Yesterday I deleted the whole Debian machine and rebuilt Samba ad-dc.
Same issue, thanks for any help or update.

root@AD:/home/mauri# kinit Administrator
Password for Administrator@CALORO.M:
kinit: Password incorrect while getting initial credentials

root@AD:/source# cat /tmp/samba-debug-info.txt
Collected config --- 2020-03-24-12:27 -----------

Hostname: AD
DNS Domain: CALORO.M
FQDN: AD.CALORO.M
ipaddress: 192.168.1.7

-----------

Kerberos SRV _kerberos._tcp.CALORO.M record verified ok, sample output:
Server: 192.168.1.7
Address: 192.168.1.7#53

_kerberos._tcp.CALORO.M service = 0 100 88 ad.caloro.m.
Password for Administrator@CALORO.M:
kinit: Password incorrect while getting initial credentials
Wrong password or kerberos REALM problems, exiting now.
root@AD:/source#

root@AD:/home/mauri# cat /etc/resolv.conf
domain CALORO.M
nameserver 192.168.1.7

root@AD:/home/maur# ping caloro.m
PING ad.caloro.m (192.168.1.7) 56(84) bytes of data.
64 bytes from ad.caloro.m (192.168.1.7): icmp_seq=1 ttl=64 time=0.016 ms
64 bytes from ad.caloro.m (192.168.1.7): icmp_seq=2 ttl=64 time=0.046 ms

--- ad.caloro.m ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 31ms
rtt min/avg/max/mdev = 0.016/0.031/0.046/0.015 ms

root@AD:/home/mauri# cat /etc/hosts
127.0.0.1 localhost
192.168.1.7 ad.caloro.m caloro.m

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@AD:/home/maur#

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
Sent: Monday, 23 March 2020 16:30
To: maurizio at caloro.ch
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba still DNS Exit Code 23

On 23/03/2020 14:59, mauri via samba wrote:
> Many thanks for your fast answer !
>
> root@AD:/source# cat /tmp/samba-debug-info.txt
> Collected config --- 2020-03-23-15:57 -----------
>
> Hostname: AD
> DNS Domain: Caloro.m
> FQDN: AD.Caloro.m
> ipaddress: 192.168.1.7
>
> -----------
>
> Kerberos SRV _kerberos._tcp.Caloro.m record verified ok, sample output:
> Server: 192.168.1.9
> Address: 192.168.1.9#53
>
> _kerberos._tcp.caloro.m service = 0 0 88 AD.CALORO.M.
>
> -----Original Message-----
> From: maurizio at caloro.ch <maurizio at caloro.ch>
> Sent: Monday, 23 March 2020 15:45
> To: 'L.P.H. van Belle' <belle at bazuin.nl>
> Subject: AW: [Samba] Samba still DNS Exit Code 23
>
> Many thanks for your fast answer !
>
> root@AD:/source# ./samba-collect-debug-info.sh
> Please wait, collecting debug info.
>
> Password for Administrator@CALORO.M:
> kinit: Client 'Administrator@CALORO.M' not found in Kerberos database while getting initial credentials
> Wrong password or kerberos REALM problems, exiting now.
>
> smbpasswd -a administrator, but the same issue

First problem, you do not use smbpasswd against a Samba AD DC.

Louis's script has a problem, if 'kinit' fails, then the rest of the test script fails, try my version attached.

Just about all your post tells me, your /etc/resolv.conf is probably set up incorrectly, it should be:

search Caloro.m
nameserver 192.168.1.7

Rowland

On 24/03/2020 11:29, maurizio at caloro.ch wrote:
> Yesterday I deleted the whole Debian machine and rebuilt Samba ad-dc.
> Same issue, thanks for any help or update.
>
>
> root@AD:/home/mauri# kinit Administrator
> Password for Administrator@CALORO.M:
> kinit: Password incorrect while getting initial credentials

Let's start again from basics ;-)

What was your 'samba-tool provision' command ?

Can you post the contents of the following files:

/etc/hostname
/etc/krb5.conf
/etc/samba/smb.conf

Can you also post the output of:

ps ax | grep -E 'samba|smbd|winbind'

Rowland

On 24/03/2020 11:52, maurizio at caloro.ch wrote:
> Thanks for looking at my config
> Regards
> Mauri
>
> ---
>>> What was your 'samba-tool provision' command ?
> samba-tool domain provision --server-role=dc --use-rfc2307
> --dns-backend=SAMBA_INTERNAL

Because you seemingly didn't add '--adminpass=PASSWORD' (where 'PASSWORD' would be a secure password), Administrator will have a random password, do you know this ?

>>> /etc/hostname
> root@AD:/# cat /etc/hosts

No, 'cat /etc/hostname'

'/etc/hosts' is different.

Try /etc/krb5.conf like this:

[libdefaults]
        default_realm = CALORO.M
        dns_lookup_kdc = true
        dns_lookup_realm = false

>> /etc/samba/smb.conf
> # Global parameters
> [global]
> dns forwarder = 192.168.1.9

What is '192.168.1.9' ?

Rowland

On 24/03/2020 14:13, maurizio at caloro.ch wrote:
> Hello Rowland
> Now I made the changes.... but Samba-ad-dc failed to start....
>
> Smb.conf
> Dns forwarder changed to 192.168.1.7

I never said change the forwarder, I asked what your existing forwarder (192.168.1.9) was, you cannot use the DC's ipaddress for the forwarder, it must be a dns server outside the AD dns domain (8.8.8.8 for instance)

It looks like Samba didn't fully stop, try stopping it with systemd, then check with 'ps ax' and kill any Samba processes still running (samba, smbd and winbindd), then start Samba again.

Now, can you please post the output of 'cat /etc/hostname'

Also, just what is '192.168.1.9' ?

Rowland

On 24/03/2020 17:15, maurizio at caloro.ch wrote:
> I have stopped everything, also rebooted the server, but same issue

How are you starting Samba ?

Is another KDC running, or to put it another way, is the krb5-kdc package installed ? If it is, remove it.

>> Also, just what is '192.168.1.9' ?
> DNS Bind Server

OK, but what dns domain is it authoritative for ?

If it is the 'caloro.m' dns domain, then I suggest you turn it off and use the DC instead.

Rowland

On 24/03/2020 17:38, maurizio at caloro.ch wrote:
> Systemctl start samba-ad-dc
>
> Only one KDC Service are still running on this machine that need to run also
> Samba AD DC
> "krb5-kdc is already the newest version (1.17-3)"

apt-get purge krb5-kdc -y

That is the MIT kdc, a samba DC uses the builtin Heimdal kdc, you cannot have two kdc's

>
> DNS entry removed
>
>>> If it is the 'caloro.m' dns domain, then I suggest you turn it off and
> use the DC instead.
> Sorry I don't know what you mean....

A Samba DC has its own dns server and every DC is authoritative for the dns domain (in your case caloro.m). The DC uses itself for its nameserver and your clients must also use the DC for their nameservers.

The DC should return records for the caloro.m dns domain, but anything outside the caloro.m dns domain should be forwarded to a dns server outside the caloro.m dns domain. This could be one of Google's dns servers (8.8.8.8 for instance) or it could be another dns server you control, but it must be outside the caloro.m dns domain.

So, if your Bind9 server has 'caloro.m' as one of its zones, you cannot use it.

Rowland

On 24/03/2020 17:44, maurizio at caloro.ch wrote:
> If stopping the service krb5-kdc.service
>
> systemctl stop krb5-kdc.service
>
> then the Samba-ad-dc service will start.
>
> But cannot start now the krb5-kdc.service
>
> Is it any issue with same ports ????
>
>

Yes, see my other post, remove krb5-kdc, it must not be installed on a Samba AD DC.

Rowland

On 24/03/2020 21:35, maurizio at caloro.ch wrote:
> I join now one Windows 10 machine to this AD, and the following error appears.
>
> "Naming information cannot be located because: the specified domain either does not exist or could not be contacted"
>
>
> C:\Users\Maurizio>nslookup ad.caloro.m
> Server: domino.caloro.m
> Address: 192.168.1.9
>
> Name: ad.caloro.m
> Address: 192.168.1.7

I told you, turn off bind9 on 192.168.1.9, it appears to be trying to be authoritative for the 'caloro.m' dns domain and unless you can sync the dns records from the DC to your bind9 dns server (and keep them synced), you are going to have problems. If you must use Bind9, then install it on the DC and upgrade Samba to use it.

Your Windows problem is undoubtedly caused by the Windows client contacting your Bind9 server (which very probably knows nothing about the AD domain) instead of the DC.

Rowland
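
Added example, not part of any post in this thread: shell functions that run the checks the replies above ask for (the DC resolves through itself, 'dns forwarder' is set and is not the DC's own address, default_realm matches the AD realm, and the MIT krb5-kdc package is absent). The function names and the dpkg-query package test are assumptions of this example; the file paths and package name come from the thread.

```shell
#!/bin/sh
# Added example: checks for the DC settings discussed in the thread.
# Paths default to the live files; pass copies as extra arguments to test.

# Value of "key = value" from an ini-style file, surrounding blanks trimmed.
conf_value() {  # $1 = file, $2 = key
    awk -F= -v k="$2" '{ key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        NF > 1 && key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# The DC must resolve through itself: first nameserver is the DC's address.
resolver_ok() {  # $1 = resolv.conf, $2 = DC IP
    [ "$(awk '$1 == "nameserver" { print $2; exit }' "$1")" = "$2" ]
}

# A forwarder must be set and none of the listed servers may be the DC.
forwarder_ok() {  # $1 = smb.conf, $2 = DC IP
    fwd=$(conf_value "$1" "dns forwarder")
    [ -n "$fwd" ] || return 1
    for ip in $fwd; do
        if [ "$ip" = "$2" ]; then return 1; fi
    done
    return 0
}

# krb5.conf must name the AD realm as default_realm.
realm_ok() {  # $1 = krb5.conf, $2 = realm
    [ "$(conf_value "$1" default_realm)" = "$2" ]
}

# Samba's built-in KDC cannot share the host with the MIT krb5-kdc package.
mit_kdc_absent() {
    command -v dpkg-query >/dev/null 2>&1 || return 0   # no dpkg: nothing to check
    ! dpkg-query -W -f='${Status}' krb5-kdc 2>/dev/null | grep -q 'ok installed'
}

check_dc() {  # $1 = DC IP, $2 = realm, optional $3 $4 $5 = file paths
    rc=0
    resolver_ok "${3:-/etc/resolv.conf}" "$1" || { echo "resolv.conf: first nameserver is not $1"; rc=1; }
    forwarder_ok "${4:-/etc/samba/smb.conf}" "$1" || { echo "smb.conf: dns forwarder unset or pointing at the DC"; rc=1; }
    realm_ok "${5:-/etc/krb5.conf}" "$2" || { echo "krb5.conf: default_realm is not $2"; rc=1; }
    mit_kdc_absent || { echo "krb5-kdc is installed next to Samba"; rc=1; }
    return $rc
}
```

With the values from the thread this is called as `check_dc 192.168.1.7 CALORO.M`; it prints one line per failed check and returns non-zero if any check failed.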