Good morning!
First of all thanks Rowland for the fast answer yesterday! I realized
that samba-technical might have been the wrong mailing list and
switched it to the normal samba users list (hopefully it worked, as it
does get a bit confusing with spamgourmets addresses!). Unfortunately
the problem with samba_dnsupdate remains after the changes.
I did changed the smb.conf, krb5.conf, and hosts as requested. I am
pretty new to both samba and linux and added most lines to the configs
that looked promising.
Expected the DC itself to be able to join the domain (again), as I
remembered it to be possible after a classicupgrade with the samba
internal dns.
Regarding BIND, I am using version 9.9 on Debian Jessie and read it is
not necessary to build it yourself and configure it with dlopen (see
here <https://lists.samba.org/archive/samba/2015-January/188049.html>).
named -g -c /etc/bind/named.conf -u named -d3 2>&1 | grep -i dlz
19-Mar-2015 08:05:26.396 Registering DLZ_dlopen driver
19-Mar-2015 08:05:26.396 Registering SDLZ driver 'dlopen'
19-Mar-2015 08:05:26.396 Registering DLZ driver 'dlopen'
19-Mar-2015 08:05:26.405 Loading SDLZ driver.
19-Mar-2015 08:05:26.646 samba_dlz: started for DN
DC=intranet,DC=mayweg,DC=net
19-Mar-2015 08:05:26.646 SDLZ driver loaded successfully.
19-Mar-2015 08:05:26.646 DLZ driver loaded successfully.
19-Mar-2015 08:05:26.646 samba_dlz: starting configure
19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone
'11.168.192.in-addr.arpa'
19-Mar-2015 08:05:26.647 samba_dlz: configured writeable zone
'intranet.mayweg.net <http://intranet.mayweg.net>'
19-Mar-2015 08:05:26.648 samba_dlz: configured writeable zone
'_msdcs.intranet.mayweg.net <http://msdcs.intranet.mayweg.net>'
The error for samba_dnsupdate --all-names remains (btw, without
ldb: Destroying timer event 0x233f310 "ltdb_timeout"
ldb: Ending timer event 0x1d2bb70 "ltdb_callback"
File "/usr/sbin/samba_dnsupdate", line 612, in <module>
get_credentials(lp)
File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
raise e
<http://INTRANET.MAYWEG.NET> failed (Cannot contact any KDC for
requested realm)
Again, I'm very grateful for any hints where the problem could
originate from.
Greetings,
Timo
Hello,
I am trying to upgrade an Samba 3 DC to an Samba 4 AD DC with BIND9_DLZ
backend on Debian Jessie. Before I was using tinydns on a different server
and want to replace it with BIND.
I'm trying this with copies of virtual machines in a different subnet (The
debian jessie AD DC and DNS, a Win7 Client used for RSAT tools
administration, a debian squeezy file server that is part of the domain and
an xp client).
For the most part the new configuration is working, a lot thanks to
exploration of the wiki and the mailing list archives, but I cannot resolve
the hostnames of domain members and think it is because dynamic DNS updates
through kerberos aren't working.
When I try "samba_dnsupdate --verbose --all-names", I get the following
ldb: Destroying timer event 0x1a42d10 "ltdb_timeout"
ldb: Ending timer event 0x1859f30 "ltdb_callback"
File "/usr/sbin/samba_dnsupdate", line 612, in <module>
get_credentials(lp)
File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
raise e
<http://INTRANET.MAYWEG.NET> failed (Cannot
contact any KDC for requested realm)
I can join the domain with windows & linux machines and administer it and
the dns server with RSAT tools. Neither SELinux nor Apparmor are present.
The dns tests from the samba ad dc howto
<https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#BIND9_DNS_Backend> were
host -t SRV _ldap._tcp.intranet.mayweg.net
<http://tcp.intranet.mayweg.net>.
_ldap._tcp.intranet.mayweg.net
<http://tcp.intranet.mayweg.net> has SRV record 0 100 389
server06.intranet.mayweg.net
<http://server06.intranet.mayweg.net>.
host -t SRV _kerberos._udp.intranet.mayweg.net
<http://udp.intranet.mayweg.net>.
_kerberos._udp.intranet.mayweg.net
<http://udp.intranet.mayweg.net> has SRV record 0 100 88
server06.intranet.mayweg.net
<http://server06.intranet.mayweg.net>.
host -t A server06.intranet.mayweg.net
<http://server06.intranet.mayweg.net>.
server06.intranet.mayweg.net
<http://server06.intranet.mayweg.net> has address 192.168.11.250
I can resolve the server06.intranet.mayweg.net
<http://server06.intranet.mayweg.net> and intranet.mayweg.net
<http://intranet.mayweg.net> on
all machines, but hostnames of machines I joined to the domain are not
resolvable from other domain members. A linux machine that joined had the
Joined 'SERVER13' to realm 'intranet.mayweg.net
<http://intranet.mayweg.net>'
DNS update failed!
I can get kerberos tickets on all machines, and join the domain using net
ads join from all of them but the ad dc itself.
On server06 "net ads join -Uadministrator" returns
Failed to join domain: This operation is only allowed for the PDC of the
domain. Maybe this has something to do with the dns updates not working.
You do not run 'net ads join' on a DC, the provision does it for
you (or as in your case, the upgrade procedure)
I'll follow up with version info and configuration files (interfaces,
resolv.conf, hosts, smb.conf, krb5.conf, named.conf).
Samba version is 4.1.17, BIND 9.9.5. Unnecessarily I had the MIT
implementations of krb5-admin-server and krb5-kdc installed and configured
until I realized Samba4 brings the heimdal implementation of kerberos with
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.11.250
netmask 255.255.255.0
network 192.168.11.0
broadcast 192.168.11.255
nameserver 192.168.11.250 #had 127.0.0.1 before with the same error
domain intranet.mayweg.net <http://intranet.mayweg.net>
127.0.0.1 localhost localhost.localdomain
192.168.11.250 server06.intranet.mayweg.net
<http://server06.intranet.mayweg.net> server06
krb.intranet.mayweg.net <http://krb.intranet.mayweg.net>
kdc.intranet.mayweg.net <http://kdc.intranet.mayweg.net>
intranet.mayweg.net <http://intranet.mayweg.net>
Remove everything from the '192.168.11.250' line from 'krb'
onwards, they shouldn't be there.
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
[global]
workgroup = MAYWEG.NET <http://MAYWEG.NET>
realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET>
netbios name = SERVER06
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
#added after classicupgrade
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
domain logons = yes
[netlogon]
path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
<http://intranet.mayweg.net/scripts>
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
remove everything you added to smb.conf
[libdefaults]
default_realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET>
dns_lookup_realm = true #changed to true
dns_lookup_kdc = true
#added after classicupgrade
[realms]
INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET> = {
kdc = krb.intranet.mayweg.net
<http://krb.intranet.mayweg.net>
admin_server = krb.intranet.mayweg.net
<http://krb.intranet.mayweg.net>
default_domain = intranet.mayweg.net
<http://intranet.mayweg.net>
}
[domain_realm]
.intranet.mayweg.net <http://intranet.mayweg.net> =
INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET>
intranet.mayweg.net <http://intranet.mayweg.net> =
INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET>
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
Change krb5.conf back to what it was.
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
# database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};
logging {
channel update_debug {
file "/var/log/update_debug.log" versions 3 size 100k;
severity debug;
print-severity yes;
print-time yes;
};
channel security_info {
file "/var/log/security_info.log" versions 1 size 100k;
severity info;
print-severity yes;
print-time yes;
};
channel bind_log {
file "/var/log/bind.log" versions 3 size 1m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { bind_log; };
category lame-servers { null; };
category update { update_debug; };
category update-security { update_debug; };
category security { security_info; };
};
options {
directory "/var/named";
recursion yes;
dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain yes;
notify no;
empty-zones-enable no;
allow-query {
127.0.0.1;
192.168.11.0/24 <http://192.168.11.0/24>;
# add other networks you want to allow to query your DNS
};
allow-query-cache {
127.0.0.1;
192.168.11.0/24 <http://192.168.11.0/24>;
# add other networks you want to allow to query your DNS
};
allow-recursion {
192.168.11.0/24 <http://192.168.11.0/24>;
127.0.0.1;
# add other networks you want to allow to do
recursive queries
};
forwarders {
# Google public DNS server here - replace with your
own if necessary
};
allow-transfer {
# this config is for a single master DNS server
none;
};
};
I hope I provided all the necessary information and am
grateful for any
hints on where to look for a fix to this problem.
Greetings,
Timo
Finally, was the version of bind you are using configured with dlopen ?
Rowland