I'm running Samba 4.0.10 on Ubuntu Server 12.04.3 x64. Samba was installed from source and provisioned with internal DNS as PDC of the domain domain.local. Users were mapped through PAM.
I created a new user (user@domain.local) and joined a winxp workstation (workstation.domain.local). It seems Kerberos is working, since the user can log in to the workstation without any problem using user@domain.local. Same with DNS: if I try to "ping pdc.domain.local", I get the name resolved correctly, as well as with just "ping pdc".

However, if I run "ping workstation.domain.local" from pdc, I get "unknown host", though "ping workstation" works. Similarly, if I run "kinit user", I get a ticket, but "kinit user@domain.local" produces "Cannot contact any KDC for realm 'domain.local' while getting initial credentials".

A probably related issue is with samba_dnsupdate. Running "sudo /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names" gives "RuntimeError: kinit for PDC$@DOMAIN.LOCAL failed (Cannot contact any KDC for requested realm)".

"sudo host -t SRV _kerberos._udp.domain.local." gives "_kerberos._udp.domain.local has SRV record 0 100 88 pdc.domain.local.", so it seems there is a correct record for the KDC in DNS. I've read that this issue can be caused by a wrong DNS setting in resolv.conf.
My /etc/resolv.conf (and /etc/resolvconf/resolv.conf.d/tail) is:

    domain domain.local
    nameserver 127.0.0.1

and my /etc/hosts:

    127.0.0.1 localhost.localdomain localhost
    127.0.1.1 pdc.domain.local pdc
    #network interface eth0:
    192.168.1.67 pdc.domain.local pdc

So even here everything looks ok.

My krb5.conf:

    [libdefaults]
        default_realm = DOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
        forwardable = true

    [realms]
        DOMAIN.LOCAL = {
            kdc = pdc.domain.local
            admin_server = pdc.domain.local
        }

    [domain_realm]
        .domain.local = DOMAIN.LOCAL
        domain.local = DOMAIN.LOCAL

My smb.conf:

    [global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        netbios name = PDC
        server role = active directory domain controller
        server role check:inhibit = yes
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
        template shell = /bin/bash
        security = user
        map to guest = bad user
        guest account = nobody
        encrypt passwords = yes
        allow dns updates = True
        dns forwarder = 217.119.113.244
        interfaces = 127.0.1.1/8 eth0 lo
        bind interfaces only = yes
        logon path = \\%L\profiles\%U\%a
        logon drive = P:
        wins support = yes
        name resolve order = wins host bcast
        load printers = yes
        printing = cups
        printcap name = cups

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

--
View this message in context: http://samba.2283325.n4.nabble.com/kinit-user-works-kinit-user-domain-local-doesn-t-tp4654989.html
Sent from the Samba - General mailing list archive at Nabble.com.