Samba 4 Active Directory with MIT Kerberos: dbmodule "samba" ?

Maurofolc

New Member
Credits
164
I have a problem in setting up Samba 4 Active Directory with MIT Kerberos.

I followed the steps detailed in the page:


The samba daemon won't start.
../../source4/smbd/server.c:622(binary_smbd_main) samba version 4.11.8 started.
Copyright Andrew Tridgell and the Samba Team 1992-2019
../../source4/smbd/server.c:865(binary_smbd_main) binary_smbd_main: samba: using 'prefork' process model
../../source4/smbd/service_task.c:36(task_server_terminate) task_server_terminate: task_server_terminate: [KDC: Initialize kadm5]
../../lib/util/become_daemon.c:135(daemon_ready) daemon_ready: daemon 'samba' finished starting up and ready to serve connections
../../source4/smbd/server.c:370(samba_terminate) samba_terminate: samba_terminate of samba 2012: KDC: Initialize kadm5

I also found a message about a missing Kerberos database:

krb5kdc[1432]: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': File o directory non esistente - while initializing database for realm MYDOMAIN.IT


But if I try to create it, I get an error:

# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MYDOMAIN.IT',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Database type not supported while creating database '/var/kerberos/krb5kdc/principal'

The "samba" database type is not accepted by the Kerberos command.
In the [dbmodules] section of the kdc.conf configuration file, I see

db_module_dir = /usr/lib64/krb5/plugins/kdb
and
db_library = samba

# ls -l /usr/lib64/krb5/plugins/kdb/samba.so
-rwxr-xr-x 1 root root 45632 28 apr 22.34 /usr/lib64/krb5/plugins/kdb/samba.so

(it exists)

Maybe I could remove the [dbmodules] section from the kdc.conf file, using a type of database accepted by MIT Kerberos ... But then I don't know if Samba would still work in the same way.



Here is my krb5.conf file:
---------------------------------------------
[libdefaults]
default_realm = MYDOMAIN.IT
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
MYDOMAIN.IT = {
default_domain = MYDOMAIN.IT
}

[domain_realm]
aecdomain = MYDOMAIN.IT
---------------------------------------------


Here is my /var/kerberos/krb5kdc/kdc.conf file:
---------------------------------------------
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
kadmind_port = 464

[realms]
MYDOMAIN.IT = {
}

MYDOMAIN.IT = {
}

MYDOMAIN = {
}

[dbmodules]
db_module_dir = /usr/lib64/krb5/plugins/kdb

MYDOMAIN.IT = {
db_library = samba
}

MYDOMAIN.IT = {
db_library = samba
}

MYDOMAIN = {
db_library = samba
}

[logging]
kdc = FILE:/var/log/samba/mit_kdc.log
admin_server = FILE:/var/log/samba/mit_kadmin.log
---------------------------------------------



Samba version:

samba-4.11.8-0.fc31.x86_64
samba-dc-4.11.8-0.fc31.x86_64
samba-dc-libs-4.11.8-0.fc31.x86_64
samba-dc-provision-4.11.8-0.fc31.noarch


Can you please help me fix this?
 


Maurofolc

Thank you for your answer.

I didn't miss that sentence, but "experimental" and "not working" have two different meanings ...
I thought I could at least install it ... but I couldn't even complete the installation.

Thank you for the advice: I will not use it in production.

Is there anything I can do? Waiting for the project to be more reliable, or is there a fix for the specific problem I found?
 

hortimech

It should install and provision; it just has numerous problems that the built-in Heimdal doesn't. These problems are being worked on, but when they are going to be fixed, well, your guess is as good as mine.
One thing I can say is, you must not start the MIT KDC manually; you must allow Samba to do this for you.
Have you installed all the available Samba packages, including winbind?
 

Maurofolc

(1)
# systemctl status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)

Yes, I don't start krb5kdc.service.
I allow Samba to start it for me.

(2)
# rpm -qa | grep samba | sort
python3-samba-4.11.8-0.fc31.x86_64
python3-samba-dc-4.11.8-0.fc31.x86_64
samba-4.11.8-0.fc31.x86_64
samba-client-4.11.8-0.fc31.x86_64
samba-client-libs-4.11.8-0.fc31.x86_64
samba-common-4.11.8-0.fc31.noarch
samba-common-libs-4.11.8-0.fc31.x86_64
samba-common-tools-4.11.8-0.fc31.x86_64
samba-dc-4.11.8-0.fc31.x86_64
samba-dc-libs-4.11.8-0.fc31.x86_64
samba-dc-provision-4.11.8-0.fc31.noarch
samba-libs-4.11.8-0.fc31.x86_64
samba-winbind-4.11.8-0.fc31.x86_64
samba-winbind-clients-4.11.8-0.fc31.x86_64
samba-winbind-krb5-locator-4.11.8-0.fc31.x86_64
samba-winbind-modules-4.11.8-0.fc31.x86_64


(3) The file /var/kerberos/krb5kdc/principal is not created

(4) # kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'AECLAN.IT',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Database type not supported while creating database '/var/kerberos/krb5kdc/principal'

This seems to me to be the problem ...
 

hortimech

OK, you have the correct packages installed, but you do not create /var/kerberos/krb5kdc/principal. You will find the database at /var/lib/samba/private/sam.ldb.

It looks like there is something wrong with your setup, if F31 works like F32, as I have it working on F32.

Is SELinux disabled?
 

hortimech

Some are ;)
Okay, does /etc/hostname only contain the DC's short hostname?

Does /etc/hosts look like this:
127.0.0.1 localhost
::1 localhost
192.168.0.25 fedora32.example.com fedora32

Is dnsmasq running?
I removed it and stopped network manager from using dns, by adding:
dns=none

to the '[main]' section in /etc/NetworkManager/NetworkManager.conf.

Did you remove smb.conf before provisioning?

I provisioned with:
samba-tool domain provision --use-rfc2307 --realm=EXAMPLE.COM --domain=EXAMPLE --server-role=dc --adminpass=Passw0rd*

The provision will create a krb5.conf, copy this to /etc/krb5.conf:
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Change /etc/resolv.conf to look similar to this:

search example.com
nameserver 192.168.0.25

Where 'example.com' is your DNS domain and '192.168.0.25' is your DC's IP address.

At this point, you should be able to start 'samba' and expect it to run.
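The host settings listed in this post can be checked before provisioning. The following preflight script is an added example, not code from the thread or from Samba; each check takes the file content as its first argument, and the sample values (fedora32, example.com, 192.168.0.25) are the placeholders used in the post:

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for the DC host settings
# listed above. Each check takes the *content* of a file as $1, so it can run
# against the real files or against the constructed samples further down.

# /etc/hostname must hold only the short name: not empty, no dots.
check_short_hostname() {
    case "$1" in ""|*.*) return 1 ;; *) return 0 ;; esac
}

# /etc/hosts must map the DC's IP to the FQDN first, then the short name.
# $1 = file content, $2 = DC IP, $3 = FQDN, $4 = short name
check_hosts_entry() {
    printf '%s\n' "$1" |
        grep -Eq "^$2[[:space:]]+$3[[:space:]]+$4([[:space:]]|\$)"
}

# NetworkManager.conf needs dns=none under [main] so NM stops rewriting resolv.conf.
check_nm_dns_none() {
    printf '%s\n' "$1" | awk '
        /^\[/                                    { inmain = ($0 == "[main]") }
        inmain && /^dns[ \t]*=[ \t]*none[ \t]*$/ { found = 1 }
        END                                      { exit(found ? 0 : 1) }'
}

# resolv.conf must point at the DC itself and search the AD DNS domain.
# $1 = file content, $2 = DC IP, $3 = DNS domain
check_resolv() {
    printf '%s\n' "$1" | grep -Eq "^nameserver[[:space:]]+$2[[:space:]]*$" &&
    printf '%s\n' "$1" | grep -Eq "^search[[:space:]]+$3([[:space:]]|\$)"
}

# Constructed samples mirroring the placeholder values in the post.
SAMPLE_HOSTS='127.0.0.1 localhost
::1 localhost
192.168.0.25 fedora32.example.com fedora32'
SAMPLE_NM='[main]
plugins=keyfile
dns=none

[logging]'
SAMPLE_RESOLV='search example.com
nameserver 192.168.0.25'

# Runs every check against this host's live files; returns 0 only if all pass.
# $1 = DC IP, $2 = FQDN, $3 = short name, $4 = DNS domain
preflight_live() {
    check_short_hostname "$(cat /etc/hostname)" &&
    check_hosts_entry "$(cat /etc/hosts)" "$1" "$2" "$3" &&
    check_nm_dns_none "$(cat /etc/NetworkManager/NetworkManager.conf)" &&
    check_resolv "$(cat /etc/resolv.conf)" "$1" "$4"
}
```

Run `preflight_live 192.168.0.25 fedora32.example.com fedora32 example.com` (with your own values) before `samba-tool domain provision`; a non-zero exit points at the first setting that still differs from the post.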
 

Maurofolc

(1) I upgraded to Fedora 32, removed all ldb and tdb files and began all from the beginning.

(2) The /etc/hostname had the "long" hostname. I modified it to contain the DC's short hostname.

(3) The /etc/hosts was ok

(4) No dnsmasq is running on the host

(5) I configured Network Manager as you suggested by adding: dns=none

(6) Yes, smb.conf was removed before provisioning

(7) Yes, the /etc/resolv.conf was OK

And now: ...

# systemctl start samba.service



mag 21 17:02:23 aecdomain samba[2934]: [2020/05/21 17:02:23.377055, 0] ../../source4/smbd/server.c:629(binary_smbd_main)
mag 21 17:02:23 aecdomain samba[2934]: samba version 4.12.2 started.
mag 21 17:02:23 aecdomain samba[2934]: Copyright Andrew Tridgell and the Samba Team 1992-2020
mag 21 17:02:23 aecdomain samba[2934]: [2020/05/21 17:02:23.500789, 0] ../../source4/smbd/server.c:872(binary_smbd_main)
mag 21 17:02:23 aecdomain samba[2934]: binary_smbd_main: samba: using 'prefork' process model
mag 21 17:02:23 aecdomain samba[2958]: [2020/05/21 17:02:23.560864, 0] ../../source4/smbd/service_task.c:36(task_server_terminate)
mag 21 17:02:23 aecdomain samba[2958]: task_server_terminate: task_server_terminate: [KDC: Initialize kadm5]
mag 21 17:02:23 aecdomain samba[2958]: [2020/05/21 17:02:23.567012, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
mag 21 17:02:23 aecdomain samba[2958]: /usr/sbin/krb5kdc: krb5kdc: cannot initialize realm MYDOMAIN.IT - see log file for details
mag 21 17:02:23 aecdomain samba[2958]: [2020/05/21 17:02:23.567969, 0] ../../source4/kdc/kdc-service-mit.c:344(mitkdc_server_done)
mag 21 17:02:23 aecdomain samba[2958]: The MIT KDC daemon died with exit status 1
mag 21 17:02:23 aecdomain samba[2958]: [2020/05/21 17:02:23.568029, 0] ../../source4/smbd/service_task.c:36(task_server_terminate)
mag 21 17:02:23 aecdomain samba[2958]: task_server_terminate: task_server_terminate: [mitkdc child process exited]
mag 21 17:02:23 aecdomain samba[2934]: [2020/05/21 17:02:23.637963, 0] ../../source4/smbd/server.c:377(samba_terminate)
mag 21 17:02:23 aecdomain samba[2934]: samba_terminate: samba_terminate of samba 2934: KDC: Initialize kadm5
mag 21 17:02:23 aecdomain systemd[1]: samba.service: Main process exited, code=exited, status=1/FAILURE
-- Un processo ExecStart appartenente all'unità samba.service è uscito.
mag 21 17:02:24 aecdomain systemd[1]: samba.service: Failed with result 'exit-code'.
-- Unità samba.service entrata nello stato 'failed' (fallito) con risultato 'exit-code'.
-- Subject: L'unità samba.service è fallita
-- L'unità samba.service è fallita.
mag 21 17:02:24 aecdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=samba comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
mag 21 17:02:24 aecdomain systemd[1]: samba.service: Consumed 1.409s CPU time.
-- Unità samba.service terminata consumando le indicate risorse.
# journalctl -xe | grep krb
mag 21 16:35:35 aecdomain.mydomain.it systemd-tmpfiles[2479]: /usr/lib/tmpfiles.d/krb5-krb5kdc.conf:1: Line references path below legacy directory /var/run/, updating /var/run/krb5kdc → /run/krb5kdc; please update the tmpfiles.d/ drop-in file accordingly.
mag 21 17:02:23 aecdomain krb5kdc[2961]: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': File o directory non esistente - while initializing database for realm MYDOMAIN.IT
mag 21 17:02:23 aecdomain samba[2958]: /usr/sbin/krb5kdc: krb5kdc: cannot initialize realm MYDOMAIN.IT - see log file for details
 

hortimech

Sorry, but all I can say is that on a clean install of F32 Workstation it took me less than an hour to create a working DC; I have attached the notes I made during the install.

If all else fails, it might be better if you signed up for the Samba mailing list here:

We can discuss this better there and other members of the team might be able to help.
 
