[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.

Rowland Penny rpenny at samba.org
Mon Jun 6 15:08:38 UTC 2022


On Mon, 2022-06-06 at 07:00 -0700, Matthew Schumacher via samba wrote:
> Hello All,
> 
> I have a number of samba servers acting like RODC controllers and every
> few days samba exits because the MIT KDC Daemon dies with exit status 11:
> 
> [2022/06/04 21:14:29.561323,  0] ../../source4/dsdb/kcc/scavenge_dns_records.c:523(dns_delete_tombstones)
>    dns_delete_tombstones: Failed to delete dns node
>    kccsrv_dns_zone_tombstone_deletion: DNS tombstone deletion failed: NT_STATUS_INTERNAL_ERRORkccsrv_periodic_run: kccsrv_dns_zone_tombstone_scavenging failed - NT_STATUS_INTERNAL_ERROR
> : Address family not supported by protocol The MIT KDC daemon died with exit status 11
> : Address family not supported by protocol task_server_terminate: task_server_terminate: [mitkdc child process exited]
> [2022/06/05 20:18:54.520080,  0] ../../source4/samba/server.c:391(samba_terminate)
>    samba_terminate: samba_terminate of samba 714: mitkdc child process exited
> 
> in the mit_kdc.log I see:
> 
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 172.23.77.6: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for krbtgt/ad.domain.net at ad.domain.net, No matching key in entry
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): closing down fd 21
> 
> I'm using samba-4.16.1 and krb5-1.19.3.  Any thoughts on how to debug
> this issue so that I can report a bug to at least keep it running?
> 
> I can compile an alternate kerberos daemon and rebuild samba against it,
> but it's my understanding that AD mode only works with MIT kerberos.
> 
> schu

You might want to read this:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

Where you will find that using MIT is classed as experimental and
running Samba with MIT as an RODC isn't supported.

Rowland
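
An added example, not part of the thread and not Samba or MIT Kerberos code: a small Python triage helper for krb5kdc request lines like the one quoted from mit_kdc.log above. It lists each failed request with the client address, the KDC's error text and any etypes the KDC marked DEPRECATED or UNSUPPORTED. The function names and the rejoined sample lines are assumptions made for this example.

```python
import re

# Shape of a krb5kdc AS_REQ/TGS_REQ log line, as seen in the quoted mit_kdc.log.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# One etype entry: optional DEPRECATED:/UNSUPPORTED: flag, optional name, number.
ETYPE_RE = re.compile(
    r"(?:(?P<flag>DEPRECATED|UNSUPPORTED):)?(?P<name>[\w-]*)\((?P<num>-?\d+)\)"
)

def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    etypes = [
        {"flag": e["flag"], "name": e["name"] or None, "num": int(e["num"])}
        for e in ETYPE_RE.finditer(m["etypes"])
    ]
    # MIT krb5 logs "ISSUE" when a ticket is granted; anything else is a failure.
    failed = m["status"] != "ISSUE"
    # On failure the error text follows the last ", " of the line.
    error = m["rest"].rsplit(", ", 1)[-1] if failed else None
    return {"req": m["req"], "addr": m["addr"], "status": m["status"],
            "failed": failed, "error": error, "etypes": etypes}

def failures(lines):
    """Yield (client address, error, flagged etype numbers) per failed request."""
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["failed"]:
            yield rec["addr"], rec["error"], [
                e["num"] for e in rec["etypes"] if e["flag"]]

# Constructed sample: the two log lines from the post with the mail
# wrapping undone ("at" is the list archive's rendering of "@").
SAMPLE = [
    "Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): TGS_REQ (5 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), "
    "UNSUPPORTED:(-135)}) 172.23.77.6: PROCESS_TGS: authtime 0, etypes "
    "{rep=UNSUPPORTED:(0)} <unknown client> for "
    "krbtgt/ad.domain.net at ad.domain.net, No matching key in entry",
    "Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): closing down fd 21",
]

if __name__ == "__main__":
    for addr, error, flagged in failures(SAMPLE):
        print(f"{addr}: {error}; flagged etypes {flagged}")
```

Run over the full mit_kdc.log, the last failure before each `closing down fd` line gives the request and client address to attach to a bug report.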




