[Samba] Problems running kinit on a (wannabe) secondary DC

Rowland Penny rpenny at samba.org
Thu Jul 14 07:23:13 UTC 2022

On Thu, 2022-07-14 at 08:43 +0200, Lorenzo Milesi via samba wrote:
> I've installed a DC on Ubuntu 20.04 with Samba 4.15 using Van Belle's
> repos.
> The DC is used for LDAP auth and working fine. It hasn't been tested
> for Windows clients auth, yet.
> I'm attempting to configure a secondary DC, on a remote VPS with the
> same specs as above, but I'm unable to initialize kerberos
> communications. On the client I get the "classic" 'Cannot contact any
> KDC for realm ... while getting initial credentials', while from
> debug I'm unable to figure out what's going bad.
> Active DC: Samba 4.15.7-Ubuntu (dc-contabo)
> Secondary DC: Samba 4.15.7-Ubuntu (dc-lan)

No, that is: first DC and another DC, all DCs are equal except for the
FSMO roles.

> root@dc-lan:~# KRB5_TRACE=/dev/stdout kinit Administrator
> [987] 1657780070.241479: Getting initial credentials for Administrator@WDC.DOMAIN.IT
> kinit: Cannot contact any KDC for realm 'WDC.DOMAIN.IT' while getting
> initial credentials

Obviously your prospective second DC cannot contact your first DC.

> Primary smb.conf:
> # Global parameters
> [global]
>         dns forwarder =
>         netbios name = DC-CONTABO
>         realm = WDC.DOMAIN.IT
>         server role = active directory domain controller
>         workgroup = DOMAIN
>         allow dns updates = disabled

Why have you disabled dns updates?

>         interfaces = eth1
>         bind interfaces only = yes
>         server services = -dns

As you seem to be using Bind9, why is a dns forwarder set?

Can you ping the first DC from the second DC?

I suggest you go here: 

Download the script and run it on both your DCs and post the output
into a reply to this.
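
The settings questioned in the reply above, as an added example that is not part of the original message or of Samba: a small Python check that parses the quoted `[global]` section and flags them. The finding names are invented for illustration, and the interface check is an extra that the reply does not raise.

```python
# Added example (not from the thread): flag the smb.conf settings the reply asks about.
# SAMPLE_CONF is the excerpt quoted above; finding names are illustrative.
SAMPLE_CONF = """\
[global]
        dns forwarder =
        netbios name = DC-CONTABO
        realm = WDC.DOMAIN.IT
        server role = active directory domain controller
        workgroup = DOMAIN
        allow dns updates = disabled
        interfaces = eth1
        bind interfaces only = yes
        server services = -dns
"""

def norm(name):
    """smb.conf ignores case and whitespace in parameter names."""
    return "".join(name.lower().split())

def parse_global(text):
    """Return the [global] parameters keyed by normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            params[norm(key)] = value.strip()
    return params

def lint_dc_conf(text):
    """Return a list of finding names for one smb.conf text."""
    p = parse_global(text)
    get = lambda name: p.get(norm(name), "")
    findings = []
    # 'dns forwarder' is read by Samba's internal DNS server, which '-dns' disables
    if "-dns" in get("server services").replace(",", " ").split() and norm("dns forwarder") in p:
        findings.append("forwarder-without-internal-dns")
    if get("allow dns updates").lower() == "disabled":
        findings.append("dns-updates-disabled")
    # extra check: with 'bind interfaces only', Samba listens only on these interfaces
    if get("bind interfaces only").lower() in ("yes", "true", "1") and get("interfaces"):
        findings.append("listens-only-on:" + ",".join(get("interfaces").split()))
    return findings
```

Calling `lint_dc_conf(SAMPLE_CONF)` returns all three findings for the configuration quoted in the thread.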

