It turns out that, unless Samba is compiled specifically with config options against MIT Kerberos, it automatically includes its own private Heimdal Kerberos code to cover Kerberos functionality. I think the Python scripts you've highlighted above are used internally by Samba during setting up/migration. Samba itself sets Kerberos up automatically during the configuration of an AD DC.
In my case I was chasing up completely the wrong path - it turned out to be the "interfaces = " option in Samba. The old server used eth1 for the LAN interface, while the new server used a bridge on br0 for its LAN interface. For all the other testing commands for Samba I used 'localhost' - which went through the loopback (which Samba was also listening on) - so they all completed fine. But when I tried to test Kerberos, it was trying to reach Samba through the LAN IP - because of the Kerberos DNS entry. However, Samba wasn't listening on that, as it wasn't configured correctly to listen on the bridge interface.
It only took 8 hours of troubleshooting, taking the whole server apart, recompiling BIND and running every test from the Samba wiki to figure the above out - as none of the error messages mentioned anything to do with the interface :-)
As a side note for anybody setting up a Samba AD DC on Slackware: although Samba sets up Kerberos automatically, if you want to run the Kerberos tests from the Samba wiki, you will need to install one of the Kerberos packages from SlackBuilds.org to get the necessary command line tools (kinit, klist etc.). krb5 works fine for me. That's another tidbit which took me ages to figure out when I first set up a Samba AD DC.
Last edited by xj25vm; 03-09-2018 at 07:19 AM.
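
The failure described in the post above, as an added example that is not part of the original post: a Python check that compares the `interfaces =` line of smb.conf with the interfaces present on the host and with the LAN address that clients reach through the Kerberos DNS entry. The smb.conf text, the addresses, the `eth0` entry and the function names are constructed for illustration, and `bind interfaces only = yes` is assumed (the post does not show the configuration).

```python
import fnmatch
import ipaddress

# Constructed sample: smb.conf carried over from a server whose LAN NIC was eth1.
SMB_CONF = """\
[global]
    interfaces = lo eth1
    bind interfaces only = yes
"""
# Constructed sample: interface names and IPv4 addresses on the new host.
HOST_IFACES = {"lo": ["127.0.0.1"], "eth0": [], "br0": ["192.168.1.10"]}


def global_options(conf_text):
    """Return the [global] parameters of smb.conf as a dict with lowercased keys."""
    opts, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts


def check_interfaces(conf_text, host_ifaces, target_ip):
    """Compare 'interfaces =' with the host and with the address clients use."""
    opts = global_options(conf_text)
    target = ipaddress.ip_address(target_ip)
    missing, covered = [], False
    for entry in opts.get("interfaces", "").split():
        try:
            # Entry is an address or address/mask, e.g. 192.168.1.10/24.
            net = ipaddress.ip_interface(entry).network
            covered = covered or target in net
        except ValueError:
            # Entry is an interface name; wildcards such as eth* are allowed.
            names = fnmatch.filter(host_ifaces, entry)
            if not names:
                missing.append(entry)
            covered = covered or any(
                target == ipaddress.ip_address(a) for n in names for a in host_ifaces[n])
    bind_only = opts.get("bind interfaces only", "no").lower() in ("yes", "true", "1")
    return {"missing": missing, "covers_target": covered, "bind_only": bind_only}
```

With the constructed data, the loopback address is covered while the LAN address is not, which matches the symptom of localhost tests passing and the Kerberos test failing.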