[Samba] Samba 4 Cannot contact any KDC for requested realm

[steve]

On 22/01/12 10:19, Gémes Géza wrote:
> 2012-01-21 09:42 keltezéssel, steve írta:
>> Version 4.0.0alpha18-GIT-957ec28 with dns hh3.site realm SITE
>> After starting samba -i -d3,
>> wbinfo -i someuser
>> gives this:
>>
>> ldb_wrap open of secrets.ldb
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> Cannot reach a KDC we require to contact cifs/hh3.site at SITE : kinit
>> for HH3$@SITE failed (Cannot contact any KDC for requested realm)
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
>>
>>
>> ldb_wrap open of secrets.ldb
>> schannel_fetch_session_key_tdb: restored schannel info key
>> SECRETS/SCHANNEL/HH3
>> Cannot reach a KDC we require to contact host/hh3.site at SITE : kinit
>> for HH3$@SITE failed (Cannot contact any KDC for requested realm)
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
>> NT_STATUS_NO_LOGON_SERVERS
>>
>> wbinfo -u works fine and shows a list of users. Subsequent calls to
>> wbinfo do not produce this error. It only happens the first time after
>> samba is started.
>>
>> <dare not mention>
>> This may coincide with yesterday's bind 9 update from openSUSE
>> </dare not mention>
>>
>> This seems OK no?
>> Calling DNS name update script
>> Calling SPN name update script
>> Completed SPN update check OK
>> Completed DNS update check OK
>>
>> and all the dns and kinit test stuff on the wiki checks out too.
>>
>> Any ideas?
>> Thanks,
>> Steve
> Glad you have mentioned bind, in my experience 90% of kerberos related
> problems were caused by failure to look up names. On my test system (I
> haven't used Samba4 in production yet) I use bind9.8 with thedlz
> backend. After I restart samab4 I have to restart bind9 as well, because
> otherwise there is no name resolution possible.
>
> Hope that helps
>
> Geza
Yes. That was it. named doesn't survive a samba restart here either.
openSUSE 12.1
rpm -q bind
bind-9.8.1P1-87.1.i586

Thanks
Steve