[Samba] kinit failure

Samba @ Pegasusnz samba at pegasusnz.com
Tue May 14 05:18:28 UTC 2024



> On 10 May 2024, at 11:55 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Fri, 10 May 2024 23:19:32 +1200
> "Samba @ Pegasusnz via samba" <samba at lists.samba.org> wrote:
> 
>> Luckily I had a backup of the DC image which I
>> restored 
> 
> In an instance like this, you should be backing up the domain with
> samba-tool, not backing up an individual DC. If you had a domain
> backup, you could recreate your domain.
> But you have what you have.

I do have a backup of the domain, but since I was moving VMs around I thought this option would be easier.
> 
>> and some machines just worked and some can’t find KDC
>> kinit: Cannot contact any KDC for realm 'BALEWAN.UNICORN.COM' while
>> getting initial credentials I have tried leaving the domain and
>> deleting computer if it still remained on DC I have installed samba
>> and friends But on some machines this has not fixed the problem
>> 
>> DC2 is online 192.168.50.15
> 
> I suggest you do this:
> 
> Seize all the FSMO roles to DC2, if it doesn't already hold them.
> Forcibly demote any other DCs and then join new ones to replace them.

That is what I had already done

> 
>> DC9 is offline 192.168.50.17
>> DC4 is trashed
>> 
>> On the machine that fail to rejoin they normally time out and give
>> this error
>> 
>> ERROR(runtime): uncaught exception - (31, 'Failed to set machine spn:
>> Time limit exceeded\nDo you have sufficient permissions to create
>> machine accounts?') File
>> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279,
>> in _run return self.run(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^
>> File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
>> line 121, in run (sid, domain_name) =
>> s3_net.join_member(netbios_name, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Any domain clients that are not working should be removed by running
> 'net ads leave -U administrator' and then joined again with 'net ads
> join -U administrator' (after you have checked that they can connect to
> a DC)

It turns out that there is strange behaviour in VirtualBox Debian 12.
VirtualBox servers running on the same host seem to have problems talking securely.
It seems if they have established a connection with a previous version they will continue to chat.

Not only does it affect kinit but ssh hangs as well.

I reset the mtu with
ip link set mtu 1400 dev enp0s3

And boom, kinit and ssh suddenly work.

Also I wanted to deploy a new DC with an updated domain name, but Debian 12 Samba 4.16 would hang on deploy, maybe the same reason.
When I installed the backports version everything was fine.

HTH some poor soul in the future


> 
>> 
>> Joining the domain partial log
>> 
>> Bind RPC Pipe: host dc2.balewan.unicorn.com auth_type 0, auth_level 1
>> rpc_api_pipe: host dc2.balewan.unicorn.com
>> signed SMB2 message (sign_algo_id=2)
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host dc2.balewan.unicorn.com
>> signed SMB2 message (sign_algo_id=2)
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host dc2.balewan.unicorn.com
>> signed SMB2 message (sign_algo_id=2)
>> rpc_read_send: data_to_read: 232
>> rpc_api_pipe: host dc2.balewan.unicorn.com
>> signed SMB2 message (sign_algo_id=2)
>> rpc_read_send: data_to_read: 32
>> signed SMB2 message (sign_algo_id=2)
>> saf_fetch: failed to find server for "balewan.unicorn.com" domain
>> get_dc_list: preferred server list: ", *"
>> resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using
>> DNS dns_rr_srv_fill_done: async DNS A lookup for
>> dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com ->
>> 192.168.50.15 dns_rr_srv_fill_done: async DNS AAAA lookup for
>> dc2.balewan.unicorn.com returned 0 addresses. dns_rr_srv_fill_done:
>> async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3
>> dns_rr_srv_fill_done: async DNS AAAA lookup for
>> dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done:
>> async DNS A lookup for dc9.balewan.unicorn.com [0] got
>> dc9.balewan.unicorn.com -> 192.168.50.17 dns_rr_srv_fill_done: async
>> DNS AAAA lookup for dc9.balewan.unicorn.com [0] got
>> dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
>> check_negative_conn_cache returning result 0 for domain
>> balewan.unicorn.com server 192.168.50.15 check_negative_conn_cache
>> returning result 0 for domain balewan.unicorn.com server
>> 192.168.50.17 check_negative_conn_cache returning result 0 for domain
>> balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
>> get_dc_list: returning 3 ip addresses in an ordered list get_dc_list:
>> 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
>> saf_fetch: failed to find server for "balewan.unicorn.com" domain
>> get_dc_list: preferred server list: ", *" resolve_ads: Attempting to
>> resolve KDCs for balewan.unicorn.com using DNS dns_rr_srv_fill_done:
>> async DNS A lookup for dc2.balewan.unicorn.com [0] got
>> dc2.balewan.unicorn.com -> 192.168.50.15 dns_rr_srv_fill_done: async
>> DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses.
>> dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com
>> returned DNS code 3 dns_rr_srv_fill_done: async DNS AAAA lookup for
>> dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done:
>> async DNS A lookup for dc9.balewan.unicorn.com [0] got
>> dc9.balewan.unicorn.com -> 192.168.50.17 dns_rr_srv_fill_done: async
>> DNS AAAA lookup for dc9.balewan.unicorn.com [0] got
>> dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
>> check_negative_conn_cache returning result 0 for domain
>> balewan.unicorn.com server 192.168.50.15 check_negative_conn_cache
>> returning result 0 for domain balewan.unicorn.com server
>> 192.168.50.17 check_negative_conn_cache returning result 0 for domain
>> balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
>> get_dc_list: returning 3 ip addresses in an ordered list get_dc_list:
>> 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad
>> cldap_multi_netlogon_send: cldap_socket_init failed for
>> ipv6:fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad:389  error
>> NT_STATUS_ADDRESS_NOT_ASSOCIATED
>> create_local_private_krb5_conf_for_domain: wrote file
>> /run/samba/smb_krb5/krb5.conf.BALEWAN with realm BALEWAN.unicorn.COM
>> KDC list: kdc = 192.168.50.15
>> 
>> sitename_fetch: Returning sitename for realm 'BALEWAN.unicorn.COM':
>> "Balewan-Stable" namecache_fetch: name dc2.balewan.unicorn.com#20
>> found. ads_try_connect: ads_try_connect: sending CLDAP request to
>> 192.168.50.15 (realm: balewan.unicorn.com) Successfully contacted
>> LDAP server 192.168.50.15 Connecting to 192.168.50.15 at port 389
>> Connected to LDAP server dc2.balewan.unicorn.com
>> KDC time offset is 0 seconds
>> Found SASL mechanism GSS-SPNEGO
>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>> kerberos_kinit_password Administrator at BALEWAN.unicorn.COM failed:
>> Cannot contact any KDC for requested realm ads_sasl_spnego_bind: SASL
>> bind with Kerberos failed for ldap/dc2.balewan.unicorn.com -
>> user[Administrator], realm[BALEWAN.unicorn.COM]: Cannot contact any
>> KDC for requested realm, try to fallback to NTLMSSP Starting GENSEC
>> mechanism spnego Starting GENSEC submechanism ntlmssp
>> 
>> Thanks for any help
>> 
>> Callum
> 
> I think your problem is that your AD dns is still supplying records for
> DCs that no longer work.
> 
> Rowland
> 
> 
> 
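Rowland's diagnosis was that AD DNS still hands out KDC records for DCs that are gone, and Callum's eventual fix was dropping the interface MTU to 1400. The script below is an added example, not something posted in the thread, that checks both conditions before a client is re-joined: it reads the _kerberos._tcp SRV answer for the realm, tests TCP/88 on every target so stale records stand out, and for the KDCs that do answer it probes the path MTU with DF-bit pings. With no arguments it runs in demo mode on an SRV answer constructed from the host names in the thread and simulated probes; with a realm argument it uses the real tools, which are assumed to be dig, nc (with -z/-w) and Linux iputils ping (-M do).

```shell
#!/bin/sh
# Pre-join KDC health check (added example, not from the mailing-list thread).
#  1. parse the _kerberos._tcp SRV answer for the realm (priority asc, weight desc)
#  2. test TCP/88 on each KDC and flag stale DNS records for DCs that no longer answer
#  3. probe the path MTU to each live KDC with DF-bit pings

# Constructed sample of `dig +short SRV _kerberos._tcp.balewan.unicorn.com`
# (fields: priority weight port target); dc4 and dc9 are the dead DCs from the thread.
SAMPLE_SRV='0 100 88 dc2.balewan.unicorn.com.
0 100 88 dc4.balewan.unicorn.com.
0 100 88 dc9.balewan.unicorn.com.'

# Read SRV lines on stdin, print targets (trailing dot stripped) in the order a client
# would try them: lowest priority first, highest weight first within a priority.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4 }' |
        sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# Real reachability probe: does $1 accept a TCP connection on port 88 within 3 s?
# (KDCs also listen on UDP/88, but a TCP connect is the cheapest unambiguous test.)
kdc_reachable() {
    nc -z -w 3 "$1" 88 >/dev/null 2>&1
}

# Simulated probe for demo mode: only DC2 (192.168.50.15 in the thread) answers.
sim_reachable() {
    case $1 in dc2.*) return 0 ;; *) return 1 ;; esac
}

# Read KDC names on stdin and label each "live" or "stale" using probe $1.
classify_kdcs() {
    ck_probe=$1
    while IFS= read -r ck_host; do
        [ -n "$ck_host" ] || continue
        if "$ck_probe" "$ck_host"; then
            echo "live $ck_host"
        else
            echo "stale $ck_host"
        fi
    done
}

# Real MTU probe: one ICMP echo to $1 carrying $2 payload bytes with DF set (Linux iputils).
# payload = MTU - 28 (20-byte IPv4 header + 8-byte ICMP header).
mtu_probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Simulated MTU probe: frames above 1400 bytes are dropped, as on the author's host.
sim_mtu_probe() {
    [ "$2" -le 1372 ]
}

# Largest candidate MTU that host $1 accepts without fragmentation, tried from the top down
# using probe $2; prints "none" (and returns 1) if even the smallest candidate fails.
find_mtu() {
    fm_host=$1
    fm_probe=$2
    for fm_mtu in 1500 1472 1400 1280 1200; do
        if "$fm_probe" "$fm_host" $((fm_mtu - 28)); then
            echo "$fm_mtu"
            return 0
        fi
    done
    echo "none"
    return 1
}

# Read SRV lines on stdin and print one verdict per KDC for realm $1.
report() {
    rp_realm=$1
    rp_reach=$2
    rp_mtu=$3
    srv_targets | classify_kdcs "$rp_reach" | while read -r rp_state rp_host; do
        if [ "$rp_state" = live ]; then
            echo "KDC $rp_host: reachable, path MTU $(find_mtu "$rp_host" "$rp_mtu")"
        else
            echo "KDC $rp_host: NOT reachable; stale SRV record in $rp_realm (remove it with samba-tool dns delete)"
        fi
    done
}

main() {
    if [ $# -eq 0 ]; then
        echo "demo mode: constructed SRV answer, simulated probes"
        printf '%s\n' "$SAMPLE_SRV" | report BALEWAN.UNICORN.COM sim_reachable sim_mtu_probe
    else
        dig +short SRV "_kerberos._tcp.$1" | report "$1" kdc_reachable mtu_probe
    fi
}
main "$@"
```

Run it as `sh kdc-check.sh BALEWAN.UNICORN.COM` from the client that fails to join; a KDC reported as stale is exactly the kind of record Rowland describes, and a reported MTU below 1500 on a live KDC is the symptom Callum worked around with `ip link set mtu`. The probes are plain functions so the same logic can be exercised without a network, which is what demo mode does.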
