[Samba] kinit: Cannot contact any KDC for realm 'MY.LOCAL.' while getting initial credentials

Rowland Penny rowlandpenny241155 at gmail.com
Tue Sep 15 14:42:06 UTC 2015


On 15/09/15 13:58, James wrote:
> On 9/15/2015 8:30 AM, Lluís Danés wrote:
>> Solved! It was related to .local TLD. (perhaps avahi (I have an
>> avahi-daemon running)... I don't know since I have never used it and I
>> don't know what it is)
>>
>> Since I've replaced it with a new one (ad.example.com using EXAMPLE NetBIOS
>> domain) all works again and kinit administrator@AD.EXAMPLE.COM works again.
>>
>> Thanks
>>
>>
>> 2015-09-15 12:21 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>
>>> On 15/09/15 10:59, Lluís Danés wrote:
>>>
>>>> 2015-09-15 11:39 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>>>
>>>>      On 15/09/15 09:40, Lluís Danés wrote:
>>>>
>>>>          Well, I downloaded it manually without using git. I've
>>>>          compiled it with the "--with-acl-support" because I thought it
>>>>          was not included as default (I remember that I read it from
>>>>          the wiki that it was said to build samba by yourself if you
>>>>          want to use windows ACL's).
>>>>
>>>>
>>>>      Can you remember just where on the wiki it said that ?
>>>>      You can use distro packages (well except red-hat packages and only
>>>>      then if you want to setup a DC) or the packages from Sernet.
>>>>
>>>>
>>>> I read this wiki
>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs  This line:
>>>> "To use the advanced features of Samba, it has to be compiled with ACL
>>>> support (e. g. RHEL requires the libacl-devel to be installed, when
>>>> compiling)." confused me.
>>>>
>>> Would you have understood this better:
>>>
>>> To use the advanced features of Samba, it needs to have been compiled with
>>> ACL support. As far as is known, all available Samba 4 packages are
>>> compiled in this way. Unfortunately there are no Samba 4 RHEL AD DC distro
>>> packages available at this time, so if you require to install an AD DC on a
>>> RHEL based system you will need to compile Samba4 yourself, or use the
>>> Sernet packages. If you do compile Samba 4, you will need to install the
>>> relevant libacl development package for your distro (e.g. RHEL requires the
>>> libacl-devel package to be installed).
>>>
>>> Rowland
>>>
>>>
>>>
>>>>          How can I see the default options before run ./configure?
>>>>
>>>>
>>>>      ./configure --help
>>>>
>>>>      You usually don't have to add anything, unless you need to specify
>>>>      something that isn't a default or is different from the default
>>>>      i.e. use a different prefix.
>>>>
>>>>
>>>>
>>>>          Otherwise, I've a dot on my realm MY.LOCAL. but it was a
>>>>          mistake when I created this mail. I've the same problem without
>>>>          the dot. This dot was introduced because I've tried it using a
>>>>          dot without success.  So if I've
>>>>
>>>>          /etc/krb5.conf
>>>>          [libdefaults]
>>>>                  default_realm = MY.LOCAL
>>>>                  dns_lookup_realm = false
>>>>                  dns_lookup_kdc = true
>>>>
>>>>
>>>>          and then I run: kinit administrator@MY.LOCAL
>>>>          I get: kinit: Cannot contact any KDC for realm 'MY.LOCAL'
>>>>          while getting initial credentials
>>>>
>>>>
>>>>      Is your 'TLD' actually '.local' and if so, try stopping avahi
>>>>
>>>>
>>>> Yes, it's my TLD. I will check by stopping avahi. Perhaps .LOCAL is a bad
>>>> TLD for samba as I've read right now.
>>>>
>>>>      Is Samba running at this stage ? if it isn't, then your KDC isn't
>>>>      either.
>>>>
>>>>
>>>>   Samba is running. These 2 commands also work:
>>>> smbclient -L localhost -U%
>>>> smbclient //localhost/netlogon -UAdministrator -c 'ls'
>>>>
>>>>
>>>>
>>>>      Rowland
>>>>
>>>>      --     To unsubscribe from this list go to the following URL and read
>>>> the
>>>>      instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Lluís Danés
>>>>
>>>
>>
>>
> I ran into this problem on a member server. I searched but didn't find
> mention of Avahi and .local in the Wiki. Could this be added to
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> Under 'Testing Kerberos' as a note of possible failure? I wish I didn't
> use .local when I started.
>

I don't know just when you last looked at the wiki, but if you go to:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Look under the 'Preconditions' header, there is a link to the 'Active
Directory Naming FAQ':

https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ

There is a heading 'Using an invalid TLD', it is all explained there.

Rowland
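
An added example, not part of the original thread or the Samba project's code: a small Python check for the condition discussed above, a Kerberos realm under `.local` on a host whose name service switch hands `.local` names to mDNS (Avahi's nss-mdns) before DNS. The krb5.conf fragment is the one quoted in the thread; the nsswitch.conf lines are constructed samples and the function names are hypothetical.

```python
import re

# krb5.conf fragment as quoted in the thread.
KRB5_CONF = """\
[libdefaults]
        default_realm = MY.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""
# Constructed samples: a hosts line with nss-mdns installed, and one without.
NSSWITCH_MDNS = "hosts: files mdns4_minimal [NOTFOUND=return] dns\n"
NSSWITCH_PLAIN = "hosts: files dns\n"

def krb5_libdefaults(text):
    """Return the [libdefaults] key/value pairs of a krb5.conf as a dict."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def mdns_shadows_dns(nsswitch_text):
    """True if an mdns module with [NOTFOUND=return] precedes 'dns' for hosts."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        tokens = line[len("hosts:"):].split()
        for i, tok in enumerate(tokens):
            if tok == "dns":
                return False  # DNS is consulted before any mDNS short-circuit
            nxt = tokens[i + 1].upper() if i + 1 < len(tokens) else ""
            if tok.startswith("mdns") and nxt == "[NOTFOUND=RETURN]":
                return True
    return False

def check(krb5_text, nsswitch_text):
    """Return a list of findings for the .local / mDNS conflict."""
    realm = krb5_libdefaults(krb5_text).get("default_realm", "").rstrip(".")
    findings = []
    if realm.lower().split(".")[-1] == "local":
        findings.append(f"realm {realm} uses the .local TLD, reserved for mDNS")
        if mdns_shadows_dns(nsswitch_text):
            findings.append("hosts line resolves .local via mDNS before DNS")
    return findings
```

On a real host, pass the contents of `/etc/krb5.conf` and `/etc/nsswitch.conf` to `check()`; an empty list means neither condition was found.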



