
Re: [Samba] Kerberos not working after moving Samba AD DC to new server





On 09/03/18 11:22, Rob Thoman wrote:
    Check the krb5.conf and confirm DNS is working

After taking the entire server apart, upgrading all the packages, re-compiling Bind several times over against MIT Kerberos and then against Heimdal Kerberos, transferring over the Samba configs and databases again from the old server and running line by line through every single test in the Samba wiki I could find, it turns out that it was simply the interface option in smb.conf. The old server was using eth1 for the internal LAN, while the new one was using a bridge on br0 (which ties eth1 as well), because there are some virtual machines there as well. So the new server was trying to bind Samba to eth1, which didn't have its own IP.

It is strange though that I have not seen a single error message in 8 hours of troubleshooting to hint at the interface configuration being the problem. Samba is set up to listen on the loop interface as well, but I guess the Kerberos DNS entries were pointing specifically to the LAN IP of the server.

Oh well, just another day at the office :-)




On Fri, Mar 9, 2018 at 9:20 PM, Sebastian Arcus via samba <samba@xxxxxxxxxxxxxxx> wrote:


    On 09/03/18 10:52, Sebastian Arcus via samba wrote:

        I am moving a Samba AD DC to a new server (I am merging two
        different hardware servers serving different functions). The new
        server has the same name as the old one, and same IP addresses
        on the network interfaces. I have moved the following directories:

        /var/lib/samba
        /var/cache/samba
        /etc/samba/
        /var/named/

        Samba will start, Bind starts (I'm using the Bind backend), the
        dns tests from Samba wiki work fine, but the following doesn't
        work and I can't figure out why:

        # kinit Administrator
        kinit: Cannot contact any KDC for realm 'MYDOMAIN.LAN' while
        getting initial credentials

        The domain name above is correct, but for some reason Kerberos
        doesn't seem to be working. Does the Kerberos side of things
        need any other files which I should have copied from the old server?


    Sorry for the confusion - I just checked the old server and I get
    the same error. Is there any way of troubleshooting Kerberos further?


    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/options/samba
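
The failure described in this thread (Samba told to bind to eth1 while the address lives on br0) can be checked before starting the DC. The following is an added example, not code from the thread or from the Samba project: it compares the smb.conf `interfaces` parameter against `ip -o -4 addr show` output. The function names and both sample inputs are constructed for illustration, and only IPv4 is considered.

```python
import fnmatch
import ipaddress
import re

# Constructed smb.conf fragment: still names eth1, as on the old server.
SMB_CONF = """\
[global]
    realm = MYDOMAIN.LAN
    interfaces = lo eth1
    bind interfaces only = yes
"""

# Constructed `ip -o -4 addr show` output: eth1 is a bridge port, so only
# lo and br0 carry an address (192.168.1.10 is a made-up LAN address).
IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
4: br0    inet 192.168.1.10/24 brd 192.168.1.255 scope global br0
"""

def parse_interfaces(smb_conf):
    """Return the entries of the `interfaces` parameter (empty if unset)."""
    for line in smb_conf.splitlines():
        # Anchored match, so `bind interfaces only` is not picked up.
        m = re.match(r"\s*interfaces\s*=\s*(.+)", line, re.IGNORECASE)
        if m:
            return m.group(1).replace(",", " ").split()
    return []

def addressed_interfaces(ip_output):
    """Map interface name -> IPv4 addresses seen in `ip -o -4 addr show`."""
    addrs = {}
    for line in ip_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "inet":
            addrs.setdefault(f[1], []).append(ipaddress.ip_interface(f[3]))
    return addrs

def unbindable(smb_conf, ip_output):
    """Return `interfaces` entries matching no interface that holds an IPv4 address."""
    addrs = addressed_interfaces(ip_output)
    local_ips = {i.ip for v in addrs.values() for i in v}
    bad = []
    for entry in parse_interfaces(smb_conf):
        try:  # entry given as IP or IP/mask
            ok = ipaddress.ip_interface(entry).ip in local_ips
        except ValueError:  # entry given as a name, possibly with a wildcard
            ok = any(fnmatch.fnmatch(name, entry) for name in addrs)
        if not ok:
            bad.append(entry)
    return bad

if __name__ == "__main__":
    print("interfaces entries with no address:", unbindable(SMB_CONF, IP_ADDR))
```

On a live host the two inputs would come from the real smb.conf and from running `ip -o -4 addr show`; any entry reported is one Samba cannot bind to.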
