Rowland Penny
2022-Jun-09 06:19 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On Wed, 2022-06-08 at 16:05 -0700, Matthew Schumacher via samba wrote:
> On 6/7/22 12:27 AM, Rowland Penny via samba wrote:
> > > Thanks for the reply.
> > >
> > > I looked for documentation on how to convert from MIT to Heimdal, but didn't see anything. Can I simply rebuild and re-deploy or do I need to demote each domain controller then add it back in again?
> > >
> > > Thanks,
> > > schu
> > >
> > Just add another DC that uses Heimdal and then demote one of your existing DCs, repeat until you have no DCs running MIT.
> >
> > Rowland
> >
>
> I took some time to recompile and test out. This page https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory suggests you call kinit before you join the domain but kinit is from my OS now since kerberos is internal. I think this might have something to do with the next error which is I can't join the domain with "--dns-backend=BIND9_DLZ"
>
> I get the following:
>
> root@auth:/var/lib/samba/private# samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
> Password for [ADMIN\administrator]:
> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
> Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Setting account password for AUTH$
> Enabling account
> Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
> Join failed - cleaning up
> Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
> Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
> ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0> <>
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
>     join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
>     ctx.do_join()
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
>     ctx.samdb.add(msg)
>
> If I join the domain without BIND9, it works fine, but it appears to skip the DNS install:
>
> samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --server masterdc
>
> What is interesting is that I can demote this controller then immediately add it back with bind9:
>
> samba-tool domain demote -U"ADMIN\administrator" --server masterdc
> samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
>
> It works, but samba binds its own internal DNS to port 53 and bind9 can't be started. I also figured out that if I add a krb5.conf file in my samba/private directory I can get it to join the domain even with "--dns-backend=BIND9_DLZ" but the result is the same in that samba appears to use its own DNS server.
>
> Is there a way to use the internal kerberos and external DNS or should I try to setup bind as a caching forwarder to internal DNS bound to a different IP or port?
>
> I looked around in the documentation but didn't see anything obvious regarding how different DNS systems depend on different Kerberos systems.
>
> Thanks,
> Matt

It sounds like you are running Samba as an AD DC using the dns domain 'domain.net' and it also sounds like you are running a MIT kdc using the same dns domain.

If this is the case, choose one (preferably the MIT kdc) and turn it off.

Rowland
Matthew Schumacher
2022-Jun-09 13:48 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On 6/8/22 11:19 PM, Rowland Penny via samba wrote:
> On Wed, 2022-06-08 at 16:05 -0700, Matthew Schumacher via samba wrote:
>> I took some time to recompile and test out. This page https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory suggests you call kinit before you join the domain but kinit is from my OS now since kerberos is internal. I think this might have something to do with the next error which is I can't join the domain with "--dns-backend=BIND9_DLZ"
>>
>> I get the following:
>>
>> root@auth:/var/lib/samba/private# samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ --server masterdc
>> Password for [ADMIN\administrator]:
>> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
>> INFO 2022-06-08 21:58:18,008 pid:750 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is admin.domain.net
>> Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
>> Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
>> Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
>> Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
>> Setting account password for AUTH$
>> Enabling account
>> Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
>> Join failed - cleaning up
>> Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
>> Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
>> Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
>> ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0> <>
>>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", line 702, in run
>>     join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, in join_DC
>>     ctx.do_join()
>>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, in do_join
>>     ctx.join_add_objects()
>>   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in join_add_objects
>>     ctx.samdb.add(msg)
>>
>> <snip>
> It sounds like you are running Samba as an AD DC using the dns domain 'domain.net' and it also sounds like you are running a MIT kdc using the same dns domain.
>
> If this is the case, choose one (preferably the MIT kdc) and turn it off.
>
> Rowland
>
>

Thanks for the reply, Rowland.

I'm not using the MIT kdc (or at least it's not configured). I noticed that if I put a krb5.conf in the samba/private directory it will join the domain, but that is moot since it doesn't appear to use the external DNS server, which is the same result as if I omitted "--dns-backend=BIND9_DLZ".

Basically I can't get samba to join a domain using the bind9 dns server without getting:

ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0

The DNS server is built against the system's MIT kerberos implementation, so I'm assuming this is the issue, can you confirm?

If that's the case, what are my options? What do most people do? Just use the internal DNS server too?

Thanks again
Matt
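As an added example (not code from the thread or from the Samba project), a small Python triage helper for the samba-tool domain join output quoted above: it parses the Adding/Deleted lines and the ldb error, lists any object the cleanup never reported removing (worth an LDAP search before retrying), and flags the empty host part in the dns/ SPN that the quoted output shows. The sample input is constructed from the thread's output (INFO and prompt lines dropped); the Win32 error name is taken from winerror.h.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the samba-tool domain join output quoted in the thread, one message per
# line (the archive ran them together), abridged (INFO and password-prompt lines dropped).
SAMPLE_JOIN_OUTPUT = """\
Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Adding CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Adding CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with dns/ SPN
Join failed - cleaning up
Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Deleted CN=NTDS Settings,CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
Deleted CN=AUTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=admin,DC=domain,DC=net
ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0> <>
"""

ADD_RE = re.compile(r"^Adding (?:DNS account )?(CN=.+?)(?: with (\S+) SPN)?$")  # ignores "Adding SPNs to"
DEL_RE = re.compile(r"^Deleted (CN=.+)$")
ERR_RE = re.compile(r"^ERROR\(ldb\): .*LDAP error (\d+) (\w+) - <([0-9A-Fa-f]{8}): "
                    r"SysErr: DSID-([0-9A-Fa-f]+), problem (\d+) \(([^)]*)\)")
WIN32_NAMES = {1315: "ERROR_INVALID_ACCOUNT_NAME"}  # the <hex> is a Win32 code (winerror.h); only this one named

@dataclass
class JoinReport:
    added: list = field(default_factory=list)    # DNs the join reported creating
    deleted: list = field(default_factory=list)  # DNs the failure cleanup reported removing
    dns_spn: str = ""                            # SPN requested for the dns-<host> account
    error: dict = field(default_factory=dict)    # parsed ldb error, empty if none was printed
    def succeeded(self) -> bool:
        return not self.error and not self.deleted
    def not_cleaned_up(self) -> list:  # added but never reported deleted: check with an LDAP search
        return [dn for dn in self.added if dn not in self.deleted]
    def empty_spn_host(self) -> bool:  # the thread's output shows "dns/ SPN" with no host part
        return self.dns_spn.endswith("/")

def parse_join_output(text: str) -> JoinReport:
    r = JoinReport()
    for line in text.splitlines():
        if m := ADD_RE.match(line):
            r.added.append(m.group(1))
            r.dns_spn = m.group(2) or r.dns_spn
        elif m := DEL_RE.match(line):
            r.deleted.append(m.group(1))
        elif m := ERR_RE.match(line):
            code = int(m.group(3), 16)
            r.error = {"ldap_code": int(m.group(1)), "ldap_name": m.group(2), "dsid": m.group(4),
                       "problem": int(m.group(5)), "problem_text": m.group(6), "win32_error": code, "win32_name": WIN32_NAMES.get(code)}
    return r
```

Run it as `parse_join_output(open("join.log").read())` on the captured output of a real join; the regexes only cover the message shapes seen in this thread.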