Hello Samba community!

I have a legacy system with 7 Windows VMs.
In this system, the domain user is used to run services and interact with individual parts.
I also have one PC on the domain from which I can run RSAT and can check the Zentyal webconfig.

domain controller objectVersion: 47
#samba-tool domain level show
Domain and forest function level for domain
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2

MasterDC on Zentyal 6.2 (Ubuntu 18.04.5 LTS) dc1.mydomain.lan already installed.
 -Samba 4.7.6-Ubuntu
 -BIND 9.11.3-1ubuntu1.17-Ubuntu
I'm not at all sure that everything is in order with this domain controller, but it somehow coped with its role for 5 years.
I found the following error when I did # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
> GENSEC backend 'gssapi_spnego', 'gssapi_krb5', 'gssapi_krb5_sasl',
> 'spnego', 'schannel', 'naclrpc_as_system', 'sasl-EXTERNAL', 'ntlmssp',
> 'ntlmssp_resume_ccache', 'http_basic', 'http_ntlm'
> 'krb5', 'fake_gssapi_krb5' registered
> Password for [MYDOMAIN\administrator]:
> Wrong username or password: kinit for administrator at MYDOMAIN.LAN failed
> (Client not found in Kerberos database)
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC1 failed
> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> ...
> resolve_lmhosts: Attempting lmhosts lookup for name DC2<0x20>
> Wrong username or password: kinit for administrator at MYDOMAIN.LAN failed
> (Client not found in Kerberos database)
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC2 failed
> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> ...
>
> * Comparing [DOMAIN] context...
but ldapcmp on BDC dc2.mydomain.lan doesn't show any errors.

And now I'm creating a BDC on Debian 12 bookworm, dc2.mydomain.lan
 -Samba 4.17.12-Debian
 -BIND 9.18.24-1-Debian
I'm starting with this manual:
https://samba.tranquil.it/doc/en/samba_config_server/debian/server_secondary_debian.html

After kinit administrator failed due to an error, I tried editing /etc/krb5kdc/kdc.conf but this can't help.
I used the Kerberos client configuration file (/etc/krb5.conf) from this manual (dns_lookup_kdc = true)
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
added a [realms] section to the Kerberos client configuration file and "kinit administrator" worked.

Today I had errors with identifiers 40970, 40960, 8019, so I think I have problems with Kerberos.
So what needs to be done to remove the errors and prevent machines from being disconnected from the domain?
Since I am planning to demote and remove DC1 due to security issues, what should I do to move the KDC to DC2?
I found a manual on how to set up a secondary KDC:
https://ubuntu.com/server/docs/how-to-set-up-a-secondary-kdc
Is this manual suitable for use with Samba?
On 26-06-2024 13:00, ?????? ??????? via samba wrote:
> Hello Samba community!
>
> I have a legacy system with 7 Windows VMs.
> In this system, the domain user is used to run services and interact
> with individual parts.
> I also have one PC on the domain from which I can run RSAT and can check
> the Zentyal webconfig.
>
> domain controller objectVersion: 47
> #samba-tool domain level show
> Domain and forest function level for domain
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
>
>
> MasterDC on Zentyal 6.2 (Ubuntu 18.04.5 LTS) dc1.mydomain.lan already
> installed.
>  -Samba 4.7.6-Ubuntu
>  -BIND 9.11.3-1ubuntu1.17-Ubuntu
> I'm not at all sure that everything is in order with this domain
> controller, but it somehow coped with its role for 5 years.
> I found the following error when I did # samba-tool ldapcmp ldap://DC1
> ldap://DC2 -Uadministrator
>> resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
>> GENSEC backend 'gssapi_spnego', 'gssapi_krb5', 'gssapi_krb5_sasl',
>> 'spnego', 'schannel', 'naclrpc_as_system', 'sasl-EXTERNAL',
>> 'ntlmssp', 'ntlmssp_resume_ccache', 'http_basic', 'http_ntlm'
>> 'krb5', 'fake_gssapi_krb5' registered
>> Password for [MYDOMAIN\administrator]:
>> Wrong username or password: kinit for administrator at MYDOMAIN.LAN
>> failed (Client not found in Kerberos database)
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC1 failed
>> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
>> ...
>> resolve_lmhosts: Attempting lmhosts lookup for name DC2<0x20>
>> Wrong username or password: kinit for administrator at MYDOMAIN.LAN
>> failed (Client not found in Kerberos database)
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC2 failed
>> (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
>> ...
>>
>> * Comparing [DOMAIN] context...
> but ldapcmp on BDC dc2.mydomain.lan doesn't show any errors.
>
> And now I'm creating a BDC on Debian 12 bookworm, dc2.mydomain.lan
>  -Samba 4.17.12-Debian
>  -BIND 9.18.24-1-Debian
> I'm starting with this manual:
> https://samba.tranquil.it/doc/en/samba_config_server/debian/server_secondary_debian.html
>
> After kinit administrator failed due to an error, I tried
> editing /etc/krb5kdc/kdc.conf but this can't help.
> I used the Kerberos client configuration file (/etc/krb5.conf) from this
> manual (dns_lookup_kdc = true)
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> added a [realms] section to the Kerberos client configuration file and
> "kinit administrator" worked.
>
>
> Today I had errors with identifiers 40970, 40960, 8019, so I think I
> have problems with Kerberos.
> So what needs to be done to remove the errors and prevent machines from
> being disconnected from the domain?
> Since I am planning to demote and remove DC1 due to security issues,
> what should I do to move the KDC to DC2?
> I found a manual on how to set up a secondary KDC:
> https://ubuntu.com/server/docs/how-to-set-up-a-secondary-kdc
> Is this manual suitable for use with Samba?

Something called a BDC is terminology from NT domains, which were replaced by Active Directory in Windows 2000. In AD every DC runs a KDC. In principle every DC is equal, except that one holds the FSMO roles to provide backward compatibility with NT domains.

The procedure to follow is more or less: deploy more DCs (follow the docs on the Samba wiki: wiki.samba.org), then transfer the FSMO roles, demote the old DC and remove it from the domain.

The docs from Tranquil.it are also up-to-date and well written. It is hard to give advice on any other docs; there are too many and lots of them are outdated.

- Kees.
On Wed, 26 Jun 2024 14:00:03 +0300
?????? ??????? via samba <samba at lists.samba.org> wrote:

> Hello Samba community!
>
> I have a legacy system with 7 Windows VMs.
> In this system, the domain user is used to run services and interact
> with individual parts.
> I also have one PC on the domain from which I can run RSAT and can
> check the Zentyal webconfig.
>
> domain controller objectVersion: 47
> #samba-tool domain level show
> Domain and forest function level for domain
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
>
>
> MasterDC on Zentyal 6.2 (Ubuntu 18.04.5 LTS) dc1.mydomain.lan already
> installed.
> -Samba 4.7.6-Ubuntu
> -BIND 9.11.3-1ubuntu1.17-Ubuntu

That is very old and hopelessly out of date.

> I'm not at all sure that everything is in order with this domain
> controller, but it somehow coped with its role for 5 years.
> I found the following error when I did # samba-tool ldapcmp
> ldap://DC1 ldap://DC2 -Uadministrator
> > resolve_lmhosts: Attempting lmhosts lookup for name DC1<0x20>
> > GENSEC backend 'gssapi_spnego', 'gssapi_krb5', 'gssapi_krb5_sasl',
> > 'spnego', 'schannel', 'naclrpc_as_system', 'sasl-EXTERNAL',
> > 'ntlmssp', 'ntlmssp_resume_ccache', 'http_basic', 'http_ntlm'
> > 'krb5', 'fake_gssapi_krb5' registered
> > Password for [MYDOMAIN\administrator]:
> > Wrong username or password: kinit for administrator at MYDOMAIN.LAN
> > failed (Client not found in Kerberos database)

It could just be that the Administrator password has expired; try resetting it with samba-tool, see:

samba-tool user setpassword --help

for more info.

> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC1 failed
> > (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> > ...
> > resolve_lmhosts: Attempting lmhosts lookup for name DC2<0x20>
> > Wrong username or password: kinit for administrator at MYDOMAIN.LAN
> > failed (Client not found in Kerberos database)
> > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/DC2 failed
> > (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> > ...
> >
> > * Comparing [DOMAIN] context...
> but ldapcmp on BDC dc2.mydomain.lan doesn't show any errors.
>
> And now I'm creating a BDC on Debian 12 bookworm, dc2.mydomain.lan
> -Samba 4.17.12-Debian
> -BIND 9.18.24-1-Debian
> I'm starting with this manual:
> https://samba.tranquil.it/doc/en/samba_config_server/debian/server_secondary_debian.html

The Tranquil IT stuff is usually pretty good.

> After kinit administrator failed due to an error, I tried
> editing /etc/krb5kdc/kdc.conf but this can't help.

Thing is, you shouldn't have /etc/krb5kdc/kdc.conf on a Samba AD DC. Have you installed the krb5-kdc package? If so, remove it immediately, if not sooner.

> I used the Kerberos client configuration file (/etc/krb5.conf) from this
> manual (dns_lookup_kdc = true)
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> added a [realms] section to the Kerberos client configuration file
> and "kinit administrator" worked.
>
>
> Today I had errors with identifiers 40970, 40960, 8019, so I think I
> have problems with Kerberos.
> So what needs to be done to remove the errors and prevent machines from
> being disconnected from the domain?
> Since I am planning to demote and remove DC1 due to security issues,
> what should I do to move the KDC to DC2?
> I found a manual on how to set up a secondary KDC:
> https://ubuntu.com/server/docs/how-to-set-up-a-secondary-kdc
> Is this manual suitable for use with Samba?

Absolutely not. Kerberos is built into a Samba AD DC and you shouldn't run a separate KDC, unless you have specifically built Samba to use MIT Kerberos instead of Heimdal, in which case you are running an experimental DC that you shouldn't use in production.
Rowland
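A pre-demotion check script, added here as an example and not taken from the Samba project, Tranquil IT or any poster in this thread, that turns Rowland's points (no separate KDC and no /etc/krb5kdc/kdc.conf on a Samba AD DC, a krb5.conf that finds the KDC through DNS as on the Samba wiki) and Kees's procedure (every FSMO role moved off the old DC before it is demoted) into checks that can be run on saved output. The krb5.conf fragments, the `samba-tool fsmo show` sample and the function names are constructed for this example.

```shell
#!/bin/sh
# Pre-demotion checks for a Samba AD DC. Added example for this thread, not
# code from the Samba project or the Tranquil IT docs; the paths, krb5.conf
# fragments and 'samba-tool fsmo show' sample below are constructed.

# A Samba AD DC ships its own (Heimdal) KDC, so the MIT krb5-kdc package and
# its /etc/krb5kdc/kdc.conf have no business on the box. Returns 0 when clean.
no_foreign_kdc() {
    kdcconf="${1:-/etc/krb5kdc/kdc.conf}"
    if [ -e "$kdcconf" ]; then
        echo "FAIL: $kdcconf present; purge the krb5-kdc package" >&2
        return 1
    fi
}

# The Samba wiki krb5.conf for a DC is three libdefaults lines and no [realms]
# block: KDCs are found via DNS SRV records. Needing a hand-written [realms]
# block, as in the original post, usually means those SRV records do not resolve.
krb5conf_is_wiki_style() {
    conf="$1"
    grep -Eq '^[[:space:]]*default_realm[[:space:]]*=' "$conf" &&
    grep -Eq '^[[:space:]]*dns_lookup_realm[[:space:]]*=[[:space:]]*false' "$conf" &&
    grep -Eq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$conf" &&
    ! grep -Eq '^[[:space:]]*\[realms\]' "$conf"
}

# Parse saved 'samba-tool fsmo show' output and confirm every role is owned by
# the DC that will stay; demote the old DC only when this returns 0.
fsmo_all_on() {
    dc="$1"; out="$2"
    roles=$(grep -c 'owner: ' "$out" || true)
    held=$(grep 'owner: ' "$out" | grep -ic "CN=NTDS Settings,CN=${dc}," || true)
    [ "$roles" -gt 0 ] && [ "$roles" -eq "$held" ]
}

# Constructed sample: six roles already moved to DC2, PDC emulator still on DC1.
sample_fsmo_output() {
    site='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan'
    for role in SchemaMaster InfrastructureMaster RidAllocationMaster \
                DomainNamingMaster DomainDnsZonesMaster ForestDnsZonesMaster; do
        echo "${role}Role owner: CN=NTDS Settings,CN=DC2,${site}"
    done
    echo "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,${site}"
}
```

On a real DC, feed `fsmo_all_on DC2` the output of `samba-tool fsmo show` saved to a file and run `no_foreign_kdc` with no argument to check the default path.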