On 20/11/12 02:08, pccom frank wrote:
Hi, I have deinstalled bind99 and re-made Samba4
But still, Samba4 not working.
The following are what I did.
Looks like it is the dnsupdate problem. This time, it is the samba4's
dnsupdate problem.
Do I have to initialize kdc server?
Those are copied from FreeBSD handbook for Kerberos 5.
.....
Note that this /etc/krb5.conf file implies that your KDC will have the
fully-qualified hostname of kerberos.example.org. You will need to add
a CNAME (alias) entry to your zone file to accomplish this if your
KDC has a different hostname.
*Note:* For large networks with a properly configured BIND
DNS server, the above example could be trimmed to:
[libdefaults]
default_realm = EXAMPLE.ORG
With the following lines being appended to the example.org zonefile:
_kerberos._udp IN SRV 01 00 88 kerberos.example.org.
_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.
_kpasswd._udp IN SRV 01 00 464 kerberos.example.org.
_kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.org.
_kerberos IN TXT EXAMPLE.ORG
*Note:* For clients to be able to find the *Kerberos* services,
you /must/ have either a fully configured /etc/krb5.conf or a
minimally configured /etc/krb5.conf /and/ a properly configured
DNS server.
Next we will create the *Kerberos* database. This database contains
the keys of all principals encrypted with a master password. You are
not required to remember this password, it will be stored in a file
(/var/heimdal/m-key). To create the master key, run kstash and enter a
password.
Once the master key has been created, you can initialize the database
using the kadmin program with the -l option (standing for “local”).
This option instructs kadmin to modify the database files directly
rather than going through the kadmind network service. This handles
the chicken-and-egg problem of trying to connect to the database
before it is created. Once you have the kadmin prompt, use the
init command to create your realm's initial database.
Lastly, while still in kadmin, create your first principal using the
add command. Stick to the default options for the principal for now,
you can always change them later with the modify command. Note that
you can use the ? command at any prompt to see the available options.
A sample database creation session is shown below:
# kstash
Master key:xxxxxxxx
Verifying password - Master key:xxxxxxxx
# kadmin -l
kadmin>init EXAMPLE.ORG
Realm max ticket life [unlimited]:
kadmin>add tillman
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password:xxxxxxxx
Verifying password - Password:xxxxxxxx
Now it is time to start up the KDC services. Run /etc/rc.d/kerberos
start and /etc/rc.d/kadmind start to bring up the services. Note that
you will not have any kerberized daemons running at this point but you
should be able to confirm that the KDC is functioning by obtaining and
listing a ticket for the principal (user) that you just created from
the command-line of the KDC itself:
% kinit tillman
tillman@EXAMPLE.ORG's Password:
% klist
Credentials cache: FILE:/tmp/krb5cc_500
Principal: tillman@EXAMPLE.ORG
Issued Expires Principal
Aug 27 15:37:58 Aug 28 01:37:58 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
The ticket can then be revoked when you have finished:
% kdestroy
================================
......
I did not do anything about Kerberos5. I am assuming Samba4 taking
care about it.
root@f10:/etc # cd /usr/ports/dns/bind99
root@f10:/usr/ports/dns/bind99 # make deinstall
===> Deinstalling for dns/bind99
===> Deinstalling bind99-9.9.2
The following packages will be deinstalled:
bind99-9.9.2
The deinstallation will free 33 MB
Deleting bind99-9.9.2... done
root@f10:/usr/ports/dns/bind99 # make clean
===> Cleaning for bind99-9.9.2
root@f10:/etc # cd /usr/local/samba-master
root@f10:/usr/local/samba-master # git pull
Already up-to-date.
root@f10:/usr/local/samba-master # make clean
WAF_MAKE=1 python ./buildtools/bin/waf clean
Selected embedded Heimdal build
'clean' finished successfully (8.929s)
root@f10:/usr/local/samba-master # make && make install
WAF_MAKE=1 python ./buildtools/bin/waf build
Waf: Entering directory `/usr/local/samba-master/bin'
Selected embedded Heimdal build
[ 1/3814] Generating replace.vscript
......
[3814/3814] Parse::Pidl::Wireshark::NDR.3:
pidl/lib/Parse/Pidl/Wireshark/NDR.pm ->
bin/default/pidl/Parse::Pidl::Wireshark::NDR.3
Waf: Leaving directory `/usr/local/samba-master/bin'
'build' finished successfully (1h5m44.673s)
WAF_MAKE=1 python ./buildtools/bin/waf install
Waf: Entering directory `/usr/local/samba-master/bin'
* creating /usr/local/samba/etc
* creating /usr/local/samba/private
* creating /usr/local/samba/var
* creating /usr/local/samba/private
* creating /usr/local/samba/var/lib
* creating /usr/local/samba/var/locks
* creating /usr/local/samba/var/cache
* creating /usr/local/samba/var/lock
* creating /usr/local/samba/var/run
* creating /usr/local/samba/var/run
Selected embedded Heimdal build
Checking project rules ...
Project rules pass
[ 1/4121] Generating replace.vscript
......
* installing bin/default/pidl/Parse::Pidl::Wireshark::NDR.3 as
/usr/local/samba/share/man/man3/Parse::Pidl::Wireshark::NDR.3
Waf: Leaving directory `/usr/local/samba-master/bin'
'install' finished successfully (13m48.405s)
root@f10:/usr/local/samba-master # rehash
root@f10:/usr/local/samba-master # cd ..
root@f10:/usr/local # rm /usr/local/samba/etc/smb.conf
root@f10:/usr/local # cd samba
root@f10:/usr/local/samba/bin # ./samba-tool domain provision
--realm=f10.pccom.ca --domain=dcf10 --adminpass='small@1' --server-role=dc
Looking up IPv4 addresses
Looking up IPv6 addresses
More than one IPv6 address found. Using fe80:1::92e6:baff:fe88:db31
....
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=f10,DC=pccom,DC=ca
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready
to use
Server Role: active directory domain controller
Hostname: f10
NetBIOS Domain: DCF10
DNS Domain: f10.pccom.ca
DOMAIN SID: S-1-5-21-2143356390-769797765-818328211
root@f10:/usr/local/samba/bin # cp /usr/local/samba/private/krb5.conf /etc
root@f10:/usr/local/samba/sbin # ./samba -i -M single
samba version 4.1.0pre1-GIT-e6a100e started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate: File
"/usr/local/samba/sbin/samba_dnsupdate", line 507, in <module>
/usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
/usr/local/samba/sbin/samba_dnsupdate: File
"/usr/local/samba/sbin/samba_dnsupdate", line 121, in get_credentials
/usr/local/samba/sbin/samba_dnsupdate: creds.get_named_ccache(lp,
ccachename)
/usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for
[email protected] failed (Cannot contact any KDC for requested realm)
/usr/local/samba/sbin/samba_dnsupdate:
../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
NT_STATUS_ACCESS_DENIED
^C
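Added example (not code from the thread, from Samba, or from the FreeBSD handbook): a simplified model of how a Kerberos client finds the KDC for its realm, using the two configurations the quoted handbook text describes (explicit `kdc =` lines in krb5.conf, or only `default_realm` plus the `_kerberos._udp` SRV record in DNS), and the failure seen in the samba_dnsupdate traceback when neither source yields a KDC. The sample krb5.conf and zone text are constructed from the handbook excerpt; `kerberos.example.org` is not a real host.

```python
import re
SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_krb5_conf(text):
    """Extract default_realm and each realm's 'kdc =' entries from krb5.conf text."""
    conf, section, realm = {"default_realm": None, "realms": {}}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "libdefaults" and line.startswith("default_realm"):
            conf["default_realm"] = line.split("=", 1)[1].strip()
        elif section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{", line)     # start of a "REALM = {" block
            if m:
                realm = m.group(1)
            elif realm and line.startswith("kdc"):
                conf["realms"].setdefault(realm, []).append(line.split("=", 1)[1].strip())
    return conf

def kdcs_from_zone(zone_text, realm, proto="udp"):
    """Emulate the SRV lookup for _kerberos._<proto>.<realm as DNS name> over zone-file text."""
    rel = f"_kerberos._{proto}"
    names = {rel, f"{rel}.{realm.lower()}."}        # relative or fully qualified owner name
    hits = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m and m.group(1) in names:                 # (priority, -weight, target, port)
            hits.append((int(m.group(2)), -int(m.group(3)), m.group(5).rstrip("."), int(m.group(4))))
    hits.sort()                                       # lowest priority first, then highest weight
    return [(host, port) for _, _, host, port in hits]

def locate_kdcs(conf, zone_text, realm=None):
    """Return [(host, port)] as a client would, or fail the way samba_dnsupdate did above."""
    realm = realm or conf["default_realm"]
    if not realm:
        raise RuntimeError("no default_realm in krb5.conf and none given")
    explicit = conf["realms"].get(realm, [])          # "kdc = host[:port]"; port defaults to 88
    if explicit:
        return [(h.split(":")[0], int(h.split(":")[1]) if ":" in h else 88) for h in explicit]
    kdcs = kdcs_from_zone(zone_text, realm)
    if not kdcs:
        raise RuntimeError(f"Cannot contact any KDC for requested realm {realm}")
    return kdcs

# Constructed samples: the handbook's minimal krb5.conf and its SRV zone lines.
MINIMAL_CONF = "[libdefaults]\n    default_realm = EXAMPLE.ORG\n"
ZONE = ("_kerberos._udp IN SRV 01 00 88 kerberos.example.org.\n"
        "_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.\n"
        "_kpasswd._udp IN SRV 01 00 464 kerberos.example.org.\n")
```

Calling `locate_kdcs(parse_krb5_conf(MINIMAL_CONF), "")` reproduces the "Cannot contact any KDC" condition: the realm is known, but nothing tells the client where its KDC lives.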
Hello again,
Your problem would seem to be that your version of nsupdate was not
compiled with GSSAPI; nsupdate is a bind program. You need to find out
what freebsd package contains nsupdate and either install a version that
has been compiled with GSSAPI or compile it yourself, adding
--with-openssl=<where ever openssl is> --with-gssapi=<where ever gssapi
is> to the configure line. You will also require the gssapi_krb5 and
OpenSSL libraries.
Sorry I cannot be any more help than this, but I have never used
freebsd, now if you were to jump distro and change to Ubuntu 12.04
server I could provide you with full working instructions.
Rowland