Zentyal Forum, Linux Small Business Server

Zentyal Server => Other modules => Topic started by: peptoniET on February 08, 2019, 10:05:33 am

Title: [SOLVED] DNS - user problem - restart
Post by: peptoniET on February 08, 2019, 10:05:33 am
This is the situation:

Installed Zentyal 6 as main domain controller SRV01
Installed Zentyal 6 on another machine as domain member SRV03
After installing domain member SRV03, restarting the DNS module on SRV01 from the web GUI yields an error.

Error is:
2019/02/08 07:40:13 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/fP_eCW54tO failed.
2019/02/08 07:40:13 ERROR> Service.pm:969 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/fP_eCW54tO failed.
Error output: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0).

Changes to DNS are saved and visible on web gui, but not really saved to DNS server.

On SRV01 "samba-tool user list" shows "dns-srv01" disappeared, but "dns-SRV03" exists!
On SRV03 "samba-tool user list" shows "dns-SRV03" exists.

Tried to create user "dns-srv01" on SRV01 and add it to "DnsAdmins" group with no luck, but error is different:
2019/02/08 09:24:08 ERROR> Service.pm:971 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-srv01 failed.
2019/02/08 09:24:08 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-srv01 failed.
Error output: kinit: Password incorrect

Title: Re: DNS - user problem - restart
Post by: peptoniET on February 08, 2019, 12:41:55 pm
OK.

So, the dns-SRV01 (in other cases dns-SERVERNAME) user had disappeared. Why? I will never know. Certainly, nothing that I've done so far.

Hope this helps others.

To recreate:

Create user again
sudo samba-tool user create dns-SERVERNAME
Add user to dns admin group
sudo samba-tool group addmembers DnsAdmins dns-SERVERNAME
Rename dns.keytab file
sudo cp /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
Delete dns.keytab file
sudo rm /var/lib/samba/private/dns.keytab
Re-create dns.keytab file
sudo samba-tool domain exportkeytab --principal=DNS/SERVERNAME.DOMAINNAME.LAN /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=dns-SERVERNAME@DOMAINNAME.LAN /var/lib/samba/private/dns.keytab

Add dns user credentials
sudo kinit -k -t /var/lib/samba/private/dns.keytab dns-SERVERNAME
View result file
sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
Change group and permissions of the result file
sudo chmod 640 /var/lib/samba/private/dns.keytab
sudo chgrp bind /var/lib/samba/private/dns.keytab

After all these, DNS restart does not give any errors.
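As an added example (not part of the post and not Zentyal's own code), the following POSIX shell script checks the state the procedure above restores: the dns-SERVERNAME account exists, it is in DnsAdmins, the keytab holds both exported principals, the keytab is readable by group bind only, and kinit from the keytab works. It also maps the two zentyal.log errors quoted in the thread to the step they point at. The hostname srv01, the realm EXAMPLE.LAN, the zentyal.log path, and the assumption that the Kerberos realm is the upper-cased DNS domain are all assumptions; the pure check functions take captured command output as strings so the script can be exercised offline with the constructed samples at the bottom, and the live commands only run with `--live` on a Zentyal DC.

```shell
#!/bin/sh
# Added example, not from the forum post or from Zentyal: pre-flight checks for
# the Samba DNS service account and keytab that the thread rebuilds by hand.
# Assumed: host srv01, realm EXAMPLE.LAN, log at /var/log/zentyal/zentyal.log.

KEYTAB=/var/lib/samba/private/dns.keytab

# Map the two errors seen in the thread to a short token:
#   no-ticket    -> nsupdate -g had no credential cache; kinit never succeeded,
#                   so check that the dns-<host> account and keytab exist at all
#   stale-keytab -> kinit ran but the keytab keys no longer match the account
#                   (recreated user, old keytab); re-export the keytab
diagnose_dns_error() {     # $1 = log text
    case "$1" in
        *"No Kerberos credentials available"*) echo no-ticket ;;
        *"kinit: Password incorrect"*)          echo stale-keytab ;;
        *)                                      echo unknown ;;
    esac
}

# Does a one-name-per-line listing (samba-tool user list, or
# samba-tool group listmembers DnsAdmins) contain dns-<host>?
# Case-insensitive because the thread shows both dns-srv01 and dns-SRV03.
has_dns_account() {        # $1 = listing, $2 = short hostname
    printf '%s\n' "$1" | grep -qi "^dns-$2\$"
}

# Does a `ktutil -k <keytab> list` listing contain the given principal?
keytab_has_principal() {   # $1 = ktutil listing, $2 = principal
    printf '%s\n' "$1" | grep -qiF -- "$2"
}

# Both principals the thread exports must be present: the DNS/<fqdn> service
# principal and the dns-<host> account principal used for kinit.
keytab_complete() {        # $1 = listing, $2 = fqdn, $3 = realm
    kc_host=${2%%.*}
    keytab_has_principal "$1" "DNS/$2@$3" &&
        keytab_has_principal "$1" "dns-$kc_host@$3"
}

# named (group bind) must read the keytab and nobody else may: mode 640, group bind.
keytab_perms_ok() {        # $1 = output of: stat -c '%a %G' <keytab>
    [ "$1" = "640 bind" ]
}

# Live run (root on the Zentyal DC): sh dnscheck.sh --live
if [ "${1:-}" = "--live" ]; then
    fqdn=$(hostname -f); host=${fqdn%%.*}
    realm=$(hostname -d | tr '[:lower:]' '[:upper:]')   # assumption: realm = upper-cased DNS domain
    echo "last DNS restart error: $(diagnose_dns_error "$(tail -n 100 /var/log/zentyal/zentyal.log)")"
    has_dns_account "$(samba-tool user list)" "$host" \
        && echo "account dns-$host: ok" || echo "account dns-$host: MISSING (samba-tool user create)"
    has_dns_account "$(samba-tool group listmembers DnsAdmins)" "$host" \
        && echo "DnsAdmins membership: ok" || echo "DnsAdmins membership: MISSING (samba-tool group addmembers)"
    keytab_complete "$(ktutil -k "$KEYTAB" list)" "$fqdn" "$realm" \
        && echo "keytab principals: ok" || echo "keytab principals: INCOMPLETE (samba-tool domain exportkeytab)"
    keytab_perms_ok "$(stat -c '%a %G' "$KEYTAB")" \
        && echo "keytab permissions: ok" || echo "keytab permissions: WRONG (chmod 640, chgrp bind)"
    kinit -k -t "$KEYTAB" "dns-$host" && echo "kinit from keytab: ok" || echo "kinit from keytab: FAILED"
fi

# Constructed sample output, shaped like the real commands, for offline use.
SAMPLE_USERS='Administrator
Guest
krbtgt
dns-SRV03
dns-srv01'
SAMPLE_KEYTAB='Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  DNS/srv01.example.lan@EXAMPLE.LAN
  1  aes256-cts-hmac-sha1-96  dns-srv01@EXAMPLE.LAN'
SAMPLE_LOG='2019/02/08 09:24:08 ERROR> Service.pm:971 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-srv01 failed.
Error output: kinit: Password incorrect'
```

Running the offline part against the samples classifies the second error in the thread as stale-keytab, finds dns-srv01 in the user list, and reports the sample keytab complete for srv01 but not for srv03, which is the "dns-SRV03 exists but dns-srv01 is gone" state the post describes.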