firewall which handles DNS

This is my /etc/krb5.conf

[libdefaults]
    default_realm = DOMAIN.NAME.COM.AU
    dns_lookup_realm = false
    dns_lookup_kdc = true

This is my /usr/local/etc/smb4.conf

Global parameters
[global]
    interfaces = 192.168.1.100
    bind interfaces only = yes
    workgroup = CW1
    realm = AD.CARRIAGEWORKS.COM.AU
    netbios name = SERVER1
    server role = active directory domain controller
    dns forwarder = 192.168.1.1
    printing = bsd
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
    dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
    restrict anonymous = 1
    map acl inherit = no
    store dos attributes = yes
    unix extensions = no
    ea support = no
    idmap_ldb:use rfc2307 = yes
    browseable= yes
    writable = yes
    read only= no
    create mask = 770
    force create mode = 770
    directory mask = 770
    force directory mode = 770
    kerberos method = system keytab
    client ldap sasl wrapping = sign
    allow dns updates = nonsecure and secure

I appreciate your help and thanks in advance for reading this.

Regards,

--
Juan Garcia
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
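
The by-eye comparison of the `ps ax` listings in the post above, automated as an added example (not part of the original thread and not Samba code): it reports every service named in `server services` that has no running samba task. The function names and the `TASK_TITLE` mapping are assumptions inferred from the listings in this thread.

```python
import re

# Assumption: this mapping from "server services" names to process title
# fragments is inferred by lining up the smb4.conf list with the ps listings
# in this thread; it is not taken from Samba documentation.
TASK_TITLE = {
    "s3fs": "task[s3fs_parent]", "rpc": "task[dcesrv]", "wrepl": "task wrepl",
    "ldap": "task[ldapsrv]", "cldap": "task[cldapd]", "drepl": "task[dreplsrv]",
    "winbind": "task[winbindd_parent]", "kcc": "task[kccsrv]",
}

def configured_services(smb_conf_text):
    """Return the names listed in 'server services', in order."""
    m = re.search(r"^\s*server services\s*=\s*(.+)$", smb_conf_text, re.M)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []

def missing_tasks(smb_conf_text, ps_output):
    """Return configured services with no matching 'samba: task...' line."""
    titles = [l.split("samba:", 1)[1] for l in ps_output.splitlines() if "samba:" in l]
    missing = []
    for svc in configured_services(smb_conf_text):
        needle = TASK_TITLE.get(svc, "task[%s]" % svc)  # default: task[<name>]
        if not any(needle in t for t in titles):
            missing.append(svc)
    return missing

# Sample input copied from the post: the smb4.conf line and the DC1 listing.
SMB_CONF = """[global]
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
"""
DC1_PS = """\
38636 - Is 0:00.40 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
38637 - I 0:00.00 samba: task[s3fs_parent] (samba)
38638 - S 0:27.24 samba: task[dcesrv] (samba)
38640 - I 0:00.01 samba: task wrepl server_id[38640] (samba)
38641 - I 0:08.63 samba: task[ldapsrv] (samba)
38642 - S 0:00.07 samba: task[cldapd] (samba)
38644 - S 1:04.27 samba: task[dreplsrv] (samba)
38645 - I 0:00.00 samba: task[winbindd_parent] (samba)
38646 - I 0:00.01 samba: task[ntp_signd] (samba)
38648 - I 0:03.79 samba: task[kccsrv] (samba)
38649 - S 0:00.89 samba: task[dnsupdate] (samba)
38650 - I 0:04.54 samba: task[dns] (samba)
"""

if __name__ == "__main__":
    print("configured but not running:", missing_tasks(SMB_CONF, DC1_PS))
```

On a live DC, pass the contents of the file given to `--configfile` and the output of `ps ax` instead of the embedded samples.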

Hi,

Try to add "rdns = false" in krb5.conf on SERVER1.

2016-06-21 13:36 GMT+02:00 Juan Garcia <juan at ish.com.au>:

> Hi,
>
> Try to add "rdns = false" in krb5.conf on SERVER1.

Hi Mathias,

Thanks for your reply. I have tried that option but same issues. This is getting worse now.
Not sure what else to do, any other test/changes you advise me to do? Right now I'm out of ideas.