[Samba] kinit failure

Samba @ Pegasusnz samba at pegasusnz.com
Fri May 10 11:19:32 UTC 2024


Hi

I put a DVD in my virtual machine host computer, which then filled the logs with errors and subsequently filled the drive, crashing all VMs.
Luckily I had a backup of the DC image, which I restored. Some machines just worked and some can't find the KDC:
kinit: Cannot contact any KDC for realm 'BALEWAN.UNICORN.COM' while getting initial credentials
I have tried leaving the domain and deleting the computer if it still remained on the DC.
I have installed samba and friends.
But on some machines this has not fixed the problem.

DC2 is online 192.168.50.15
DC9 is offline 192.168.50.17
DC4 is trashed

The machines that fail to rejoin normally time out and give this error:

ERROR(runtime): uncaught exception - (31, 'Failed to set machine spn: Time limit exceeded\nDo you have sufficient permissions to create machine accounts?')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 121, in run
    (sid, domain_name) = s3_net.join_member(netbios_name,
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Partial log from joining the domain:

Bind RPC Pipe: host dc2.balewan.unicorn.com auth_type 0, auth_level 1
rpc_api_pipe: host dc2.balewan.unicorn.com
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host dc2.balewan.unicorn.com
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 32
rpc_api_pipe: host dc2.balewan.unicorn.com
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 232
rpc_api_pipe: host dc2.balewan.unicorn.com
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 32
signed SMB2 message (sign_algo_id=2)
saf_fetch: failed to find server for "balewan.unicorn.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using DNS
dns_rr_srv_fill_done: async DNS A lookup for dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> 192.168.50.15
dns_rr_srv_fill_done: async DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3
dns_rr_srv_fill_done: async DNS AAAA lookup for dc4.balewan.unicorn.com returned DNS code 3
dns_rr_srv_fill_done: async DNS A lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> 192.168.50.17
dns_rr_srv_fill_done: async DNS AAAA lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.15
check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.17
check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
get_dc_list: returning 3 ip addresses in an ordered list
get_dc_list: 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad 
saf_fetch: failed to find server for "balewan.unicorn.com" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using DNS
dns_rr_srv_fill_done: async DNS A lookup for dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> 192.168.50.15
dns_rr_srv_fill_done: async DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses.
dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3
dns_rr_srv_fill_done: async DNS AAAA lookup for dc4.balewan.unicorn.com returned DNS code 3
dns_rr_srv_fill_done: async DNS A lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> 192.168.50.17
dns_rr_srv_fill_done: async DNS AAAA lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.15
check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.17
check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
get_dc_list: returning 3 ip addresses in an ordered list
get_dc_list: 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad 
cldap_multi_netlogon_send: cldap_socket_init failed for ipv6:fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad:389  error NT_STATUS_ADDRESS_NOT_ASSOCIATED
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.BALEWAN with realm BALEWAN.unicorn.COM KDC list:
		kdc = 192.168.50.15

sitename_fetch: Returning sitename for realm 'BALEWAN.unicorn.COM': "Balewan-Stable"
namecache_fetch: name dc2.balewan.unicorn.com#20 found.
ads_try_connect: ads_try_connect: sending CLDAP request to 192.168.50.15 (realm: balewan.unicorn.com)
Successfully contacted LDAP server 192.168.50.15
Connecting to 192.168.50.15 at port 389
Connected to LDAP server dc2.balewan.unicorn.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password Administrator at BALEWAN.unicorn.COM failed: Cannot contact any KDC for requested realm
ads_sasl_spnego_bind: SASL bind with Kerberos failed for ldap/dc2.balewan.unicorn.com - user[Administrator], realm[BALEWAN.unicorn.COM]: Cannot contact any KDC for requested realm, try to fallback to NTLMSSP
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp

Thanks for any help

Callum
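
Added example, not part of Callum's post and not Samba project code: a small Python triage of the join log above. It lists which DCs from the DNS lookups have no address, which resolve but are absent from the generated KDC list, and whether the Kerberos bind failed and fell back to NTLMSSP. The function names are hypothetical, and the regexes assume the log line formats shown in the post.

```python
import re

# Lines copied from the join log in the post above (only the ones parsed here).
SAMPLE_LOG = """\
dns_rr_srv_fill_done: async DNS A lookup for dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> 192.168.50.15
dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3
dns_rr_srv_fill_done: async DNS AAAA lookup for dc4.balewan.unicorn.com returned DNS code 3
dns_rr_srv_fill_done: async DNS A lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> 192.168.50.17
create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.BALEWAN with realm BALEWAN.unicorn.COM KDC list:
\t\tkdc = 192.168.50.15
kerberos_kinit_password Administrator at BALEWAN.unicorn.COM failed: Cannot contact any KDC for requested realm
ads_sasl_spnego_bind: SASL bind with Kerberos failed for ldap/dc2.balewan.unicorn.com - user[Administrator], realm[BALEWAN.unicorn.COM]: Cannot contact any KDC for requested realm, try to fallback to NTLMSSP
"""

GOT = re.compile(r"async DNS \w+ lookup for (\S+) \[\d+\] got \S+ -> (\S+)")
ERR = re.compile(r"async DNS \w+ lookup for (\S+) returned DNS code (\d+)")
KDC = re.compile(r"^\s*kdc = (\S+)")
# The list archive rewrites "@" as " at ", so accept both forms.
KINIT = re.compile(r"kerberos_kinit_password (\S+?)(?:@| at )(\S+) failed: (.+)")

def triage(log):
    """Summarise DC resolution and Kerberos outcome from a join debug log."""
    rep = {"hosts": {}, "kdcs": [], "kinit_failures": [], "ntlm_fallback": False}
    def host(name):
        return rep["hosts"].setdefault(name, {"addrs": set(), "dns_codes": set()})
    for line in log.splitlines():
        if m := GOT.search(line):
            host(m[1])["addrs"].add(m[2])
        elif m := ERR.search(line):
            host(m[1])["dns_codes"].add(int(m[2]))
        elif (m := KDC.match(line)) and m[1] not in rep["kdcs"]:
            rep["kdcs"].append(m[1])
        elif m := KINIT.search(line):
            rep["kinit_failures"].append((m[1], m[2], m[3]))
        if "fallback to NTLMSSP" in line:
            rep["ntlm_fallback"] = True
    return rep

def unresolvable_srv_targets(rep):
    """DC names with no address at all: every lookup returned an error code."""
    return sorted(h for h, v in rep["hosts"].items() if not v["addrs"] and v["dns_codes"])

def resolved_but_not_kdc(rep):
    """DCs that resolve in DNS but did not make it into the generated KDC list."""
    return sorted(h for h, v in rep["hosts"].items()
                  if v["addrs"] and not v["addrs"] & set(rep["kdcs"]))

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("no DNS address:", unresolvable_srv_targets(r))
    print("resolved, not a KDC:", resolved_but_not_kdc(r))
    print("KDC list:", r["kdcs"], "| kinit failures:", r["kinit_failures"])
    print("fell back to NTLMSSP:", r["ntlm_fallback"])
```

On these lines it reports dc4 as having no address (DNS code 3 is NXDOMAIN if Samba prints the standard RCODE here, which is an assumption), dc9 as resolving but missing from the KDC list, and one kinit failure followed by the NTLMSSP fallback.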






