[Samba] kinit failure

Rowland Penny rpenny at samba.org
Fri May 10 11:55:32 UTC 2024


On Fri, 10 May 2024 23:19:32 +1200
"Samba @ Pegasusnz via samba" <samba at lists.samba.org> wrote:

> Hi
> 
> Putting a DVD in my Virtual Machine Host Computer filled the logs
> with errors and subsequently filled the drive, crashing all VMs.

So, to all intents and purposes, your domain was dead.

> Luckily I had a backup of the DC image which I
> restored 

In an instance like this, you should be backing up the domain with
samba-tool, not backing up an individual DC. If you had a domain
backup, you could recreate your domain.
But you have what you have.

> and some machines just worked and some can't find the KDC:
> kinit: Cannot contact any KDC for realm 'BALEWAN.UNICORN.COM' while getting initial credentials
> I have tried leaving the domain and deleting the computer if it still
> remained on the DC. I have installed samba and friends, but on some
> machines this has not fixed the problem.
> 
> DC2 is online 192.168.50.15

I suggest you do this:

Seize all the FSMO roles to DC2, if it doesn't already hold them.
Forcibly demote any other DCs and then join new ones to replace them.

> DC9 is offline 192.168.50.17
> DC4 is trashed
> 
> On the machines that fail to rejoin, they normally time out and give
> this error:
> 
> ERROR(runtime): uncaught exception - (31, 'Failed to set machine spn: Time limit exceeded\nDo you have sufficient permissions to create machine accounts?')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 121, in run
>     (sid, domain_name) = s3_net.join_member(netbios_name,
>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Any domain clients that are not working should be removed by running
'net ads leave -U administrator' and then joined again with 'net ads
join -U administrator' (after you have checked that they can connect to
a DC).
 
> 
> Joining the domain partial log
> 
> Bind RPC Pipe: host dc2.balewan.unicorn.com auth_type 0, auth_level 1
> rpc_api_pipe: host dc2.balewan.unicorn.com
> signed SMB2 message (sign_algo_id=2)
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host dc2.balewan.unicorn.com
> signed SMB2 message (sign_algo_id=2)
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host dc2.balewan.unicorn.com
> signed SMB2 message (sign_algo_id=2)
> rpc_read_send: data_to_read: 232
> rpc_api_pipe: host dc2.balewan.unicorn.com
> signed SMB2 message (sign_algo_id=2)
> rpc_read_send: data_to_read: 32
> signed SMB2 message (sign_algo_id=2)
> saf_fetch: failed to find server for "balewan.unicorn.com" domain
> get_dc_list: preferred server list: ", *"
> resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using DNS
> dns_rr_srv_fill_done: async DNS A lookup for dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> 192.168.50.15
> dns_rr_srv_fill_done: async DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses.
> dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3
> dns_rr_srv_fill_done: async DNS AAAA lookup for dc4.balewan.unicorn.com returned DNS code 3
> dns_rr_srv_fill_done: async DNS A lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> 192.168.50.17
> dns_rr_srv_fill_done: async DNS AAAA lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
> check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.15
> check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.17
> check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
> get_dc_list: returning 3 ip addresses in an ordered list
> get_dc_list: 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
> saf_fetch: failed to find server for "balewan.unicorn.com" domain
> get_dc_list: preferred server list: ", *"
> resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using DNS
> dns_rr_srv_fill_done: async DNS A lookup for dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> 192.168.50.15
> dns_rr_srv_fill_done: async DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses.
> dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3
> dns_rr_srv_fill_done: async DNS AAAA lookup for dc4.balewan.unicorn.com returned DNS code 3
> dns_rr_srv_fill_done: async DNS A lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> 192.168.50.17
> dns_rr_srv_fill_done: async DNS AAAA lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
> check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.15
> check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.17
> check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
> get_dc_list: returning 3 ip addresses in an ordered list
> get_dc_list: 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
> cldap_multi_netlogon_send: cldap_socket_init failed for ipv6:fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad:389  error NT_STATUS_ADDRESS_NOT_ASSOCIATED
> create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.BALEWAN with realm BALEWAN.unicorn.COM
> KDC list: kdc = 192.168.50.15
> 
> sitename_fetch: Returning sitename for realm 'BALEWAN.unicorn.COM': "Balewan-Stable"
> namecache_fetch: name dc2.balewan.unicorn.com#20 found.
> ads_try_connect: ads_try_connect: sending CLDAP request to 192.168.50.15 (realm: balewan.unicorn.com)
> Successfully contacted LDAP server 192.168.50.15
> Connecting to 192.168.50.15 at port 389
> Connected to LDAP server dc2.balewan.unicorn.com
> KDC time offset is 0 seconds
> Found SASL mechanism GSS-SPNEGO
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> kerberos_kinit_password Administrator at BALEWAN.unicorn.COM failed: Cannot contact any KDC for requested realm
> ads_sasl_spnego_bind: SASL bind with Kerberos failed for ldap/dc2.balewan.unicorn.com - user[Administrator], realm[BALEWAN.unicorn.COM]: Cannot contact any KDC for requested realm, try to fallback to NTLMSSP
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
> 
> Thanks for any help
> 
> Callum

I think your problem is that your AD DNS is still supplying records for
DCs that no longer work.

Rowland
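A client-side check for the stale-record situation Rowland describes, added here as an example and not code from the thread or from Samba: it parses the `_kerberos._tcp` SRV answer for the realm, resolves each target and probes TCP/88, so a "Cannot contact any KDC" timeout can be traced to the specific SRV entries that still advertise dead DCs. The SRV text, hostnames and addresses are constructed to mirror the thread; the `resolver` and `probe` parameters exist so the logic can be exercised offline, and a live run uses the socket-based defaults.

```python
import socket
from collections import namedtuple

# Constructed sample of `dig +short SRV _kerberos._tcp.balewan.unicorn.com` while the AD zone still advertises all three DCs named in the thread.
SAMPLE_SRV = """\
0 100 88 dc2.balewan.unicorn.com.
0 100 88 dc4.balewan.unicorn.com.
0 100 88 dc9.balewan.unicorn.com.
"""
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def parse_dig_srv(output):
    """Parse 'priority weight port target.' lines into SrvRecord tuples."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip blanks and anything that is not SRV RDATA
            records.append(SrvRecord(int(parts[0]), int(parts[1]), int(parts[2]),
                                     parts[3].rstrip(".").lower()))
    return records

def resolve_a(host):
    # Default resolver: the target's A record, or None when DNS has no answer.
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None

def tcp_probe(ip, port, timeout=2.0):
    # Default probe: can this client open a TCP connection to the KDC port?
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def audit_kdcs(srv_output, resolver=resolve_a, probe=tcp_probe):
    """Return (live, stale): live = [(record, ip)] of reachable KDCs,
    stale = [(record, reason)] of SRV entries still advertising dead DCs."""
    live, stale = [], []
    for rec in parse_dig_srv(srv_output):
        ip = resolver(rec.target)
        if ip is None:          # DC4's case: 'returned DNS code 3' (NXDOMAIN)
            stale.append((rec, "no A record"))
        elif probe(ip, rec.port):
            live.append((rec, ip))
        else:                   # DC9's case: name resolves, but the host is down
            stale.append((rec, f"{ip}:{rec.port} unreachable"))
    return live, stale
```

Entries reported as stale are the ones to clean out of AD DNS once the corresponding DCs have been forcibly demoted; until then, the `live` list is what a client's krb5.conf `kdc =` entries should be limited to.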
