Hi, I have deinstalled bind99 and re-made Samba4. But still, Samba4 is not
working. The following is what I did. It looks like it is the dnsupdate problem.
This time, it is Samba4's dnsupdate problem.
Do I have to initialize the KDC server?
These are copied from the FreeBSD handbook for Kerberos 5.
.....
Note that this /etc/krb5.conf file implies that your KDC will have the
fully-qualified hostname of kerberos.example.org. You will need to add a CNAME
(alias) entry to your zone file to accomplish this if your KDC has a different
hostname.

Note: For large networks with a properly configured BIND DNS server,
the above example could be trimmed to:

[libdefaults]
      default_realm = EXAMPLE.ORG

With the following lines being appended to the example.org zonefile:

_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
_kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
_kpasswd._udp       IN  SRV     01 00 464 kerberos.example.org.
_kerberos-adm._tcp  IN  SRV     01 00 749 kerberos.example.org.
_kerberos           IN  TXT     EXAMPLE.ORG

Note: For clients to be able to find the Kerberos services, you must have
either a fully configured /etc/krb5.conf or a minimally configured
/etc/krb5.conf and a properly configured DNS server.

Next we will create the Kerberos database. This database contains the keys of
all principals encrypted with a master password. You are not required to
remember this password, it will be stored in a file (/var/heimdal/m-key). To
create the master key, run kstash and enter a password.

Once the master key has been created, you can initialize the database using
the kadmin program with the -l option (standing for “local”). This option
instructs kadmin to modify the database files directly rather than going
through the kadmind network service. This handles the chicken-and-egg problem
of trying to connect to the database before it is created. Once you have the
kadmin prompt, use the init command to create your realm's initial database.

Lastly, while still in kadmin, create your first principal using the add
command. Stick to the default options for the principal for now, you can
always change them later with the modify command. Note that you can use the ?
command at any prompt to see the available options.

A sample database creation session is shown below:

# kstash
Master key: xxxxxxxx
Verifying password - Master key: xxxxxxxx

# kadmin -l
kadmin> init EXAMPLE.ORG
Realm max ticket life [unlimited]:
kadmin> add tillman
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: xxxxxxxx
Verifying password - Password: xxxxxxxx

Now it is time to start up the KDC services. Run /etc/rc.d/kerberos start and
/etc/rc.d/kadmind start to bring up the services. Note that you will not have
any kerberized daemons running at this point but you should be able to confirm
that the KDC is functioning by obtaining and listing a ticket for the principal
(user) that you just created from the command-line of the KDC itself:

% kinit tillman
till...@example.org's Password:

% klist
Credentials cache: FILE:/tmp/krb5cc_500
        Principal: till...@example.org

  Issued           Expires          Principal
Aug 27 15:37:58  Aug 28 01:37:58  krbtgt/example....@example.org

The ticket can then be revoked when you have finished:

% kdestroy
================================
......
I did not do anything about Kerberos5. I am assuming Samba4 is taking care of
it.

root@f10:/etc # cd /usr/ports/dns/bind99
root@f10:/usr/ports/dns/bind99 # make deinstall
===>  Deinstalling for dns/bind99
===>   Deinstalling bind99-9.9.2
The following packages will be deinstalled:
        bind99-9.9.2
The deinstallation will free 33 MB
Deleting bind99-9.9.2... done
root@f10:/usr/ports/dns/bind99 # make clean
===>  Cleaning for bind99-9.9.2
root@f10:/etc # cd /usr/local/samba-master
root@f10:/usr/local/samba-master # git pull
Already up-to-date.
root@f10:/usr/local/samba-master # make clean
WAF_MAKE=1 python ./buildtools/bin/waf clean
      Selected embedded Heimdal build
'clean' finished successfully (8.929s)
root@f10:/usr/local/samba-master # make && make install
WAF_MAKE=1 python ./buildtools/bin/waf build
Waf: Entering directory `/usr/local/samba-master/bin'
   Selected embedded Heimdal build
[   1/3814] Generating replace.vscript
......
[3814/3814] Parse::Pidl::Wireshark::NDR.3: pidl/lib/Parse/Pidl/Wireshark/NDR.pm -> bin/default/pidl/Parse::Pidl::Wireshark::NDR.3
Waf: Leaving directory `/usr/local/samba-master/bin'
'build' finished successfully (1h5m44.673s)
WAF_MAKE=1 python ./buildtools/bin/waf install
Waf: Entering directory `/usr/local/samba-master/bin'
* creating /usr/local/samba/etc
* creating /usr/local/samba/private
* creating /usr/local/samba/var
* creating /usr/local/samba/private
* creating /usr/local/samba/var/lib
* creating /usr/local/samba/var/locks
* creating /usr/local/samba/var/cache
* creating /usr/local/samba/var/lock
* creating /usr/local/samba/var/run
* creating /usr/local/samba/var/run
       Selected embedded Heimdal build
Checking project rules ...
Project rules pass
[   1/4121] Generating replace.vscript
......
* installing bin/default/pidl/Parse::Pidl::Wireshark::NDR.3 as /usr/local/samba/share/man/man3/Parse::Pidl::Wireshark::NDR.3
Waf: Leaving directory `/usr/local/samba-master/bin'
'install' finished successfully (13m48.405s)
root@f10:/usr/local/samba-master # rehash
root@f10:/usr/local/samba-master # cd ..
root@f10:/usr/local # rm /usr/local/samba/etc/smb.conf
root@f10:/usr/local # cd samba
root@f10:/usr/local/samba/bin # ./samba-tool domain provision --realm=f10.pccom.ca --domain=dcf10 --adminpass='small@1' --server-role=dc
Looking up IPv4 addresses
Looking up IPv6 addresses
More than one IPv6 address found. Using fe80:1::92e6:baff:fe88:db31
....
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=f10,DC=pccom,DC=ca
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              f10
NetBIOS Domain:        DCF10
DNS Domain:            f10.pccom.ca
DOMAIN SID:            S-1-5-21-2143356390-769797765-818328211
root@f10:/usr/local/samba/bin # cp /usr/local/samba/private/krb5.conf /etc

root@f10:/usr/local/samba/sbin # ./samba -i -M single
samba version 4.1.0pre1-GIT-e6a100e started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 507, in <module>
/usr/local/samba/sbin/samba_dnsupdate:     get_credentials(lp)
/usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 121, in get_credentials
/usr/local/samba/sbin/samba_dnsupdate:     creds.get_named_ccache(lp, ccachename)
/usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for F10$@F10.PCCOM.CA failed (Cannot contact any KDC for requested realm)
/usr/local/samba/sbin/samba_dnsupdate: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED
^C
                                          
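
The handbook excerpt quoted in the message lists the SRV and TXT records that let clients locate a KDC through DNS. As an added example (not part of the original post, the handbook, or Samba), the Python function below checks a zone fragment for those records and their ports; the function name and the sample zone are constructed for illustration.

```python
import re

# Port each SRV owner name should carry, per the handbook excerpt in the message.
EXPECTED_SRV = {"_kerberos._udp": 88, "_kerberos._tcp": 88,
                "_kpasswd._udp": 464, "_kerberos-adm._tcp": 749}

# Constructed sample zone fragment (not from the post): _kerberos._tcp is
# missing and _kpasswd._udp carries the KDC port instead of 464.
SAMPLE_ZONE = """\
_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
_kpasswd._udp       IN  SRV     01 00 88 kerberos.example.org.
_kerberos-adm._tcp  IN  SRV     01 00 749 kerberos.example.org.
_kerberos           IN  TXT     EXAMPLE.ORG
"""

SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.I)
TXT_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+TXT\s+"?([^"\s]+)"?\s*$', re.I)

def check_kerberos_zone(zone_text, realm):
    """Return a sorted list of problems found in a zone fragment."""
    srv, txt_realm, problems = {}, None, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop zone-file comments
        m = SRV_RE.match(line)
        if m:
            owner, port, target = m.group(1).lower(), int(m.group(4)), m.group(5)
            srv[owner] = port
            if not target.endswith("."):           # relative names get the origin appended
                problems.append(f"{owner}: target {target} is not fully qualified (no trailing dot)")
            continue
        m = TXT_RE.match(line)
        if m and m.group(1).lower() == "_kerberos":
            txt_realm = m.group(2)
    for owner, port in EXPECTED_SRV.items():
        if owner not in srv:
            problems.append(f"{owner}: SRV record missing")
        elif srv[owner] != port:
            problems.append(f"{owner}: port {srv[owner]} (expected {port})")
    if txt_realm is None:
        problems.append("_kerberos: TXT realm record missing")
    elif txt_realm != realm:
        problems.append(f"_kerberos: TXT realm {txt_realm} (expected {realm})")
    return sorted(problems)

if __name__ == "__main__":
    for problem in check_kerberos_zone(SAMPLE_ZONE, "EXAMPLE.ORG"):
        print(problem)
```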