re,

found something different, but important:


root@linsrv:~# kinit LINSRV$@DOMAIN.LOCAL
kinit: Client not found in Kerberos database while getting initial credentials

root@linsrv:~# kinit administrator@DOMAIN.LOCAL
Password for administrator@DOMAIN.LOCAL:
Warning: Your password will expire in 979 days on Wed May 11 12:49:49 2016

-> Kerberos is working, but not for the machine!


But the account exists:

root@linsrv:~# wbinfo -i LINSRV$
DOMAIN\LINSRV$:*:3000023:3000024::/home/DOMAIN/LINSRV$:/bin/false


I looked for the Kerberos Keytab in /etc/krb5.keytab, but there is none.
So I created a new one:

samba-tool domain exportkeytab /etc/krb5.keytab

and did the dnsupdate again:

root@linsrv:~# samba_dnsupdate --verbose --all-names
IPs: ['172.16.0.202']
Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_dnsupdate", line 506, in <module>
    get_credentials(lp)
  File "/usr/local/samba/sbin/samba_dnsupdate", line 119, in get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for LINSRV$@DOMAIN.LOCAL failed (Cannot contact any KDC for requested realm)

and again the different error message with kinit:

root@linsrv:~# kinit LINSRV$@ITQUADRAT.LOCAL
kinit: Client not found in Kerberos database while getting initial credentials

But the account is in the Kerberos DB:

root@linsrv:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 LINSRV$@DOMAIN.LOCAL
   1 LINSRV$@DOMAIN.LOCAL
   1 LINSRV$@DOMAIN.LOCAL
[...]

So, again no idea :-/ Anybody?

Thanks and best regards
Tom


On 2013-09-04 11:13, Thomas Zeitinger wrote:
> Hi there,
>
> I am struggling with samba4 and the internal dns and kerberos.
>
> It seems that DNS is the problem.
>
> When I ask for Kerberos DNS entries on my workstation, I get this
> (11.22.33.202 is the samba4 server):
>
> root@lit2:~# dig _kerberos._udp.DOMAIN.LOCAL @11.22.33.202
>
> ; <<>> DiG 9.7.3 <<>> _kerberos._udp.DOMAIN.LOCAL @11.22.33.202
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3733
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;_kerberos._udp.DOMAIN.LOCAL. IN A
>
> ;; Query time: 1 msec
> ;; SERVER: 11.22.33.202#53(11.22.33.202)
> ;; WHEN: Wed Sep 4 10:10:33 2013
> ;; MSG SIZE rcvd: 48
>
>
> But if I ask the samba directly:
>
> root@linsrv:~# samba-tool dns query 11.22.33.202 DOMAIN.LOCAL
> _kerberos._udp ALL
> Password for [Administrator@DOMAIN.LOCAL]:
> Name=, Records=1, Children=0
> SRV: linsrv.domain.local. (88, 0, 100) (flags=f0, serial=110, ttl=900)
>
> root@linsrv:~# samba-tool dns query 11.22.33.202 DOMAIN.LOCAL linsrv ALL
> Password for [Administrator@DOMAIN.LOCAL]:
> Name=, Records=1, Children=0
> A: 11.22.33.202 (flags=f0, serial=110, ttl=900)
>
>
> It seems that the entries from the dns database don't get "propagated"
> to the dns server and I tried a "samba_dnsupdate --verbose --all-names".
>
> This is the result (with 'debug level = 10'):
>
> root@linsrv:/usr/local/samba# samba_dnsupdate --verbose --all-names
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[profiles]"
> Processing section "[homes]"
> Processing section "[daten]"
> Processing section "[install]"
> Processing section "[winupdate]"
> pm_process() returned Yes
> added interface eth0 ip=11.22.33.202 bcast=11.22.33.255
> netmask=255.255.255.0
> IPs: ['11.22.33.202']
> Security token SIDs (1):
>   SID[  0]: S-1-5-18
>  Privileges (0xFFFFFFFFFFFFFFFF):
>   Privilege[  0]: SeMachineAccountPrivilege
>   Privilege[  1]: SeTakeOwnershipPrivilege
>   Privilege[  2]: SeBackupPrivilege
>   Privilege[  3]: SeRestorePrivilege
>   Privilege[  4]: SeRemoteShutdownPrivilege
>   Privilege[  5]: SePrintOperatorPrivilege
>   Privilege[  6]: SeAddUsersPrivilege
>   Privilege[  7]: SeDiskOperatorPrivilege
>   Privilege[  8]: SeSecurityPrivilege
>   Privilege[  9]: SeSystemtimePrivilege
>   Privilege[ 10]: SeShutdownPrivilege
>   Privilege[ 11]: SeDebugPrivilege
>   Privilege[ 12]: SeSystemEnvironmentPrivilege
>   Privilege[ 13]: SeSystemProfilePrivilege
>   Privilege[ 14]: SeProfileSingleProcessPrivilege
>   Privilege[ 15]: SeIncreaseBasePriorityPrivilege
>   Privilege[ 16]: SeLoadDriverPrivilege
>   Privilege[ 17]: SeCreatePagefilePrivilege
>   Privilege[ 18]: SeIncreaseQuotaPrivilege
>   Privilege[ 19]: SeChangeNotifyPrivilege
>   Privilege[ 20]: SeUndockPrivilege
>   Privilege[ 21]: SeManageVolumePrivilege
>   Privilege[ 22]: SeImpersonatePrivilege
>   Privilege[ 23]: SeCreateGlobalPrivilege
>   Privilege[ 24]: SeEnableDelegationPrivilege
>  Rights (0x               0):
> lpcfg_servicenumber: couldn't find ldb
> schema_fsmo_init: we are master[yes] updates allowed[yes]
> ldb: ldb_trace_request: SEARCH
>  dn: @MODULES
>  scope: base
>  expr: (@LIST=*)
>  attr: @LIST
>  control: <NONE>
>
> ldb: ldb_trace_request: (tdb)->search
> ldb: Added timed event "ltdb_callback": 0x1bc3540
>
> ldb: Added timed event "ltdb_timeout": 0x26e86f0
>
> ldb: Running timer event 0x1bc3540 "ltdb_callback"
>
> ldb: ldb_trace_response: ENTRY
> dn: @MODULES
> @LIST: samba_secrets
>
>
>
> ldb: Destroying timer event 0x26e86f0 "ltdb_timeout"
>
> ldb: Ending timer event 0x1bc3540 "ltdb_callback"
>
> ldb: ldb_trace_request: REGISTER_CONTROL
> 1.2.840.113556.1.4.1413
>  control: <NONE>
>
> ldb: ldb_asprintf/set_errstring: unable to find module or backend to
> handle operation: request
> ldb: ldb_trace_request: SEARCH
>  dn: <rootDSE>
>  scope: base
>  expr: (objectClass=*)
>  attr: rootDomainNamingContext
>  attr: configurationNamingContext
>  attr: schemaNamingContext
>  attr: defaultNamingContext
>  control: <NONE>
>
> ldb: ldb_trace_request: (rdn_name)->search
> ldb: ldb_trace_next_request: (tdb)->search
> ldb: Added timed event "ltdb_callback": 0x2b4a450
>
> ldb: Added timed event "ltdb_timeout": 0x1fc5d10
>
> ldb: Running timer event 0x2b4a450 "ltdb_callback"
>
> ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
> ldb: Destroying timer event 0x1fc5d10 "ltdb_timeout"
>
> ldb: Ending timer event 0x2b4a450 "ltdb_callback"
>
> ldb_wrap open of secrets.ldb
> ldb: ldb_trace_request: SEARCH
>  dn: cn=Primary Domains
>  scope: sub
>  expr: (&(flatname=DOMAIN)(objectclass=primaryDomain))
>  attr: <ALL>
>  control: <NONE>
>
> ldb: ldb_trace_request: (rdn_name)->search
> ldb: ldb_trace_next_request: (tdb)->search
> ldb: Added timed event "ltdb_callback": 0x238f910
>
> ldb: Added timed event "ltdb_timeout": 0x2948fe0
>
> ldb: Running timer event 0x238f910 "ltdb_callback"
>
> ldb: ldb_trace_response: ENTRY
> dn: flatname=DOMAIN,cn=Primary Domains
> msDS-KeyVersionNumber: 1
> objectClass: top
> objectClass: primaryDomain
> objectClass: kerberosSecret
> objectSid: S-1-5-21-1406441594-952197255-810364793
> privateKeytab: secrets.keytab
> realm: DOMAIN.LOCAL
> saltPrincipal: host/linsrv.domain.local@DOMAIN.LOCAL
> samAccountName: LINSRV$
> secret:
> q~;iioq&Tf$JL6[]94jYps4+P<$$.HHk2vNoM8?&MO-HEfWN:cc<v>$8XJmos;Jbj59[z(
>  BW=+3wZ>Lra&mBWCZBiUzBQwsBVE]O&XK:X)<JX~OTZwkIRU4j?h]Pj3CND;T@9q$!WDbyew+HTAm
>  k%F?o@P7GPAj&QnhNKBhK$r
> secureChannelType: 6
> servicePrincipalName: HOST/linsrv
> servicePrincipalName: HOST/linsrv.domain.local
> objectGUID: c4f058db-ed80-466a-9b08-1ceb78957aa7
> whenCreated: 20130816104951.0Z
> whenChanged: 20130816104951.0Z
> uSNCreated: 7
> uSNChanged: 7
> name: DOMAIN
> flatname: DOMAIN
> distinguishedName: flatname=DOMAIN,cn=Primary Domains
>
>
>
> ldb: Destroying timer event 0x2948fe0 "ltdb_timeout"
>
> ldb: Ending timer event 0x238f910 "ltdb_callback"
>
> Traceback (most recent call last):
>   File "/usr/local/samba/sbin/samba_dnsupdate", line 506, in <module>
>     get_credentials(lp)
>   File "/usr/local/samba/sbin/samba_dnsupdate", line 119, in get_credentials
>     creds.get_named_ccache(lp, ccachename)
> RuntimeError: kinit for LINSRV$@DOMAIN.LOCAL failed (Cannot contact any
> KDC for requested realm)
>
>
> But Kerberos is working:
>
> root@linsrv:/usr/local/samba# kinit administrator@DOMAIN.LOCAL
> Password for administrator@DOMAIN.LOCAL:
> Warning: Your password will expire in 980 days on Wed May 11 12:49:49 2016
> root@linsrv:/usr/local/samba# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@DOMAIN.LOCAL
>
> Valid starting       Expires              Service principal
> 2013-09-04 11:08:51  2013-09-04 21:08:51  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
>         renew until 2013-09-05 11:08:47, Etype (skey, tkt):
> arcfour-hmac, arcfour-hmac
>
>
> I have no idea how to fix it and would be very glad if someone may help.
>
>
> root@linsrv:/usr/local/samba# samba --version
> Version 4.0.9
> root@linsrv:/usr/local/samba# cat /etc/debian_version
> 7.1
> root@linsrv:/usr/local/samba# uname -a
> Linux linsrv 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
>
>
> Best regards!
>

-- 
Thomas Zeitinger
Kundenbetreuung

IT-Quadrat   EDV Dienstleistungs- und Handels GmbH
Krongasse 8/2 A-1050 Wien
Tel: +43 (1) 311 44 00 - 10
Fax: +43 (1) 311 44 00 - 90
thomas.zeitin...@it2.at
www.it2.at

FN 287345t
UID ATU63123113

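A side note on the quoted dig output: the QUESTION SECTION shows `IN A`, i.e. dig was asked for an address record, while Kerberos clients locate the KDC through the `_kerberos._udp.<REALM>` SRV record. The following shell snippet is an added example, not part of the thread or of Samba, that performs the SRV lookup the way a client would and turns the answer into `host:port` pairs; `REALM` and the DNS server address are placeholders to replace, and the sample record in the usage branch is constructed.

```shell
#!/bin/sh
# Added example: KDC discovery via SRV records (what a Kerberos client does),
# as opposed to an A lookup of _kerberos._udp.<REALM>, which yields no answer.

# parse_srv: read "priority weight port target" lines as printed by
# `dig +short -t SRV`, and emit "target:port", lowest priority first.
parse_srv() {
    sort -n | while read -r prio weight port target; do
        [ -n "$target" ] || continue          # skip blank lines
        printf '%s:%s\n' "${target%.}" "$port" # drop trailing dot of the FQDN
    done
}

# kdc_lookup REALM [DNS_SERVER]: query the _kerberos._udp SRV record for the
# realm, optionally against a specific server, and list the KDC endpoints.
# Requires the `dig` utility from BIND (assumption: installed on the host).
kdc_lookup() {
    realm=$1
    server=${2:+@$2}                          # "@1.2.3.4" only when given
    # shellcheck disable=SC2086  (server must stay unquoted so it can be empty)
    result=$(dig +short -t SRV "_kerberos._udp.$realm" $server | parse_srv)
    if [ -z "$result" ]; then
        echo "no _kerberos._udp SRV record for realm $realm" >&2
        return 1
    fi
    printf '%s\n' "$result"
}

# Stand-alone usage: `sh kdc_check.sh DOMAIN.LOCAL 172.16.0.202`.
# With no arguments, demonstrate the parser on a constructed SRV answer.
if [ "$#" -ge 1 ]; then
    kdc_lookup "$@"
elif [ -z "${KDC_CHECK_NO_DEMO:-}" ]; then
    printf '0 100 88 linsrv.domain.local.\n' | parse_srv   # constructed sample
fi
```

The `kdc_lookup` exit status lets the check be dropped into a monitoring job: a non-zero return means the realm's KDC is not discoverable through DNS, which is exactly the condition behind a "Cannot contact any KDC for requested realm" error on a DNS-configured client.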
