[Samba] kinit failure

Rowland Penny rpenny at samba.org
Tue May 14 07:21:28 UTC 2024


On Tue, 14 May 2024 17:18:28 +1200
"Samba @ Pegasusnz via samba" <samba at lists.samba.org> wrote:

> 
> 
> > On 10 May 2024, at 11:55 PM, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > 
> > On Fri, 10 May 2024 23:19:32 +1200
> > "Samba @ Pegasusnz via samba" <samba at lists.samba.org> wrote:
> > 
> >> Luckily I had a backup of the DC image which I
> >> restored 
> > 
> > In an instance like this, you should be backing up the domain with
> > samba-tool, not backing up an individual DC. If you had a domain
> > backup, you could recreate your domain.
> > But you have what you have.
> 
> I do have a backup of the domain but since I was moving VMs around I
> thought this option would be easier 

If you have a catastrophic failure, then I would suggest rebuilding the
domain from a domain backup is the best option. To be honest, I would
never restore a single DC from a backup, I would forcibly demote the
dead DC and create a new one.

> > 
> >> and some machines just worked and some can’t find KDC
> >> kinit: Cannot contact any KDC for realm 'BALEWAN.UNICORN.COM'
> >> while getting initial credentials
> >> I have tried leaving the domain and deleting the computer if it
> >> still remained on the DC. I have installed samba and friends, but
> >> on some machines this has not fixed the problem
> >> 
> >> DC2 is online 192.168.50.15
> > 
> > I suggest you do this:
> > 
> > Seize all the FSMO roles to DC2, if it doesn't already hold them.
> > Forcibly demote any other DCs and then join new ones to replace
> > them.
> 
> That is what I had already done
> 
> > 
> >> DC9 is offline 192.168.50.17
> >> DC4 is trashed
> >> 
> >> On the machines that fail to rejoin, they normally time out and give
> >> this error
> >> 
> >> ERROR(runtime): uncaught exception - (31, 'Failed to set machine spn: Time limit exceeded\nDo you have sufficient permissions to create machine accounts?')
> >>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
> >>     return self.run(*args, **kwargs)
> >>            ^^^^^^^^^^^^^^^^^^^^^^^^^
> >>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 121, in run
> >>     (sid, domain_name) = s3_net.join_member(netbios_name,
> >>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 
> > Any domain clients that are not working should be removed by running
> > 'net ads leave -U administrator' and then joined again with 'net ads
> > join -U administrator' (after you have checked that they can
> > connect to a DC)
> 
> It turns out that there is strange behaviour in Virtual Box Debian 12
> Virtual box servers running on the same host seem to have problems
> talking securely. It seems if they have established a connection with
> a previous version they will continue to chat
> 
> Not only does it affect kinit but ssh hangs as well

I wasn't aware of that, will have to look into it.

> 
> I reset the mtu with
> ip link set mtu 1400 dev enp0s3
> 
> And boom kinit and ssh suddenly work
> 
> Also I wanted to deploy a new DC with an updated domain name but

Samba doesn't support changing the domain name.

Rowland


