Zentyal Forum, Linux Small Business Server
Zentyal Server => Other modules => Topic started by: peptoniET on February 08, 2019, 10:05:33 am
-
This is the situation:
Installed Zentyal 6 as main domain controller SRV01
Installed Zentyal 6 on another machine as domain member SRV03
After installing domain member SRV03, restarting the DNS module on SRV01 from the web GUI yields an error.
Error is:
2019/02/08 07:40:13 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/fP_eCW54tO failed.
2019/02/08 07:40:13 ERROR> Service.pm:969 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/fP_eCW54tO failed.
Error output: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0).
Changes to DNS are saved and visible on web gui, but not really saved to DNS server.
On SRV01 "samba-tool user list" shows "dns-srv01" disappeared, but "dns-SRV03" exists!
On SRV03 "samba-tool user list" shows "dns-SRV03" exists.
Tried to create user "dns-srv01" on SRV01 and add it to "DnsAdmins" group with no luck, but error is different:
2019/02/08 09:24:08 ERROR> Service.pm:971 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-srv01 failed.
2019/02/08 09:24:08 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-srv01 failed.
Error output: kinit: Password incorrect
-
OK.
So, dns-SRV01 (in other cases dns-SERVERNAME) user had disappeared. Why? I will never know. Certainly, nothing that I've done so far.
Hope this helps others.
To recreate:
Create user again
samba-tool user create dns-SERVERNAME
Add user to dns admin group
sudo samba-tool group addmembers DnsAdmins dns-SERVERNAME
Rename dns.keytab file
sudo cp /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
Delete dns.keytab file
sudo rm /var/lib/samba/private/dns.keytab
Re-create dns.keytab file
sudo samba-tool domain exportkeytab --principal=DNS/SERVERNAME.DOMAINNAME.LAN /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=dns-SERVERNAME@DOMAINNAME.LAN /var/lib/samba/private/dns.keytab
Add dns user credentials
sudo kinit -k -t /var/lib/samba/private/dns.keytab dns-SERVERNAME
View result file
sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
Change group and permissions of the result file
chmod 640 /var/lib/samba/private/dns.keytab
chgrp bind /var/lib/samba/private/dns.keytab
After all this, DNS restart does not give any errors.
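
Added example, not part of the original posts and not Zentyal's own code: a small check script for the three conditions this thread turns on (the dns-SERVERNAME account exists, dns.keytab is mode 640 with group bind, and which of the two quoted errors was logged). The function names and the `--live` switch are hypothetical; the live branch assumes it is run as root on the domain controller.

```bash
#!/usr/bin/env bash
# Added example: checks for the Zentyal DNS service account and its keytab.
# Function names are hypothetical, not part of Zentyal or Samba.

# Succeeds if dns-<HOST> is listed in `samba-tool user list` output read from
# stdin. The match is case-insensitive because the thread shows both
# "dns-srv01" and "dns-SRV03" spellings.
dns_account_present() {
    grep -qixF -- "dns-$1"
}

# Succeeds if the keytab exists with the expected octal mode and group.
# The keytab holds long-term Kerberos keys, so only root and the DNS
# daemon's group should be able to read it.
keytab_perms_ok() {
    local path="$1" mode="${2:-640}" group="${3:-bind}"
    [ -f "$path" ] || return 1
    [ "$(stat -c '%a %G' "$path")" = "$mode $group" ]
}

# Maps the two error outputs quoted in the thread to a short cause label.
classify_dns_error() {
    case "$1" in
        # nsupdate -g found no ticket in root's credential cache.
        *"No Kerberos credentials available"*) echo "no-ticket" ;;
        # The key in dns.keytab no longer matches the account's current key,
        # e.g. the account was recreated without re-exporting the keytab.
        *"kinit: Password incorrect"*) echo "keytab-mismatch" ;;
        *) echo "unknown" ;;
    esac
}

# Live checks, only when asked for (run as root on the domain controller).
if [ "${1:-}" = "--live" ]; then
    host="$(hostname -s)"
    samba-tool user list | dns_account_present "$host" \
        || echo "account dns-$host is missing"
    keytab_perms_ok /var/lib/samba/private/dns.keytab 640 bind \
        || echo "dns.keytab is missing or not 640 with group bind"
fi
```
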