action #43313
Create an upgrade path from samba 4.6 to 4.7 with MIT kerberos
Status: Closed
Done: 100%
Description
We have to do upgrade tests with our heimdal based samba 4.6 setups to samba 4.7 with MIT kerberos
Updated by flacco almost 6 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 20
It seems much more difficult than expected. My first try ends up with a running samba AD DC, but without a KDC. ;-(
At first everything looks good, I checked the "old" AD for errors with "samba-tool dbcheck --cross-ncs --fix". There were a few errors around our DHCPD-Schema, but no show stopper.
After starting samba-ad-dc.service I could ask for users and groups with wbinfo -u and wbinfo -g. Looks good, but SSSD couldn't connect to the AD. I found out that there's no KDC process listening on UDP/TCP port 88. The samba log says:
"Jan 19 12:11:13 invis samba[1922]: task_server_terminate: [KDC: Initialize kadm5]
Jan 19 12:11:13 invis samba[1922]: [2019/01/19 12:11:13.188018, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 19 12:11:13 invis samba[1922]: /usr/lib/mit/sbin/krb5kdc: Failed to exec child - Permission denied
Jan 19 12:11:13 invis samba[1922]: [2019/01/19 12:11:13.189664, 0] ../source4/kdc/kdc-service-mit.c:348(mitkdc_server_done)
Jan 19 12:11:13 invis samba[1922]: The MIT KDC daemon died with exit status 255
Jan 19 12:11:13 invis samba[1922]: [2019/01/19 12:11:13.189759, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
Jan 19 12:11:13 invis samba[1922]: task_server_terminate: [mitkdc child process exited]"
or with a higher log-level:
"Jan 19 12:25:40 invis samba[3066]: task_server_terminate: [KDC: Initialize kadm5]
Jan 19 12:25:40 invis krb5kdc[3075]: Cannot open DB2 database '/var/lib/kerberos/krb5kdc/principal': No such file or directory - while initial>
Jan 19 12:25:40 invis samba[3059]: STATUS=daemon 'samba' finished starting up and ready to serve connections
Jan 19 12:25:40 invis samba[3066]: [2019/01/19 12:25:40.644065, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 19 12:25:40 invis samba[3066]: /usr/lib/mit/sbin/krb5kdc: krb5kdc: cannot initialize realm KASSANDRA-NET.LOC - see log file for details
Jan 19 12:25:40 invis samba[3066]: [2019/01/19 12:25:40.650277, 0] ../source4/kdc/kdc-service-mit.c:348(mitkdc_server_done)
Jan 19 12:25:40 invis samba[3066]: The MIT KDC daemon died with exit status 1
Jan 19 12:25:40 invis samba[3066]: [2019/01/19 12:25:40.650375, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
Jan 19 12:25:40 invis samba[3066]: task_server_terminate: [mitkdc child process exited]"
With "/usr/lib/mit/sbin/kdb5_util create -r KASSANDRA-NET.LOC -s" it is possible to create the missing principal database. After that the kdc starts, but the sssd connection fails anyway.
I should mention that on a native installed invis-Server 14.0 there is no principal database in /var/lib/kerberos/krb5kdc, but everything works.
There is the possibility that my upgrade process fails, caused by an active AppArmor Framework. The new samba-daemon needs updated AppArmor-profiles...
Updated by flacco almost 6 years ago
New information about switching from heimdal to MIT found: https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC#Migrating_a_DC_That_Previously_Used_the_Heimdal_KDC
Next try with this info is in progress.
Updated by flacco almost 6 years ago
- % Done changed from 20 to 40
OK, looks better. While migrating from Heimdal to MIT we have to create a kdc.conf manually in /var/lib/samba/private.
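Two small checks for the Heimdal-to-MIT switch described in this ticket, written as an added example (this is not code from the ticket, the invis-Server project or Samba). The function names are my own, and the sample journal is constructed from the two log excerpts quoted in the description: one function pulls out why the MIT KDC child died (the "ready to serve connections" line is logged even though the KDC is dead, so that line alone proves nothing), the other checks for the hand-made kdc.conf in the Samba private directory.

```shell
#!/bin/sh
# Added example, not code from the ticket, invis-server or Samba.
# Function names and the sample journal are constructed for this demo;
# the sample reuses the journal lines quoted in the ticket description.

# Constructed sample: the two journal excerpts quoted in the ticket.
sample_journal() {
  cat <<'EOF'
Jan 19 12:11:13 invis samba[1922]: task_server_terminate: [KDC: Initialize kadm5]
Jan 19 12:11:13 invis samba[1922]: [2019/01/19 12:11:13.188018, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 19 12:11:13 invis samba[1922]: /usr/lib/mit/sbin/krb5kdc: Failed to exec child - Permission denied
Jan 19 12:11:13 invis samba[1922]: [2019/01/19 12:11:13.189664, 0] ../source4/kdc/kdc-service-mit.c:348(mitkdc_server_done)
Jan 19 12:11:13 invis samba[1922]: The MIT KDC daemon died with exit status 255
Jan 19 12:11:13 invis samba[1922]: task_server_terminate: [mitkdc child process exited]
Jan 19 12:25:40 invis samba[3066]: task_server_terminate: [KDC: Initialize kadm5]
Jan 19 12:25:40 invis krb5kdc[3075]: Cannot open DB2 database '/var/lib/kerberos/krb5kdc/principal': No such file or directory - while initial>
Jan 19 12:25:40 invis samba[3059]: STATUS=daemon 'samba' finished starting up and ready to serve connections
Jan 19 12:25:40 invis samba[3066]: /usr/lib/mit/sbin/krb5kdc: krb5kdc: cannot initialize realm KASSANDRA-NET.LOC - see log file for details
Jan 19 12:25:40 invis samba[3066]: The MIT KDC daemon died with exit status 1
Jan 19 12:25:40 invis samba[3066]: task_server_terminate: [mitkdc child process exited]
EOF
}

# kdc_failures: read journal text on stdin and print one line per
# "MIT KDC daemon died" event, carrying the exit status and the first
# krb5kdc message logged since Samba began initialising the KDC.
kdc_failures() {
  awk '
    /task_server_terminate: \[KDC: Initialize kadm5\]/ { reason = "" }
    /krb5kdc/ && reason == "" { line = $0; sub(/^.*]: /, "", line); reason = line }
    /The MIT KDC daemon died with exit status/ {
      printf "exit=%s reason=%s\n", $NF, (reason == "" ? "(no krb5kdc message logged)" : reason)
      reason = ""
    }
  '
}

# check_mit_kdc_conf [DIR]: the ticket found that a kdc.conf has to be
# created by hand in the Samba private directory for the MIT KDC.
# Returns 0 when the file is readable, 1 otherwise.
check_mit_kdc_conf() {
  dir=${1:-/var/lib/samba/private}
  if [ -r "$dir/kdc.conf" ]; then
    echo "ok: $dir/kdc.conf present"
    return 0
  fi
  echo "missing: $dir/kdc.conf (needed for the MIT KDC; see the Samba wiki page on migrating from Heimdal)" >&2
  return 1
}

# Demo on the constructed sample. On a live DC the input would come from
#   journalctl -u samba-ad-dc.service | kdc_failures
sample_journal | kdc_failures
```

On the sample the first event reports exit status 255 with "Failed to exec child - Permission denied" (the AppArmor suspicion from the description), the second exit status 1 with the missing principal database, which is exactly the pair of symptoms the ticket worked through.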
Updated by flacco almost 6 years ago
- % Done changed from 40 to 80
Bingo!
It works. The whole invis-Server Upgrade Path from V. 13.5 to 14.0 will be found here:
https://wiki.invis-server.org/doku.php/invis_server_wiki:upgrade:13.5_to_14.0
Updated by flacco almost 6 years ago
- Status changed from In Progress to Closed
- % Done changed from 80 to 100
Updated by ingogoeppert over 5 years ago
- Subject changed from Create an upgrade path from samba 4.6 ti 4.7 with MIT kerberos to Create an upgrade path from samba 4.6 to 4.7 with MIT kerberos
Updated by ingogoeppert over 5 years ago
- Target version changed from Future to 13.5