
[Samba] dns update fails (kerberos)


Thomas Zeitinger
Sep 4, 2013, 5:13:43 AM

Hi there,

I am struggling with samba4 and the internal dns and kerberos.

It seems that DNS is the problem.

When I ask for the Kerberos DNS entries from my workstation, I get this
(11.22.33.202 is the samba4 server):

root@lit2:~# dig _kerberos._udp.DOMAIN.LOCAL @11.22.33.202

; <<>> DiG 9.7.3 <<>> _kerberos._udp.DOMAIN.LOCAL @11.22.33.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3733
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;_kerberos._udp.DOMAIN.LOCAL. IN A

;; Query time: 1 msec
;; SERVER: 11.22.33.202#53(11.22.33.202)
;; WHEN: Wed Sep 4 10:10:33 2013
;; MSG SIZE rcvd: 48


But if I ask the samba directly:

root@linsrv:~# samba-tool dns query 11.22.33.202 DOMAIN.LOCAL _kerberos._udp ALL
Password for [Admini...@DOMAIN.LOCAL]:
Name=, Records=1, Children=0
SRV: linsrv.domain.local. (88, 0, 100) (flags=f0, serial=110, ttl=900)

root@linsrv:~# samba-tool dns query 11.22.33.202 DOMAIN.LOCAL linsrv ALL
Password for [Admini...@DOMAIN.LOCAL]:
Name=, Records=1, Children=0
A: 11.22.33.202 (flags=f0, serial=110, ttl=900)


It seems that the entries from the DNS database don't get "propagated"
to the DNS server, so I tried a "samba_dnsupdate --verbose --all-names".

This is the result (with 'debug level = 10'):

root@linsrv:/usr/local/samba# samba_dnsupdate --verbose --all-names
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[profiles]"
Processing section "[homes]"
Processing section "[daten]"
Processing section "[install]"
Processing section "[winupdate]"
pm_process() returned Yes
added interface eth0 ip=11.22.33.202 bcast=11.22.33.255 netmask=255.255.255.0
IPs: ['11.22.33.202']
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0xFFFFFFFFFFFFFFFF):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProfileSingleProcessPrivilege
Privilege[ 15]: SeIncreaseBasePriorityPrivilege
Privilege[ 16]: SeLoadDriverPrivilege
Privilege[ 17]: SeCreatePagefilePrivilege
Privilege[ 18]: SeIncreaseQuotaPrivilege
Privilege[ 19]: SeChangeNotifyPrivilege
Privilege[ 20]: SeUndockPrivilege
Privilege[ 21]: SeManageVolumePrivilege
Privilege[ 22]: SeImpersonatePrivilege
Privilege[ 23]: SeCreateGlobalPrivilege
Privilege[ 24]: SeEnableDelegationPrivilege
Rights (0x 0):
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[yes] updates allowed[yes]
ldb: ldb_trace_request: SEARCH
dn: @MODULES
scope: base
expr: (@LIST=*)
attr: @LIST
control: <NONE>

ldb: ldb_trace_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x1bc3540

ldb: Added timed event "ltdb_timeout": 0x26e86f0

ldb: Running timer event 0x1bc3540 "ltdb_callback"

ldb: ldb_trace_response: ENTRY
dn: @MODULES
@LIST: samba_secrets



ldb: Destroying timer event 0x26e86f0 "ltdb_timeout"

ldb: Ending timer event 0x1bc3540 "ltdb_callback"

ldb: ldb_trace_request: REGISTER_CONTROL
1.2.840.113556.1.4.1413
control: <NONE>

ldb: ldb_asprintf/set_errstring: unable to find module or backend to
handle operation: request
ldb: ldb_trace_request: SEARCH
dn: <rootDSE>
scope: base
expr: (objectClass=*)
attr: rootDomainNamingContext
attr: configurationNamingContext
attr: schemaNamingContext
attr: defaultNamingContext
control: <NONE>

ldb: ldb_trace_request: (rdn_name)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x2b4a450

ldb: Added timed event "ltdb_timeout": 0x1fc5d10

ldb: Running timer event 0x2b4a450 "ltdb_callback"

ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
ldb: Destroying timer event 0x1fc5d10 "ltdb_timeout"

ldb: Ending timer event 0x2b4a450 "ltdb_callback"

ldb_wrap open of secrets.ldb
ldb: ldb_trace_request: SEARCH
dn: cn=Primary Domains
scope: sub
expr: (&(flatname=DOMAIN)(objectclass=primaryDomain))
attr: <ALL>
control: <NONE>

ldb: ldb_trace_request: (rdn_name)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x238f910

ldb: Added timed event "ltdb_timeout": 0x2948fe0

ldb: Running timer event 0x238f910 "ltdb_callback"

ldb: ldb_trace_response: ENTRY
dn: flatname=DOMAIN,cn=Primary Domains
msDS-KeyVersionNumber: 1
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-1406441594-952197255-810364793
privateKeytab: secrets.keytab
realm: DOMAIN.LOCAL
saltPrincipal: host/linsrv.do...@DOMAIN.LOCAL
samAccountName: LINSRV$
secret:
q~;iioq&Tf$JL6[]94jYps4+P<$$.HHk2vNoM8?&MO-HEfWN:cc<v>$8XJmos;Jbj59[z(
BW=+3wZ>Lra&mBWCZBiUzBQwsBVE]O&XK:X)<JX~OTZwkIRU4j?h]Pj3CND;T@9q$!WDbyew+HTAm
k%F?o@P7GPAj&QnhNKBhK$r
secureChannelType: 6
servicePrincipalName: HOST/linsrv
servicePrincipalName: HOST/linsrv.domain.local
objectGUID: c4f058db-ed80-466a-9b08-1ceb78957aa7
whenCreated: 20130816104951.0Z
whenChanged: 20130816104951.0Z
uSNCreated: 7
uSNChanged: 7
name: DOMAIN
flatname: DOMAIN
distinguishedName: flatname=DOMAIN,cn=Primary Domains



ldb: Destroying timer event 0x2948fe0 "ltdb_timeout"

ldb: Ending timer event 0x238f910 "ltdb_callback"

Traceback (most recent call last):
File "/usr/local/samba/sbin/samba_dnsupdate", line 506, in <module>
get_credentials(lp)
File "/usr/local/samba/sbin/samba_dnsupdate", line 119, in get_credentials
creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for LINSRV$@DOMAIN.LOCAL failed (Cannot contact any
KDC for requested realm)


But Kerberos is working:

root@linsrv:/usr/local/samba# kinit admini...@DOMAIN.LOCAL
Password for admini...@DOMAIN.LOCAL:
Warning: Your password will expire in 980 days on Wed May 11 12:49:49 2016
root@linsrv:/usr/local/samba# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admini...@DOMAIN.LOCAL

Valid starting Expires Service principal
2013-09-04 11:08:51 2013-09-04 21:08:51 krbtgt/DOMAIN...@DOMAIN.LOCAL
renew until 2013-09-05 11:08:47, Etype (skey, tkt):
arcfour-hmac, arcfour-hmac


I have no idea how to fix it and would be very glad if someone could help.


root@linsrv:/usr/local/samba# samba --version
Version 4.0.9
root@linsrv:/usr/local/samba# cat /etc/debian_version
7.1
root@linsrv:/usr/local/samba# uname -a
Linux linsrv 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux


Best regards!

--
Thomas Zeitinger
Kundenbetreuung

IT-Quadrat EDV Dienstleistungs- und Handels GmbH
Krongasse 8/2 A-1050 Wien
Tel: +43 (1) 311 44 00 - 10
Fax: +43 (1) 311 44 00 - 90
Thomas.Z...@it2.at
www.it2.at

FN 287345t
UID ATU63123113

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
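One detail worth checking in the dig output above: its question section reads `IN A`, so it asked for an address record under `_kerberos._udp.DOMAIN.LOCAL`, while the record samba-tool shows for that name is an SRV record, which is what a Kerberos client looks up to find a KDC. The script below is an added example for this thread, not code from the post or from Samba: it builds the SRV query, sends it to a nameserver and decodes the SRV answers (priority, weight, port, target). `build_srv_query`, `parse_srv_response`, `query_kdc_srv` and `sample_response` are names chosen here, and the reply bytes in `sample_response` are constructed to mirror the samba-tool output (linsrv.domain.local, port 88, priority 0, weight 100, TTL 900).

```python
"""Build the SRV query Kerberos clients use to find a KDC and decode the
answer.  Added example for this thread, not Samba code.  build_srv_query,
parse_srv_response, query_kdc_srv and sample_response are this example's
own names; the bytes in sample_response are constructed."""
import socket
import struct

QTYPE_SRV, QCLASS_IN = 33, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_srv_query(realm, txid, service="_kerberos", proto="_udp"):
    """One question, _kerberos._udp.<realm> IN SRV, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = "%s.%s.%s" % (service, proto, realm)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def read_name(msg, off):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # pointer to an earlier name
            if end is None:
                end = off + 2                        # parsing resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                            # guard against pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_srv_response(msg, expected_txid):
    """Return (rcode name, [(priority, weight, port, target), ...]).

    Checks the transaction id and the QR bit, skips the echoed question and
    ignores non-SRV answers (a CNAME or A record in the same section)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        _name, off = read_name(msg, off)
        off += 4                                     # qtype + qclass
    records = []
    for _ in range(an):
        _name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F)), records


def query_kdc_srv(server, realm, txid=0x1234, timeout=2.0):
    """Live check: send the query to <server>:53 over UDP and decode the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query(realm, txid), (server, 53))
        data, _peer = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_srv_response(data, txid)


def sample_response(txid=0x1234):
    """Constructed reply mirroring the samba-tool output in the thread:
    authoritative NOERROR, one SRV record for linsrv.domain.local, port 88,
    priority 0, weight 100, TTL 900."""
    question = encode_name("_kerberos._udp.DOMAIN.LOCAL") + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    rdata = struct.pack("!HHH", 0, 100, 88) + encode_name("linsrv.domain.local")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 900, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    print(parse_srv_response(sample_response(), 0x1234))
```

Against a live server, `query_kdc_srv("11.22.33.202", "DOMAIN.LOCAL")` sends the same question that `dig SRV _kerberos._udp.DOMAIN.LOCAL @11.22.33.202` would; the transaction-id check is the minimal guard against accepting a stale or spoofed datagram, which a bare `sendto`/`recvfrom` loop would otherwise do.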

Thomas Zeitinger
Sep 5, 2013, 6:41:51 AM
re,

found something different, but important:


root@linsrv:~# kinit LINSRV$@DOMAIN.LOCAL
kinit: Client not found in Kerberos database while getting initial
credentials

root@linsrv:~# kinit admini...@DOMAIN.LOCAL
Password for admini...@DOMAIN.LOCAL:
Warning: Your password will expire in 979 days on Wed May 11 12:49:49 2016

-> Kerberos is working, but not for the machine!


But the account exists:

root@linsrv:~# wbinfo -i LINSRV$
DOMAIN\LINSRV$:*:3000023:3000024::/home/DOMAIN/LINSRV$:/bin/false


I looked for the Kerberos keytab in /etc/krb5.keytab, but there is none.
So I created a new one:

samba-tool domain exportkeytab /etc/krb5.keytab

and did the dnsupdate again:

root@linsrv:~# samba_dnsupdate --verbose --all-names
IPs: ['172.16.0.202']
Traceback (most recent call last):
File "/usr/local/samba/sbin/samba_dnsupdate", line 506, in <module>
get_credentials(lp)
File "/usr/local/samba/sbin/samba_dnsupdate", line 119, in get_credentials
creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for LINSRV$@DOMAIN.LOCAL failed (Cannot contact any
KDC for requested realm)

and again a different error message with kinit:

root@linsrv:~# kinit LINSRV$@ITQUADRAT.LOCAL
kinit: Client not found in Kerberos database while getting initial
credentials

But the account is in the Kerberos DB:

root@linsrv:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 LINSRV$@DOMAIN.LOCAL
   1 LINSRV$@DOMAIN.LOCAL
   1 LINSRV$@DOMAIN.LOCAL
[...]

So, again no idea :-/ Anybody?

Thanks and best regards
Tom

Thomas Zeitinger
Sep 5, 2013, 11:41:31 AM
Hey!

I found another interesting fact:

samba_dnsupdate --verbose --all-names -d 10

shows me:

[...]
privateKeytab: secrets.keytab
[...]

So I tried

root@linsrv:~# klist -t -k /usr/local/samba/private/secrets.keytab
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL


Is it a problem that the host is 5 times in the secrets.keytab?

How can I verify that?



On 2013-09-05 12:41, Thomas Zeitinger wrote:
> [...]
> root@linsrv:~# samba_dnsupdate --verbose --all-names
> IPs: ['172.16.0.202']
> Traceback (most recent call last):
> File "/usr/local/samba/sbin/samba_dnsupdate", line 506, in <module>
> get_credentials(lp)
> File "/usr/local/samba/sbin/samba_dnsupdate", line 119, in get_credentials
> creds.get_named_ccache(lp, ccachename)
> RuntimeError: kinit for LINSRV$@DOMAIN.LOCAL failed (Cannot contact any
> KDC for requested realm)
>
> and again the different error message with kinit:
>
> [..]
>
> But the account is in the Kerberos DB:
>
> root@linsrv:~# klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 LINSRV$@DOMAIN.LOCAL
>    1 LINSRV$@DOMAIN.LOCAL
>    1 LINSRV$@DOMAIN.LOCAL
> [...]

Burgess, Adam
Sep 5, 2013, 12:07:00 PM
They will likely be different entries with different kvno and encryption type combinations. Not sure what syntax your klist uses, but the -e option may give you the encryption type output, for example.


Adam

Thomas Zeitinger
Sep 6, 2013, 3:45:25 AM
Ah, ok. You are right:

root@linsrv:/usr/local/samba/private# klist -e -t -k /usr/local/samba/private/secrets.keytab
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL (des-cbc-crc)
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL (des-cbc-crc)
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL (des-cbc-crc)
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL (des-cbc-md5)
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL (des-cbc-md5)
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL (des-cbc-md5)
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL (arcfour-hmac)
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL (arcfour-hmac)
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL (arcfour-hmac)
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 2013-08-16 12:49:52 HOST/lin...@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 2013-08-16 12:49:52 HOST/linsrv.do...@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 2013-08-16 12:49:52 LINSRV$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
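The question "is it a problem that the host is 5 times in the keytab?" and Adam's answer (one line per kvno and enctype combination) can be verified programmatically rather than by eye. The script below is an added example for this thread, not code from the posts or from Samba: a reader for the MIT keytab format that `samba-tool domain exportkeytab` writes, which groups entries by principal and kvno so that the fifteen lines above collapse into three principals with one kvno and five enctypes each. It also reports true duplicates (the same principal, kvno and enctype stored twice) and entries carrying single-DES or RC4 keys, which a DC should not be issuing. `parse_keytab`, `summarize`, `build_keytab` and the `SAMPLE` bytes are this example's own; the sample is constructed from the principal names in the thread (`HOST/linsrv`, `HOST/linsrv.domain.local`, `LINSRV$`), and the parser assumes keytab format version 0x0502, the version current MIT and Heimdal tools write.

```python
"""Read an MIT-format keytab and group its entries by principal, kvno and
enctype.  Added example for this thread, not Samba code.  parse_keytab,
summarize, build_keytab and the SAMPLE bytes are this example's own."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}      # single DES and RC4: downgrade targets


def _counted(data, off):
    """uint16 length followed by that many bytes."""
    n = struct.unpack("!H", data[off:off + 2])[0]
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype, timestamp)] for every live entry.

    Layout (version 0x0502, big-endian): per entry an int32 size (negative
    marks a deleted slot), uint16 component count, counted realm, counted
    components, uint32 name type, uint32 timestamp, uint8 vno8, uint16
    enctype, counted key, and an optional uint32 vno32 in any 4 bytes left."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack("!i", data[off:off + 4])[0]
        off += 4
        if size < 0:                      # hole left by an earlier ktremove
            off += -size
            continue
        end = off + size
        ncomp = struct.unpack("!H", data[off:off + 2])[0]
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _ntype, ts, vno8, etype = struct.unpack("!IIBH", data[off:off + 11])
        off += 11
        _key, off = _counted(data, off)   # key material is not needed here
        vno = vno8
        if end - off >= 4:                # 32-bit kvno wins when present and nonzero
            vno = struct.unpack("!I", data[off:off + 4])[0] or vno8
        off = end
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, etype, ts))
    return entries


def summarize(entries):
    """principal -> kvno -> enctype names, plus true duplicates (same
    principal, kvno and enctype more than once) and weak-enctype entries."""
    by_principal, dups, weak, seen = {}, [], [], set()
    for principal, vno, etype, _ts in entries:
        name = ENCTYPES.get(etype, "etype %d" % etype)
        by_principal.setdefault(principal, {}).setdefault(vno, []).append(name)
        if (principal, vno, etype) in seen:
            dups.append((principal, vno, etype))
        seen.add((principal, vno, etype))
        if etype in WEAK_ENCTYPES:
            weak.append((principal, name))
    return by_principal, dups, weak


def build_keytab(entries):
    """Inverse of parse_keytab; used only to construct the sample file."""
    def counted(b):
        return struct.pack("!H", len(b)) + b
    out = b"\x05\x02"
    for principal, vno, etype, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack("!H", len(comps)) + counted(realm.encode())
        body += b"".join(counted(c.encode()) for c in comps)
        body += struct.pack("!IIBH", 1, ts, vno & 0xFF, etype)   # name type 1 = KRB5_NT_PRINCIPAL
        body += counted(b"\x00" * 16) + struct.pack("!I", vno)   # dummy key, then vno32
        out += struct.pack("!i", len(body)) + body
    return out


# Constructed sample mirroring the thread: three principals, kvno 1, five enctypes each.
SAMPLE = build_keytab([
    (p, 1, e, 1376650192)
    for e in (1, 3, 23, 17, 18)
    for p in ("HOST/linsrv@DOMAIN.LOCAL", "HOST/linsrv.domain.local@DOMAIN.LOCAL",
              "LINSRV$@DOMAIN.LOCAL")
])

if __name__ == "__main__":
    groups, dups, weak = summarize(parse_keytab(SAMPLE))
    for principal, kvnos in groups.items():
        for vno, names in kvnos.items():
            print("%s kvno=%d enctypes=%s" % (principal, vno, ", ".join(names)))
    print("duplicates:", dups)
    print("weak:", weak)
```

Point `parse_keytab` at `open("/usr/local/samba/private/secrets.keytab", "rb").read()` to run it on the real file; a non-empty `dups` list is the only case where repeated principal names indicate a genuine problem, and the `weak` list shows which entries only exist because DES and RC4 are still enabled for the account.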

Thomas Zeitinger
Sep 7, 2013, 2:50:52 PM
Hi there,

a few days ago I tried to install a print spooler with samba4 and in the
installation process the "avahi-daemon" was installed.

This daemon prevented the samba4 internal DNS from working fully.

The solution: "apt-get --purge remove avahi-daemon"

Now everything is working like a beast ;-)

Best regards
