[Samba] Samba KDC not running
Juan Garcia
juan at ish.com.au
Mon Sep 5 08:34:44 UTC 2016
Hi,
I have an issue that involves the KDC; it is quite complex so I'll try to
be really specific.
I was running Samba42 with a secondary server replicating, and all was
working fine. After we upgraded to Samba43 we started having issues:
1. Replication wasn't working anymore, error (WERR_LOGON_FAILURE)
2. Kerberos is also broken. The Primary DC wouldn't allow me to do a
kinit administrator, error:
krb5_get_init_creds: Client (administrator@DOMAIN.NAME) unknown
3. When I try to run klist I get this error:
klist: No ticket file: /tmp/krb5cc_0
In the logs I have found the following errors:
samba_dnsupdate: RuntimeError: kinit for SERVER1$@DOMAIN.NAME failed (Client not found in Kerberos database)
So my issue is that the DNS is also broken, so users are authenticating
login against server2 and the fileshare on server1.
I found out about this because I ran:
# host -t SRV _ldap._tcp.dc._msdcs.DOMAIN.NAME
_ldap._tcp.dc._msdcs.domain.name has SRV record 0 100 389 server2.domain.name.
So basically I have to create users on both servers, one for login to the
workstation and the other to connect to the fileshare, as it is bound to
its IP address and the data is on server1.
My /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.NAME
dns_lookup_realm = false
dns_lookup_kdc = true
My /etc/nsswitch
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
I have also found that on server one the task (kdc) is not running when
I do a ps ax:
Server1
39850 - Ss 0:00.45 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
39856 - I 0:00.00 samba: task[s3fs_parent] (samba)
39857 - S 0:00.51 samba: task[dcesrv] (samba)
39859 - S 0:00.00 samba: task wrepl server_id[39859] (samba)
39860 - S 0:03.31 samba: task[ldapsrv] (samba)
39861 - S 0:00.01 samba: task[cldapd] (samba)
39863 - S 0:00.88 samba: task[dreplsrv] (samba)
39864 - I 0:00.01 samba: task[winbindd_parent] (samba)
39865 - S 0:00.01 samba: task[ntp_signd] (samba)
39867 - S 0:00.63 samba: task[kccsrv] (samba)
39868 - S 0:00.07 samba: task[dnsupdate] (samba)
39869 - S 0:00.12 samba: task[dns] (samba)
Server2
30986 - Ss 0:00.48 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
30987 - I 0:00.00 samba: task[s3fs_parent] (samba)
30988 - S 0:51.85 samba: task[dcesrv] (samba)
30990 - S 0:00.01 samba: task wrepl server_id[30990] (samba)
30991 - S 0:49.22 samba: task[ldapsrv] (samba)
30992 - S 0:19.96 samba: task[cldapd] (samba)
30993 - S 3:53.15 samba: task[kdc] (samba)
30994 - R 40:23.14 samba: task[dreplsrv] (samba)
30995 - I 0:00.00 samba: task[winbindd_parent] (samba)
30996 - S 0:00.01 samba: task[ntp_signd] (samba)
30998 - I 0:03.72 samba: task[kccsrv] (samba)
30999 - I 0:00.42 samba: task[dnsupdate] (samba)
31000 - S 0:00.16 samba: task[dns] (samba)
I've been working on this for about 8 hours today and I have run out of
ideas. This looks quite complex; do you guys have any other ideas or
tests I can run to determine first why the KDC is not running on Server1 or
how to get it back? I appreciate your help.
Thanks,
--
Juan Garcia
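
An added example, not part of the original post: a small sh check that pulls the samba task names out of ps ax output and lists the tasks that run on a reference DC but are absent on the DC under test. The sample input is an excerpt of the ps lines quoted in the message above; the function and variable names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. All names here are hypothetical.

# Excerpt of the `ps ax` lines quoted in the post (sample input).
SERVER1_PS='39850 - Ss 0:00.45 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
39857 - S 0:00.51 samba: task[dcesrv] (samba)
39859 - S 0:00.00 samba: task wrepl server_id[39859] (samba)
39860 - S 0:03.31 samba: task[ldapsrv] (samba)
39869 - S 0:00.12 samba: task[dns] (samba)'

SERVER2_PS='30986 - Ss 0:00.48 /usr/local/sbin/samba --daemon --configfile=/usr/local/etc/smb4.conf
30988 - S 0:51.85 samba: task[dcesrv] (samba)
30990 - S 0:00.01 samba: task wrepl server_id[30990] (samba)
30991 - S 0:49.22 samba: task[ldapsrv] (samba)
30993 - S 3:53.15 samba: task[kdc] (samba)
31000 - S 0:00.16 samba: task[dns] (samba)'

# Read ps output on stdin, print the sorted unique samba task names.
# Handles both title forms seen in the post:
#   "samba: task[kdc]"  and  "samba: task wrepl server_id[39859]"
# The parent "samba --daemon" line has no task title and is skipped.
samba_tasks() {
    sed -n \
        -e 's/.*samba: task\[\([^]]*\)\].*/\1/p' \
        -e 's/.*samba: task \([^ ]*\) server_id\[.*/\1/p' | LC_ALL=C sort -u
}

# $1 = ps output of the reference DC, $2 = ps output of the DC under test.
# Prints every task that runs on the reference but not on the DC under test.
missing_tasks() {
    ref=$(printf '%s\n' "$1" | samba_tasks)
    cur=$(printf '%s\n' "$2" | samba_tasks)
    for t in $ref; do
        printf '%s\n' "$cur" | grep -qxF "$t" || echo "$t"
    done
}

# Server2 is the reference, Server1 is the DC being checked.
missing_tasks "$SERVER2_PS" "$SERVER1_PS"
```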