samba - Jan 2017 - UNSOLVED: Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)

On Tue, 17 Jan 2017 04:30:31 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:
> Samba - General mailing list wrote
> > And there is your problem, AD lives (or dies) on DNS, unlike NT. You
> > have this line 'dns-nameservers 127.0.0.1' in your smb.conf.
It is
> > useless, it is pointing to itself and you are not running a dns
> > server, even if you were running a dns server, it shouldn't point
to
> > itself.
> 
> Oh and I forgot, I am running a DNS server on the DC, on the right
> port and with all my clients are needing.
> They are only not served trough samba but directlly by bind. If they
> (clients) would see any difference, I couldn't join at all with any
> machine, isn't it?
> 
As I asked if you are using BIND_DLZ, I take it you are using the
totally unsupported flatfiles. It wouldn't take much to start using
Bind9 in the way that Samba supports, just why do you not want to do
this ?

Rowland

Samba - General mailing list wrote
> On Tue, 17 Jan 2017 04:30:31 -0800 (PST)
> rawi via samba <
> samba at .samba
> > wrote:
> 
>> Oh and I forgot, I am running a DNS server on the DC, on the right
>> port and with all my clients are needing.
>> They are only not served trough samba but directlly by bind. If they
>> (clients) would see any difference, I couldn't join at all with any
>> machine, isn't it?
>> 
> 
> As I asked if you are using BIND_DLZ, I take it you are using the
> totally unsupported flatfiles. It wouldn't take much to start using
> Bind9 in the way that Samba supports, just why do you not want to do
> this ?
> 
> Rowland
No, I have dhcp and a full bind9 serving master zones forward and reverse,
with exception of the _msdcs... SOA, which I let only forward and it seems
enough...

The configs are static, no dynamic updates, and I generate the dhcp config
and the zones per script, if something changes.

In all the complexity you mean it exists in my unsupported configuration you
will laugh, but I try to keep things simple and stupid, so I can grasp all
the little I do :)

- First I wish to stay with a single dns name space with only a part of it
in the AD, but BIND_DLZ should serve a separate sub-zone for the AD.

- Doing dns and dns-updates trough samba could be a source of error and
frustration, as I read sometimes in questions here in the mail list or other
places in forums.
So I say to my clients to not do dns-updates, because I have already all
possible in DNS.
Equally positive I feel that no service is trying to modify configurations
of another service. I simply avoid this and the need to handle with special
kerberos user-services and keys, or to temper with apparmor is gone too.

- I sniffed at the beginning with dns_update, which records and SOA samba
supplementary needs on this machine, and this is an one time addition to the
zones in bind.

- I learned afterward, which DNS records should be added, if I join a second
DC to the AD.
- It seemed to me (reading different postings), that samba still has a bug
with doing this automatically, so one has anyway to add the _ldap.. ,
objectGUIDs addresses and the other records of the new DC himself.

So, I see it really simpler this way.
I'm sorry, that this will be always a source of discordance here by any
other question, related or unrelated to DNS.
I still do not think that the original problem was caused by the program
which DNS serves, otherwise it would have disturbed all other test-clients.

Regards
rawi




--
View this message in context:
http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713561.html
Sent from the Samba - General mailing list archive at Nabble.com.

On Tue, 17 Jan 2017 05:54:41 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:


> 
> No, I have dhcp and a full bind9 serving master zones forward and
> reverse, with exception of the _msdcs... SOA, which I let only
> forward and it seems enough...
I have been using BIND_DLZ and DHCP updating the Samba AD database for
the last 4 years without problem.
> 
> The configs are static, no dynamic updates, and I generate the dhcp
> config and the zones per script, if something changes.
Why not just get DHCP to do the updates for you.
> 
> In all the complexity you mean it exists in my unsupported
> configuration you will laugh, but I try to keep things simple and
> stupid, so I can grasp all the little I do :)
I don't think your setup is simple.
> 
> - First I wish to stay with a single dns name space with only a part
> of it in the AD, but BIND_DLZ should serve a separate sub-zone for
> the AD.
This will probably never work correctly, you should setup your AD as a
subdomain of your main domain i.e. if your main domain is example.com,
you would use samdom.example.com for your AD domain.
> 
> - Doing dns and dns-updates trough samba could be a source of error
> and frustration, as I read sometimes in questions here in the mail
> list or other places in forums.
I have never had any errors.
> So I say to my clients to not do dns-updates, because I have already
> all possible in DNS.
Quite right your windows clients shouldn't be allowed to update their
own records, DHCP should do it for them ;-)
> Equally positive I feel that no service is trying to modify
> configurations of another service. I simply avoid this and the need
> to handle with special kerberos user-services and keys, or to temper
> with apparmor is gone too.
You need to learn about kerberos, this is another of those things that
AD relies on and kerberos relies on DNS and time, just a thought, you
are running an ntp server on the DC, aren't you ?
> 
> - I sniffed at the beginning with dns_update, which records and SOA
> samba supplementary needs on this machine, and this is an one time
> addition to the zones in bind.
I will say it again, using bind9 with flatfiles is NOT supported.
> 
> - I learned afterward, which DNS records should be added, if I join a
> second DC to the AD.
> - It seemed to me (reading different postings), that samba still has
> a bug with doing this automatically, so one has anyway to add the
> _ldap.. , objectGUIDs addresses and the other records of the new DC
> himself.
Well yes and no, the records aren't created by the join, but they are
created when Samba is restarted on the joined DC, but they wouldn't be
on any Samba set up your way, because you have turned of dnsupdate!
> 
> So, I see it really simpler this way.
No, it isn't
> I'm sorry, that this will be always a source of discordance here by
> any other question, related or unrelated to DNS.
> I still do not think that the original problem was caused by the
> program which DNS serves, otherwise it would have disturbed all other
> test-clients.
I am fairly convinced it is a DNS problem and as you are using an
unsupported DNS, well, it is your domain and you can do as you like.

Rowland