[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.

Matthew Schumacher matt.s at aptalaska.net
Wed Jun 8 23:05:49 UTC 2022

On 6/7/22 12:27 AM, Rowland Penny via samba wrote:
>> Thanks for the reply.
>> I looked for documentation on how to convert from MIT to Heimdal,
>> but
>> didn't see anything.  Can I simply rebuild and re-deploy or do I need
>> to
>> demote each domain controller then add it back in again?
>> Thanks,
>> schu
> Just add another DC that uses Heimdal and then demote one of your
> existing DCs, repeat until you have no DCs running MIT.
> Rowland

I took some time to recompile and test out.  This page 
suggests you call kinit before you join the domain but kinit is from 
my OS now since kerberos is internal.  I think this might have something 
to do with the next error which is I can't join the domain with 
I get the following:

root at auth:/var/lib/samba/private# samba-tool domain join 
admin.domain.net DC -U"ADMIN\administrator" --dns-backend=BIND9_DLZ 
--server masterdc
Password for [ADMIN\administrator]:
INFO 2022-06-08 21:58:18,008 pid:750 
/usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is ADMIN
INFO 2022-06-08 21:58:18,008 pid:750 
/usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is 
Adding CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Adding CN=NTDS 
Adding SPNs to CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Setting account password for AUTH$
Enabling account
Adding DNS account CN=dns-AUTH,CN=Users,DC=admin,DC=domain,DC=net with 
dns/ SPN
Join failed - cleaning up
Deleted CN=AUTH,OU=Domain Controllers,DC=admin,DC=domain,DC=net
Deleted CN=NTDS 
ERROR(ldb): uncaught exception - LDAP error 80 LDAP_OTHER - <00000523: 
SysErr: DSID-031A1255, problem 22 (Invalid argument), data 0
 > <>
   File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", 
line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python3.9/site-packages/samba/netcmd/domain.py", 
line 702, in run
     join_DC(logger=logger, server=server, creds=creds, lp=lp, 
   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1543, 
in join_DC
   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 1431, 
in do_join
   File "/usr/lib64/python3.9/site-packages/samba/join.py", line 780, in 

If I join the domain without BIND9, it works fine, but it appears to 
skip the DNS install:

samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" 
--server masterdc

What is interesting is that I can demote this controller then immediately 
add it back with bind9:

samba-tool domain demote  -U"ADMIN\administrator" --server masterdc
samba-tool domain join admin.domain.net DC -U"ADMIN\administrator" 
--dns-backend=BIND9_DLZ --server masterdc

It works, but samba binds its own internal DNS to port 53 and bind9 
can't be started.  I also figured out that if I add a krb5.conf file in 
my samba/private directory I can get it to join the domain even with 
"--dns-backend=BIND9_DLZ" but the result is the same in that samba 
appears to use its own DNS server.

Is there a way to use the internal kerberos and external DNS or should I 
try to setup bind as a caching forwarder to internal DNS bound to a 
different IP or port?

I looked around in the documentation but didn't see anything obvious 
regarding how different DNS systems depend on different Kerberos systems.


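Added check, not part of the thread above and not Samba project code: whether the samba process will start its internal DNS server (and so take port 53 away from BIND9) is governed by the `server services` parameter in the [global] section of smb.conf. Per smb.conf(5), entries prefixed with `+` or `-` add to or remove from the default service list, while an unprefixed list replaces it. The script below parses an smb.conf string and reports whether `dns` is still in the effective list. The default service list is assumed to be the one documented in smb.conf(5) for the Samba version in use, and the two sample configurations are constructed for illustration; the `-dns` line in the second one is the documented way to keep the internal DNS server off. Confirm the effective value on a real DC with testparm.

```python
"""Check whether an smb.conf leaves Samba's internal DNS server enabled.

Added example, not from the mailing-list thread and not Samba code.
Handles the '+svc' / '-svc' adjustment syntax of 'server services'.
"""
import re

# Default 'server services' list as documented in smb.conf(5).
# Assumption: this matches the Samba release in use; confirm with testparm.
DEFAULT_SERVICES = [
    "s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc", "drepl",
    "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns",
]


def parse_global(conf_text):
    """Return {normalised_param: value} for the [global] section only."""
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Parameter names are case-insensitive and ignore internal whitespace.
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def effective_services(conf_text):
    """Apply 'server services' to the default list and return the result."""
    value = parse_global(conf_text).get("serverservices")
    if value is None:
        return list(DEFAULT_SERVICES)
    tokens = value.replace(",", " ").split()
    if not tokens:
        return list(DEFAULT_SERVICES)
    # Assumption: when every entry is prefixed, the list adjusts the
    # defaults; an unprefixed list replaces the defaults outright.
    if all(t[0] in "+-" for t in tokens):
        services = list(DEFAULT_SERVICES)
        for t in tokens:
            name = t[1:]
            if t[0] == "-":
                services = [s for s in services if s != name]
            elif name not in services:
                services.append(name)
        return services
    return tokens


def internal_dns_enabled(conf_text):
    """True if samba itself would bind port 53 with this configuration."""
    return "dns" in effective_services(conf_text)


# Constructed sample configurations (not taken from the thread).
CONF_INTERNAL_DNS = """
[global]
    realm = ADMIN.DOMAIN.NET
    workgroup = ADMIN
    server role = active directory domain controller
    dns forwarder = 192.0.2.53
"""

CONF_BIND9 = """
[global]
    realm = ADMIN.DOMAIN.NET
    workgroup = ADMIN
    server role = active directory domain controller
    # Keep the internal DNS server off so BIND9 (BIND9_DLZ) can own port 53.
    server services = -dns
"""

if __name__ == "__main__":
    for label, conf in (("internal", CONF_INTERNAL_DNS), ("bind9", CONF_BIND9)):
        state = "ENABLED (samba will bind :53)" if internal_dns_enabled(conf) \
            else "disabled (BIND9 may bind :53)"
        print(f"{label}: internal DNS {state}")
```

The first configuration has no `server services` line, so the default list, which includes `dns`, applies and the internal server will claim port 53; the second removes `dns` from the defaults and leaves BIND9 free to start.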