problems with Samba 4.7 in existing (Samba 4.2 based) domain


Samba - General mailing list
I'd like to get rid of our old Samba 4.2 servers (based on SerNet packages on CentOS6) acting as DC and installed a third server with new Samba 4.7.0 on Fedora 4.7.

Initially I had problems joining, as described here: https://bugzilla.samba.org/show_bug.cgi?id=12398
Using the quick hack from https://forge.univention.org/bugzilla/attachment.cgi?id=8448&action=diff allowed me to join, though. (I don't think it's related to my problem, but I thought I'd better mention it anyway: I had several isCriticalSystemObject=TRUE entries in parent OUs without the flag.)


After a successful join using samba-tool I get error messages like these on both ends, and replication is not successful:

Last attempt @ Thu Dec  7 11:59:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)

newly joined DC7:
[2017/12/07 11:50:49.982738,  0] ../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.1.13[1024,seal,krb5,target_hostname=552f9859-59d5-41e8-bbd4-77c70ad391ee._msdcs.my.internal.domain,target_principal=GC/dc3.my.internal.domain/my.internal.domain,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.25] NT_STATUS_UNSUCCESSFUL

old DC3:
[2017/12/07 11:53:19.630671,  0] ../source4/librpc/rpc/dcerpc_util.c:729(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.1.25[49152,seal,krb5,target_hostname=16588a00-78c4-4e9a-bfdc-eb488bec38a4._msdcs.my.internal.domain,target_principal=GC/dc7.my.internal.domain/my.internal.domain,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.13] NT_STATUS_UNSUCCESSFUL

This looks like an auth (Kerberos) error, maybe related to:
Dec 07 11:55:49 dc7.my.internal.domain krb5kdc[22191](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.11.25: NEEDED_PREAUTH: DC7$@MY.INTERNAL.DOMAIN for krbtgt/[hidden email], Additional pre-authentication required


Any ideas what's going wrong here?

(I already went through the usual first steps: time is in sync, DNS entries were created and can be resolved properly.)



Thanks!
   Chris
