Samba: Could not join to domain, main domain partition problem

[revilop]

SBS2003 R2 DC, trying to get Zentyal to act as additional DC. Followed the steps in the trac docs. When starting the file sharing module on Zentyal CE 3.0.26:

Could not join to domain. The following DNS zones are stored in the main domain partition: 1.0.10.in-addr.arpa, 10.in-addr.arpa. This normally happen when the server is upgraded from Windows Server 2000, and Samba4 will not be able to read these zones. Please, move the zones to the "DomainDnsZones" or "ForestDnsZones" and try again. Check http://technet.microsoft.com/en-us/library/cc730964 for help on how to do that.

The technet article appears to refer to forward lookup zones rather than reverse lookup zones, which 1.0.10.in-addr.arpa and 10.in-addr.arpa located in. I dont have DomainDnsZones and ForestDnsZones in forward zones. SBS2003 R2 AD elevated to Windows Server 2003 from Win2k.

Any ideas or anyone resolved this.

[jbahillo]

Have you tried to follow the mentioned procedure over reverse lookup zone?:

[revilop]

No, I didnt try the change in replication settings, as the technet article didn't mention these, does it work though?

The article applies to Windows Server 2008, Windows Server 2008 R2 but not SBS2003R2 (shouldn't think thats an issue). The community additions at the bottom don't help either, especially the second one about which change button to click

[jbahillo]

The main issue here, is as said in the error that some zone is stored under the main partition, and samba4 cannot read such partition. Thus, you should move whatever DNS zone it being affected to the DomainDnsZones/FoirestDNSZones

[revilop]

So have moved the domains from the main partition and I can see the the Zentyal File sharing is runnning, but now flooding /var/log/zentyal/zentyal.log with:

Code: [Select]

ERROR> SysvolSync.pm::89 EBox::Samba::SysvolSync::__ANON__ - kinit error: could not acquire credentials using an initial credentials context Client (Administrator@CONTOSO.LOCAL) unknown.
Also when trying

Code: [Select]

kinit Administrator
I get:

Code: [Select]

kinit: krb5_get_init_creds: Client (Administrator@CONTOSO.LOCAL) unknown
Is this related to the default AD site being renamed? Or do I need to upgrade zentyal-samba and zentyal-users, as in http://trac.zentyal.org/ticket/7092? If I do need to update the zentyal packages, just do those two?

[jbahillo]

Hi there:

This seems to be related to the kerberos configuration. Is kerberos reachable by 88 port? is there correct kerberos records in DNS for CONTOSO.LOCAL ?

[revilop]

Is kerberos reachable by 88 port? is there correct kerberos records in DNS for CONTOSO.LOCAL ?

I will have to spend the afternoon googling how to find this out

[revilop]

I can

telnet ubuntu 88

I am assuming kerberos is set correctly in the DNS of the SBS2003 server, what steps can I do to check it is correct in Zentyal server?

[jbahillo]

Is the Windows server called Ubuntu? If not, please keep in mind that the issue is reaching the kerberos part of the WIndows server, not the Zentyal one

[revilop]

ubuntu.contoso.local = Zentyal
win.contoso.local = SBS2003 R2

From a Win7 client

Code: [Select]

C:\PortQryV2>portqry -n win.contoso.local -p tcp -e 88

Querying target system called:

 win.contoso.local

Attempting to resolve name to IP address...


Name resolved to 10.0.1.2

querying...

TCP port 88 (kerberos service): LISTENING

C:\PortQryV2>portqry -n win.contoso.local -p udp -e 88

Querying target system called:

 win.contoso.local

Attempting to resolve name to IP address...


Name resolved to 10.0.1.2

querying...

UDP port 88 (kerberos service): LISTENING or FILTERED


[jbahillo]

what's the output of dig axfr contoso.local ?

[revilop]

Command run on ubuntu

Code: [Select]

; <<>> DiG 9.8.1-P1 <<>> axfr contoso.local
;;global options: +cmd
; Transfer failed.

[jbahillo]

Is it the same result if you point to the windows server IP when doing the query?

dig @IP.OF.WINDOWS.SERVER axfr contoso.local?

[revilop]

Yes, similar result,

Code: [Select]

administrator@ubuntu: dig @10.0.1.2 axfr contoso.local
; (1 server found)
;; global options +cmd
; Transfer failed

[revilop]

Perhaps allowing zone transfers from SBS2003 by specifying the IP of ubuntu

http://technet.microsoft.com/en-us/library/cc739056%28v=ws.10%29.aspx

EDIT

Code: [Select]

administrator@ubuntu: dig @10.0.1.2 axfr contoso.local
Gave me back the zone file contents after allowing zone transfers on contoso.local only to ubuntu.contoso.local (10.0.1.9)