I'm using krb5-user. I've restored the default krb5.conf and then
rebooted, but the situation is as before:
leo@blackbox:~$ ls -l /etc/krb5.conf
-rw-r--r-- 1 root root 115 Apr 8 16:54 /etc/krb5.conf
leo@blackbox:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = IRISHTOWN.LOCALONLY.RVCOMERFORD.IE
dns_lookup_realm = false
dns_lookup_kdc = true
leo@blackbox:~$ host -t SRV _ldap._tcp.irishtown.localonly.rvcomerford.ie
_ldap._tcp.irishtown.localonly.rvcomerford.ie has SRV record 0 100 389 blackbox.irishtown.localonly.rvcomerford.ie.
leo@blackbox:~$ host -t SRV _kerberos._udp.irishtown.localonly.rvcomerford.ie
_kerberos._udp.irishtown.localonly.rvcomerford.ie has SRV record 0 100 88 blackbox.irishtown.localonly.rvcomerford.ie.
leo@blackbox:~$ host -t A blackbox.irishtown.localonly.rvcomerford.ie
blackbox.irishtown.localonly.rvcomerford.ie has address 10.37.55.20
leo@blackbox:~$ sudo kinit -V [email protected]
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
kinit: Cannot contact any KDC for realm 'IRISHTOWN.LOCALONLY.RVCOMERFORD.IE' while getting initial credentials
Here are some other outputs that might be relevant. Things related to bind:
leo@blackbox:~$ ls -l /etc/bind/named.conf
-rw-r--r-- 1 root bind 508 Apr 7 13:28 /etc/bind/named.conf
leo@blackbox:~$ cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
leo@blackbox:~$ ls -l /etc/bind/named.conf.local
-rw-r--r-- 1 root bind 165 Jan 27 02:54 /etc/bind/named.conf.local
leo@blackbox:~$ cat /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
leo@blackbox:~$ ls -l /etc/bind/named.conf.options
-rw-r--r-- 1 644 bind 950 Apr 7 15:41 /etc/bind/named.conf.options
leo@blackbox:~$ cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
leo@blackbox:~$ sudo rndc status
version: 9.8.1-P1
CPUs found: 2
worker threads: 2
number of zones: 20
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Some networking details:
leo@blackbox:~$ sudo ifconfig -a
eth0 Link encap:Ethernet HWaddr e0:cb:4e:ab:1e:dc
inet addr:10.37.55.20 Bcast:10.37.55.255 Mask:255.255.255.0
inet6 addr: fe80::e2cb:4eff:feab:1edc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10267 errors:0 dropped:0 overruns:0 frame:0
TX packets:4379 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1492519 (1.4 MB) TX bytes:583073 (583.0 KB)
Interrupt:41
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:826 errors:0 dropped:0 overruns:0 frame:0
TX packets:826 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:110091 (110.0 KB) TX bytes:110091 (110.0 KB)
virbr0 Link encap:Ethernet HWaddr 96:96:10:19:44:c8
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
leo@blackbox:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And /etc/samba/smb.conf:
leo@blackbox:~$ ls -l /etc/samba/smb.conf
-rw-r--r-- 1 root root 395 Apr 7 12:40 /etc/samba/smb.conf
leo@blackbox:~$ cat /etc/samba/smb.conf
# Global parameters
[global]
server role = domain controller
workgroup = IRISHTOWN
realm = irishtown.localonly.rvcomerford.ie
netbios name = BLACKBOX
passdb backend = samba4
[netlogon]
path = /var/lib/samba/sysvol/irishtown.localonly.rvcomerford.ie/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[test]
path = /srv/testshare
read only = no
--
https://bugs.launchpad.net/bugs/976138
Title:
kerberos setup fails, with broken krb5.conf