
Re: [Samba] win2003 AD migration to SAMBA 4.6 - dnsupdate problem

Hello Denis,

1. KRB - I tried kinit from a local terminal and got an answer about troubles with encryption, so I found out the win 2003 ciphers and put them in krb5.conf
2. from wiki - Verifying the DNS Entries: If you join a Samba DC that runs Samba 4.7 and later, samba-tool creates all required DNS entries automatically. To manually create the records on an earlier version, see Verifying and Creating a DC DNS Record - https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

3. yes, resolv.conf is pointing to
4. you are right, the krb5.conf files are not identical, I forgot to move it to /var/lib/samba/private

now the situation is: with identical krb5.conf files not containing rc4-hmac and weak cipher enabled, I got the error like before, which means troubles with ciphers. If I put the lines in both files I get a new error - dns_tkey_negotiategss: TKEY is unacceptable

I have tried to push DNS updates as you wrote - samba_dnsupdate --use-samba-tool - 18 records synchronized, 2 failed with error ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR'); samba_dnsupdate ends with dns_tkey_negotiategss: TKEY is unacceptable, Failed nsupdate: 1, Failed update of 2 entries

I hope I wrote everything important


> I want to migrate old 2003 domain to Samba - join SAMBA 4.6(DC2) to win
> 2003 domain like DC, move sysvol, FSMO, demote old server(DC1), etc.,
> etc. -
>
> My problem are DNS Updates, I have kerberos working (added enctypes =
> rc4-hmac for compatibility),

May I ask where you added that? Where did you read that you had to do that? Could you try just removing it?

> SAMBA join without errors, I have created
> DNS records,

How did you create the records? Could you try the following on your two DCs to force the update without going through the authenticated DNS process:
samba_dnsupdate --use-samba-tool

By the way, is your /etc/resolv.conf pointing to yourself? Are your /etc/krb5.conf and /var/lib/samba/private/krb5.conf identical?


> can move FSMO. But DNS if working only on DC1,  not on DC2,
> I have found in logs troubles with dnsupdates. DC1 thinks it is only one
> DC in domain.

> _ldap._tcp.Default-First-Site._sites.gc._msdcs.test.local. 900 IN SRV 0 100 3268 dc2.test.local.
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC has no support for encryption type.
> Failed nsupdate: 1
> Failed update of 20 entries


-- Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
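As an added check for the two questions in this reply (is resolv.conf pointing at the DC itself, and are /etc/krb5.conf and /var/lib/samba/private/krb5.conf identical), here is an example script that is not from the thread or from Samba. The file contents, realm and addresses are constructed samples; the enctype lines in the sample are the kind of setting the original poster describes adding.

```python
import re

def parse_libdefaults(text):
    """Return the key = value pairs of the [libdefaults] section as a dict.
    Minimal parser: flat settings only; other sections are skipped."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
    return settings

def krb5_libdefaults_diff(conf_a, conf_b):
    """Keys whose value differs (or is missing) between the two files."""
    a, b = parse_libdefaults(conf_a), parse_libdefaults(conf_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)}

def resolv_nameservers(text):
    return [ln.split()[1] for ln in text.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) > 1]

def resolv_points_to_self(text, local_ips):
    """True when the first nameserver is one of the DC's own addresses."""
    ns = resolv_nameservers(text)
    return bool(ns) and ns[0] in set(local_ips)

# Constructed sample inputs (hypothetical realm and addresses, not from the thread).
ETC_KRB5 = """[libdefaults]
    default_realm = TEST.LOCAL
    dns_lookup_kdc = true
    allow_weak_crypto = true
    default_tgs_enctypes = rc4-hmac
"""
PRIVATE_KRB5 = """[libdefaults]
    default_realm = TEST.LOCAL
    dns_lookup_kdc = true
"""
RESOLV = "search test.local\nnameserver 192.0.2.20\nnameserver 192.0.2.10\n"

if __name__ == "__main__":
    # Prints the settings present in only one file, then whether resolv.conf points at 192.0.2.20.
    print(krb5_libdefaults_diff(ETC_KRB5, PRIVATE_KRB5), resolv_points_to_self(RESOLV, ["192.0.2.20"]))
```

A non-empty diff means the two files have drifted apart, which is the situation the original poster confirms above.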

-- To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
