Problems setting up a Samba AD DC with MIT Kerberos

Maurofolc

I have problems setting up Kerberos authentication with Samba 4.

I followed the steps detailed in the page:


I added a user to the samba database, using:

# samba-tool user create myuser

I can see this user in the list:

# samba-tool user list | grep myuser
myuser

# samba-tool domain exportkeytab /var/lib/samba/private/secrets.keytab --principal=myuser
Export one principal to /var/lib/samba/private/secrets.keytab

# klist -ekt /var/lib/samba/private/secrets.keytab | grep myuser
2 15/05/2020 16:26:45 [email protected] (aes256-cts-hmac-sha1-96)
2 15/05/2020 16:26:45 [email protected] (aes128-cts-hmac-sha1-96)
2 15/05/2020 16:26:45 [email protected] (DEPRECATED:arcfour-hmac)


Here is my krb5.conf file:

[libdefaults]
default_realm = MYDOMAIN.IT
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
MYDOMAIN.IT = {
default_domain = mydomain.it
}

[domain_realm]
aecdomain = MYDOMAIN.IT



Here is my /var/kerberos/krb5kdc/kdc.conf file:

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
kadmind_port = 464

[realms]
MYDOMAIN.IT = {
database_name = /var/kerberos/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /var/kerberos/krb5kdc/kadm5.acl
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
key_stash_file = /var/kerberos/krb5kdc/.k5.MYDOMAIN.IT
}

mydomain.it = {
}

MYDOMAIN = {
}

[dbmodules]
db_module_dir = /usr/lib64/krb5/plugins/kdb

MYDOMAIN.IT = {
db_library = samba
}

mydomain.it = {
db_library = samba
}

MYDOMAIN = {
db_library = samba
}

[logging]
kdc = FILE:/var/log/samba/mit_kdc.log
admin_server = FILE:/var/log/samba/mit_kadmin.log



The first problem is with kinit:


# KRB5_TRACE=/dev/stderr kinit -V -t /var/lib/samba/private/secrets.keytab [email protected]
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
Using keytab: /var/lib/samba/private/secrets.keytab
[18519] 1589556379.754626: Getting initial credentials for [email protected]
[18519] 1589556379.754627: Looked up etypes in keytab: aes256-cts, aes128-cts, rc4-hmac
[18519] 1589556379.754629: Sending unauthenticated request
[18519] 1589556379.754630: Sending request (176 bytes) to MYDOMAIN.IT
[18519] 1589556379.754631: Sending DNS URI query for _kerberos.MYDOMAIN.IT.
[18519] 1589556379.754632: No URI records found
[18519] 1589556379.754633: Sending DNS SRV query for _kerberos._udp.MYDOMAIN.IT.
[18519] 1589556379.754634: SRV answer: 0 100 88 "aecdomain.mydomain.it."
[18519] 1589556379.754635: Sending DNS SRV query for _kerberos._tcp.MYDOMAIN.IT.
[18519] 1589556379.754636: SRV answer: 0 100 88 "aecdomain.mydomain.it."
[18519] 1589556379.754637: Resolving hostname aecdomain.mydomain.it.
[18519] 1589556379.754638: Sending initial UDP request to dgram 192.168.2.9:88
[18519] 1589556379.754639: Received answer (147 bytes) from dgram 192.168.2.9:88
[18519] 1589556379.754640: Sending DNS URI query for _kerberos.MYDOMAIN.IT.
[18519] 1589556379.754641: No URI records found
[18519] 1589556379.754642: Sending DNS SRV query for _kerberos-master._udp.MYDOMAIN.IT.
[18519] 1589556379.754643: SRV answer: 0 100 88 "aecdomain.mydomain.it."
[18519] 1589556379.754644: Response was from master KDC
[18519] 1589556379.754645: Received error from KDC: -1765328324/Generic error (see e-text)
kinit: Generic error (see e-text) while getting initial credentials


The second problem is in the Samba log; I see a lot of messages of this kind:

/usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
[2020/05/15 17:28:10.688901, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib64/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
[2020/05/15 17:28:10.689062, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs)
[2020/05/15 17:28:10.689307, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib64/python3.7/site-packages/samba/netcmd/dns.py", line 945, in run
[2020/05/15 17:28:10.689473, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: raise e
[2020/05/15 17:28:10.689683, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib64/python3.7/site-packages/samba/netcmd/dns.py", line 941, in run
[2020/05/15 17:28:10.689872, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: 0, server, zone, name, add_rec_buf, None)
[2020/05/15 17:28:10.700511, 0] ../../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
dnsupdate_nameupdate_done: Failed DNS update with exit code 24

Can you please help me fix this?


I solved this. I had to better check the /etc/resolv.conf and /etc/hosts files.

Network Manager had replaced my /etc/resolv.conf.

Thank you
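The fix above comes down to the DC's own name resolution being wrong. The following checks are an added example (not from this thread or from Samba) that verify what the poster ended up checking by hand: that resolv.conf points at the DC, that /etc/hosts maps the DC FQDN to the same address, and whether NetworkManager has rewritten resolv.conf. It assumes the DC is aecdomain.mydomain.it at 192.168.2.9, the values seen in the KRB5_TRACE output; file paths are parameters so it can be run against copies.

```shell
#!/bin/sh
# Added example: sanity-check resolver setup on a Samba AD DC before chasing
# kinit "Generic error" or samba_dnsupdate failures. Constructed assumptions:
# DC FQDN aecdomain.mydomain.it, DC address 192.168.2.9 (from the trace above).

# Print the nameserver addresses listed in a resolv.conf, in order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if the resolv.conf carries the header NetworkManager writes, which
# means a hand-edited file has been (or will be) replaced.
resolv_managed_by_nm() {
    grep -q 'Generated by NetworkManager' "$1"
}

# Print the address an /etc/hosts file maps the given name to (first match).
hosts_ip_for() {
    awk -v name="$2" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

# On an AD DC the first nameserver must be the DC itself (or another DC) and
# /etc/hosts must map the DC FQDN to that address; otherwise SRV lookups and
# dynamic DNS updates are sent to a resolver that knows nothing about the realm.
# Returns 0 when both conditions hold, 1 otherwise; warnings go to stderr.
check_dc_resolution() {
    resolv="$1"; hosts="$2"; fqdn="$3"; dc_ip="$4"
    first_ns=$(resolv_nameservers "$resolv" | head -n 1)
    hosts_ip=$(hosts_ip_for "$hosts" "$fqdn")
    status=0
    if [ "$first_ns" != "$dc_ip" ]; then
        echo "first nameserver is '$first_ns', expected DC $dc_ip" >&2
        status=1
    fi
    if [ "$hosts_ip" != "$dc_ip" ]; then
        echo "$hosts maps $fqdn to '$hosts_ip', expected $dc_ip" >&2
        status=1
    fi
    if resolv_managed_by_nm "$resolv"; then
        echo "$resolv is generated by NetworkManager and may be overwritten" >&2
    fi
    return $status
}
```

Run it as `check_dc_resolution /etc/resolv.conf /etc/hosts aecdomain.mydomain.it 192.168.2.9` on the DC; a non-zero exit means the resolver setup should be fixed before retrying kinit.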