[Samba] kinit: Cannot contact any KDC for realm 'MY.LOCAL.' while getting initial credentials

James lingpanda101 at gmail.com
Tue Sep 15 15:54:24 UTC 2015


On 9/15/2015 10:42 AM, Rowland Penny wrote:
> On 15/09/15 13:58, James wrote:
>> On 9/15/2015 8:30 AM, Lluís Danés wrote:
>>> Solved! It was related to .local TLD. (perhaps avahi (I have an
>>> avahi-daemon running)... I don't know since I have never used it and I
>>> don't know what it is)
>>>
>>> Since I've replaced it with a new one (ad.example.com using EXAMPLE NetBIOS
>>> domain) all works again and kinit administrator@AD.EXAMPLE.COM works
>>> again.
>>>
>>> Thanks
>>>
>>>
>>> 2015-09-15 12:21 GMT+02:00 Rowland Penny
>>> <rowlandpenny241155 at gmail.com>:
>>>
>>>> On 15/09/15 10:59, Lluís Danés wrote:
>>>>
>>>>> 2015-09-15 11:39 GMT+02:00 Rowland Penny
>>>>> <rowlandpenny241155 at gmail.com
>>>>> <mailto:rowlandpenny241155 at gmail.com>>:
>>>>>
>>>>>      On 15/09/15 09:40, Lluís Danés wrote:
>>>>>
>>>>>          Well, I downloaded it manually without using git. I've
>>>>>          compiled it with the "--with-acl-support" because I thought it
>>>>>          was not included as default (I remember that I read it from
>>>>>          the wiki that it was said to build samba by yourself if you
>>>>>          want to use windows ACL's).
>>>>>
>>>>>
>>>>>      Can you remember just where on the wiki it said that?
>>>>>      You can use distro packages (well except red-hat packages and only
>>>>>      then if you want to setup a DC) or the packages from Sernet.
>>>>>
>>>>>
>>>>> I read this wiki
>>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs  This line:
>>>>> "To use the advanced features of Samba, it has to be compiled with ACL
>>>>> support (e. g. RHEL requires the libacl-devel to be installed, when
>>>>> compiling)." confused me.
>>>>>
>>>> Would you have understood this better:
>>>>
>>>> To use the advanced features of Samba, it needs to have been compiled with
>>>> ACL support. As far as is known, all available Samba 4 packages are
>>>> compiled in this way. Unfortunately there are no Samba 4 RHEL AD DC distro
>>>> packages available at this time, so if you require to install an AD DC on a
>>>> RHEL based system you will need to compile Samba4 yourself, or use the
>>>> Sernet packages. If you do compile Samba 4, you will need to install the
>>>> relevant libacl development package for your distro (e.g. RHEL requires the
>>>> libacl-devel package to be installed).
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>>>          How can I see the default options before running ./configure?
>>>>>
>>>>>
>>>>>      ./configure --help
>>>>>
>>>>>      You usually don't have to add anything, unless you need to specify
>>>>>      something that isn't a default or is different from the default
>>>>>      i.e. use a different prefix.
>>>>>
>>>>>
>>>>>
>>>>>          Otherwise, I've a dot on my realm MY.LOCAL. but it was a
>>>>>          mistake when I created this mail. I've the same problem without
>>>>>          the dot. This dot was introduced because I've tried it using a
>>>>>          dot without success.  So if I've
>>>>>
>>>>>          /etc/krb5.conf
>>>>>          [libdefaults]
>>>>>                  default_realm = MY.LOCAL
>>>>>                  dns_lookup_realm = false
>>>>>                  dns_lookup_kdc = true
>>>>>
>>>>>
>>>>>          and then I run: kinit administrator@MY.LOCAL
>>>>>          I get: kinit: Cannot contact any KDC for realm 'MY.LOCAL'
>>>>>          while getting initial credentials
>>>>>
>>>>>
>>>>>      Is your 'TLD' actually '.local' and if so, try stopping avahi
>>>>>
>>>>>
>>>>> Yes, it's my TLD. I will check by stopping avahi. Perhaps .LOCAL is a bad
>>>>> TLD for samba as I've read right now.
>>>>>
>>>>>      Is Samba running at this stage? If it isn't, then your KDC isn't
>>>>>      either.
>>>>>
>>>>>
>>>>>   Samba is running. These 2 commands also work:
>>>>> smbclient -L localhost -U%
>>>>> smbclient //localhost/netlogon -UAdministrator -c 'ls'
>>>>>
>>>>>
>>>>>
>>>>>      Rowland
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Lluís Danés
>>>>>
>>>>
>>>
>>>
>> I ran into this problem on a member server. I searched but didn't find
>> mention of Avahi and .local in the Wiki. Could this be added to
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>
>>
>> Under 'Testing Kerberos' as a note of possible failure? I wish I didn't
>> use .local when I started.
>>
>
> I don't know just when you last looked at the wiki, but if you go to:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
>
> Look under the 'Preconditions' header, there is a link to the 'Active
> Directory Naming FAQ' :
>
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ
>
> There is a heading 'Using an invalid TLD', it is all explained there.
>
> Rowland
>
>
I was searching the wiki for 'avahi' and saw no mention. There is a bit
of a contradiction in this section.

"*It is possible that the invalid TLD you are now using, could become a
valid TLD in the future.* While .local is reserved by ICANN, the TLD
system is currently scheduled to undergo a vast expansion of the generic
TLD (gTLD) it supports, from 22 to over a thousand new names. This trend
is likely to continue. "

It appears to me they leave the door open for someone choosing '.local'
as a TLD.

-- 
-James
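
Added example, not part of the thread or of Samba's documentation: a shell check for the situation discussed above, a krb5.conf whose default_realm sits under .local on a host that tries mDNS before unicast DNS. The nsswitch.conf `hosts:` line with `mdns4_minimal [NOTFOUND=return]` ahead of `dns` is an assumption (the usual nss-mdns/Avahi setup; the thread does not show that file), and the function names and sample files are constructed for the example.

```sh
#!/bin/sh
# Added example: flag a Kerberos realm under .local on a host where mDNS
# (nss-mdns, used with Avahi) is consulted before unicast DNS.

# Print default_realm from a krb5.conf-style file.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if the realm's last label is "local" (any case, trailing dot ignored).
realm_is_dot_local() {
    r=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "${r%.}" in
        *.local) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the hosts: line of an nsswitch.conf lists an mdns* module before dns.
mdns_before_dns() {
    awk '$1 == "hosts:" {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^mdns/) { found = 1; exit }
            if ($i == "dns") exit
        }
    } END { exit !found }' "$1"
}

# $1 = krb5.conf, $2 = nsswitch.conf.
# Returns 0 = ok, 1 = realm under .local, 2 = realm under .local and mDNS tried first.
check_local_realm() {
    realm=$(krb5_default_realm "$1")
    realm_is_dot_local "$realm" || { echo "ok: realm '$realm' is not under .local"; return 0; }
    if mdns_before_dns "$2"; then
        echo "conflict: realm '$realm' is under .local and mDNS is tried before DNS"
        return 2
    fi
    echo "warn: realm '$realm' is under .local"
    return 1
}

# Constructed sample files: krb5.conf as quoted in the thread, nsswitch.conf assumed.
SAMPLE_DIR=$(mktemp -d)
printf '[libdefaults]\n\tdefault_realm = MY.LOCAL\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$SAMPLE_DIR/krb5.conf"
printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$SAMPLE_DIR/nsswitch.conf"
check_local_realm "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/nsswitch.conf" || true
```

On a real host, pass `/etc/krb5.conf` and `/etc/nsswitch.conf` to `check_local_realm`.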


