Samba4 Internal Kerberos fails to start on FreeBSD 9.1-Prerelease

Dewayne dewayne.geraghty at heuristicsystems.com.au
Wed Nov 28 00:33:25 MST 2012


Following the guidance at https://wiki.samba.org/index.php/Samba4/HOWTO and accepting all defaults met with partial success:
Kerberos failed to start.

The following resulted in a successful build and start of most samba4 processes:
# Create and enter a fresh guest system using IP 10.0.5.245
cd /packages/All
pkg_add perl-threaded-5.16.0.tbz python27-2.7.3_3.tbz bind99-base-9.9.1.3 heimdal-1.5.2_4 
cd /data       # where we'll build the software
fetch http://ftp.samba.org/pub/samba/rc/samba-4.0.0rc5.tar.gz
cd samba-4.0.0rc5
./configure --enable-debug --enable-selftest
make 
make install
/usr/local/samba/bin/samba-tool domain provision --realm=hs.local  \
  --domain=HS --adminpass='AnAdmin1' --server-role=dc

/usr/local/samba/sbin/samba -d 2 --maximum-runtime=600
# The following commands worked correctly
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'AnAdmin1' -c 'ls'
/usr/local/samba/bin/wbinfo -t
/usr/local/samba/bin/wbinfo -u
/usr/local/samba/bin/wbinfo -g
nslookup -type=SRV _ldap._tcp.hs.local.
nslookup -type=SRV _kerberos._tcp.hs.local.
ldapsearch -x -H ldap://10.0.5.245:389/ -D "cn=Administrator,cn=Users,dc=HS,dc=local" -w "AnAdmin1" -b 'dc=hs,dc=local'

Unfortunately, the internal Kerberos failed to start:
kinit administrator@HS
kinit: krb5_get_init_creds: unable to reach any KDC in realm HS

Reviewing the logs revealed
...
[2012/11/28 17:30:39,  0] ../source4/kdc/kdc.c:690(kdc_add_socket)
  Failed to bind to 10.0.5.245:88 UDP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
...
[2012/11/28 17:30:39,  0] ../source4/cldap_server/cldap_server.c:134(cldapd_add_socket)
  Failed to bind to ipv4:10.0.5.245:389 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

Which is "interesting" because the ldap queries provide correct responses.

Prior to invoking /usr/local/samba/sbin/samba, 
netstat -na | egrep "tcp|udp"  # revealed
tcp4       0     52 10.0.5.240.22          10.0.5.2.1294          ESTABLISHED
tcp4       0      0 10.0.5.240.22          10.0.5.2.1182          ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 10.0.5.245.514         *.*
udp4       0      0 *.514                  *.*

While samba was running,
netstat -na | egrep "tcp|udp"
tcp4       0      0 10.0.5.245.53          *.*                    LISTEN
tcp4       0      0 10.0.5.245.3268        *.*                    LISTEN
tcp4       0      0 10.0.5.245.389         *.*                    LISTEN
tcp4       0      0 10.0.5.245.135         *.*                    LISTEN
tcp4       0      0 10.0.5.245.1024        *.*                    LISTEN
tcp4       0      0 10.0.5.245.139         *.*                    LISTEN
tcp4       0      0 10.0.5.245.445         *.*                    LISTEN
tcp4       0     52 10.0.5.240.22          10.0.5.2.1294          ESTABLISHED
tcp4       0      0 10.0.5.240.22          10.0.5.2.1182          ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 10.0.5.245.53          *.*
udp4       0      0 10.0.5.245.514         *.*
udp4       0      0 *.514                  *.*

There are no firewall rules active, no routing peculiarities. And for those familiar with jails, raw sockets are enabled and bpf
devices are visible.

Key auxiliary files:
/etc/resolv.conf
search hs.local
nameserver 10.0.5.245

/etc/krb5.conf
[libdefaults]
        default_realm = HS
        dns_lookup_realm = false
        dns_lookup_kdc = true

Platform: FreeBSD built 17th Nov.  
A fresh FreeBSD jail was created using IPv4 of 10.0.5.245, all services on the host system were stopped with the exception of ssh &
syslog.
The jails are custom and contain only the core operating system, relying upon packages for their "character".

I'm really excited to have gotten this far, and the build was extremely convenient.  
I welcome any advice and am happy to act as someone's fingers in resolving the situation.

I was pleasantly surprised that the service ntp_signed started successfully, which I thought would be a blocker, because ntpd fails
within a jail due to the mlockall syscall. 

Kind regards, Dewayne.
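The post rules out a foreign listener by reading `netstat -na` by eye before and after starting samba. Below is an added example (not from the original post, and not Samba code) that does the same comparison mechanically: it reads a BSD-style `netstat -na` table on stdin and reports which of the ports an AD DC binds are already held on the DC's own address or on the wildcard. The port set (53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269) is the standard AD DC set and is an assumption of the example, not something the post lists; the function name `adc_conflicts` and the sample tables are likewise constructed for the example, with the "collision" lines added deliberately so the check has something to find.

```sh
#!/bin/sh
# Added example, not part of the original post or of Samba.
# Pre-flight check before starting /usr/local/samba/sbin/samba: read the
# socket table (the `netstat -na` form used in the post) and report which
# of the ports an AD DC binds are already held on the DC's IP or on the
# wildcard address.  The port set (DNS, Kerberos, RPC endpoint mapper,
# NetBIOS, LDAP, SMB, kpasswd, LDAPS, GC, GC-over-SSL) is the standard
# AD DC set, assumed here rather than taken from the post.

# adc_conflicts DC_IP  < netstat-output
# Prints one "proto port" line per already-bound port, unique, sorted.
adc_conflicts() {
    awk -v ip="$1" '
        BEGIN {
            split("53 88 135 139 389 445 464 636 3268 3269", p, " ")
            for (i in p) want[p[i]] = 1
        }
        # BSD netstat columns: proto recv-q send-q local foreign [state]
        $1 ~ /^(tcp|udp)/ {
            proto = substr($1, 1, 3)
            n = split($4, f, ".")          # local address is addr.port
            port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in want)) next
            if (addr != "*" && addr != ip) next
            # TCP only matters when listening; every bound UDP socket matters
            if (proto == "tcp" && $6 != "LISTEN") next
            print proto, port
        }' | sort -u
}

# Constructed sample: the post's pre-start table plus three sockets that
# are NOT in the post, added to show what a real collision looks like
# (a wildcard UDP/88 bind and a UDP+TCP 389 pair on the DC address).
SAMPLE='tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 10.0.5.245.514         *.*
udp4       0      0 *.514                  *.*
udp4       0      0 *.88                   *.*
udp4       0      0 10.0.5.245.389         *.*
tcp4       0      0 10.0.5.245.389         *.*                    LISTEN'

# The post's actual pre-start table: nothing but sshd and syslogd.
POST_TABLE='tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 10.0.5.245.514         *.*
udp4       0      0 *.514                  *.*'

check_sample()     { printf '%s\n' "$SAMPLE"     | adc_conflicts 10.0.5.245; }
check_post_table() { printf '%s\n' "$POST_TABLE" | adc_conflicts 10.0.5.245; }

# On a live system: netstat -na | adc_conflicts 10.0.5.245
check_sample
```

Run against the post's own pre-start table (only sshd on 22 and syslogd on 514), the check prints nothing, which is consistent with what the post shows: no other daemon held 88/udp or 389/udp before samba started. That leaves samba's own bind sequence as the thing to examine next. One candidate worth testing, not confirmed by the post, is that a bind to the wildcard address and a later bind to the interface address land on the same socket address inside a jail, since a jail rewrites wildcard binds to the jail's IP; setting `interfaces` and `bind interfaces only` in smb.conf so that only the explicit address is bound would distinguish that case.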
