domain join stuck at krb5_get_init_creds_password

Shilpa K shilpa.krishnareddy at gmail.com
Thu Apr 29 12:37:12 UTC 2021


Hi Jeremy,

Thanks for the response. I do not have the network traces. In this case, we
were using 'net ads join -k' and 'net ads testuser -k'. But what I got to
know was that there was a firewall for one of the KDCs and Samba tried to
connect to it and the function krb5_sendto() got blocked in connect(). It
appears like the timeout value for connect() was 60 seconds. As there were
multiple attempts to connect(), it added to the delay. I tested a fix from
Heimdal which uses non-blocking connect with timeout and this seems to help.

Thanks,
Shilpa

On Thu, Apr 29, 2021 at 9:14 AM Jeremy Allison <jra at samba.org> wrote:

> On Thu, Apr 29, 2021 at 05:55:33AM +0530, Shilpa K via samba-technical
> wrote:
> >Hello,
> >
> >In one of the cases, we had a situation where the KDC was not reachable during
> >domain join. In this case, we found that krb5_get_init_creds_password()
> >will be stuck for about 6 minutes. Is there a way I can reduce the timeout
> >value for krb5_get_init_creds_password() so that domain join will not be
> >waiting on this call for too long?
>
> Where in krb5_get_init_creds_password() is it stuck ?
>
> Is it the DNS resolution, or in the connect() call ?
>
> Can you give more data on what you see in this situation
> in wireshark please, and what Samba binary is calling
> krb5_get_init_creds_password(). That will help a lot
> in debugging this.
>
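
The fix described in the message above, a non-blocking connect() bounded by a timeout, sketched as an added example; it is not the Heimdal patch or Samba code. The function names, the IPv4-only handling and the timeout values are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Connect to ip:port, giving up after timeout_ms instead of waiting for the
 * kernel's own connect() timeout. Returns a connected fd in blocking mode, or
 * -1 with errno set (ETIMEDOUT when packets are silently dropped). */
int connect_with_timeout(const char *ip, unsigned short port, int timeout_ms)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { errno = EINVAL; return -1; }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) goto fail;

    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        if (errno != EINPROGRESS) goto fail;      /* immediate hard error */
        struct pollfd pfd = { .fd = fd, .events = POLLOUT };
        int rc;
        /* Simplification: a signal (EINTR) restarts the full timeout. */
        do { rc = poll(&pfd, 1, timeout_ms); } while (rc < 0 && errno == EINTR);
        if (rc <= 0) { if (rc == 0) errno = ETIMEDOUT; goto fail; }
        /* Writable does not mean connected: read the deferred result. */
        int err = 0; socklen_t len = sizeof(err);
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) goto fail;
        if (err) { errno = err; goto fail; }
    }
    if (fcntl(fd, F_SETFL, flags) < 0) goto fail; /* restore blocking mode */
    return fd;
fail:
    { int saved = errno; close(fd); errno = saved; }
    return -1;
}

/* Try each KDC address in order; the worst-case delay is n * timeout_ms. */
int connect_first_reachable(const char **ips, size_t n, unsigned short port, int timeout_ms)
{
    for (size_t i = 0; i < n; i++) {
        int fd = connect_with_timeout(ips[i], port, timeout_ms);
        if (fd >= 0) return fd;
    }
    return -1;
}
```

With a 60-second blocking connect() per attempt, several attempts against a filtered KDC add up to minutes; with a per-attempt bound the total wait is at most the number of addresses times the chosen timeout.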

