[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.

Robert Marcano robert at marcanoonline.com
Mon Jun 6 14:58:03 UTC 2022

On 6/6/22 10:00 AM, Matthew Schumacher via samba wrote:
> Hello All,
> I have a number of samba servers acting like RODC controllers and every 
> few days samba exits because the MIT KDC Daemon dies with exit status 11:
> [2022/06/04 21:14:29.561323,  0] 
> ../../source4/dsdb/kcc/scavenge_dns_records.c:523(dns_delete_tombstones)
>    dns_delete_tombstones: Failed to delete dns node
>    kccsrv_dns_zone_tombstone_deletion: DNS tombstone deletion failed: 
> NT_STATUS_INTERNAL_ERRORkccsrv_periodic_run: 
> kccsrv_dns_zone_tombstone_scavenging failed - NT_STATUS_INTERNAL_ERROR
> : Address family not supported by protocol The MIT KDC daemon died with 
> exit status 11
> : Address family not supported by protocol task_server_terminate: 
> task_server_terminate: [mitkdc child process exited]
> [2022/06/05 20:18:54.520080,  0] 
> ../../source4/samba/server.c:391(samba_terminate)
>    samba_terminate: samba_terminate of samba 714: mitkdc child process 
> exited
> in the mit_kdc.log I see:
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): TGS_REQ (5 etypes 
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
> DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), 
> UNSUPPORTED:(-135)}) PROCESS_TGS: authtime 0, etypes 
> {rep=UNSUPPORTED:(0)} <unknown client> for 
> krbtgt/ad.domain.net at ad.domain.net, No matching key in entry
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): closing down fd 21
> I'm using samba-4.16.1 and krb5-1.19.3.  Any thoughts on how to debug 
> this issue so that I can report a bug to at least keep it running?
> I can compile an alternate kerberos daemon and rebuild samba against it, 
> but it's my understanding that AD mode only works with MIT kerberos.

No Samba AD works with an embedded copy of Heimdal Kerberos too, this is 
the default and most tested configuration. The MIT configuration flag 
for AD support is experimental.

If your server is a production on I encourage you to use the more tested 
configuration, otherwise testing the MIT backend is a good thing and 
reporting bugs and tracking them is good IMHO.

More information about the samba mailing list