Hi,
I have an issue that involves the KDC; it is quite complex, so I'll try to
be really specific.
I was running Samba42 with a secondary server replicating, and all was
working fine. After we upgraded to Samba43 we started having these issues:
1. Replication wasn't working anymore, error (WERR_LOGON_FAILURE)
2. Kerberos is also broken. The Primary DC wouldn't allow me to do a
kinit administrator, error:
krb5_get_init_creds: Client (administrator at DOMAIN.NAME) unknown
3. When I try to run klist I get this error:
klist: No ticket file: /tmp/krb5cc_0
In the logs I have found the following errors:
samba_dnsupdate: RuntimeError: kinit for SERVER1$@DOMAIN.NAME failed
(Client not found in Kerberos database)
So my issue is that the DNS is also broken: users are authenticating their
login against server2 while the fileshare is on server1.
I found out about this because I ran:
#host -t SRV _ldap._tcp.dc._msdcs.DOMAIN.NAME
_ldap._tcp.dc._msdcs.domain.name has SRV record 0 100 389
server2.domain.name.
So basically I have to create users on both servers, one for login to the
workstation and the other to connect to the fileshare, as it is bound to
its IP address and the data is on server1.
My /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.NAME
dns_lookup_realm = false
dns_lookup_kdc = true
My /etc/nsswitch
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
I have also found that on server1 the task[kdc] is not running when
I run ps ax:
Server1
39850 - Ss 0:00.45 /usr/local/sbin/samba --daemon
--configfile=/usr/local/etc/smb4.conf
39856 - I 0:00.00 samba: task[s3fs_parent] (samba)
39857 - S 0:00.51 samba: task[dcesrv] (samba)
39859 - S 0:00.00 samba: task wrepl server_id[39859] (samba)
39860 - S 0:03.31 samba: task[ldapsrv] (samba)
39861 - S 0:00.01 samba: task[cldapd] (samba)
39863 - S 0:00.88 samba: task[dreplsrv] (samba)
39864 - I 0:00.01 samba: task[winbindd_parent] (samba)
39865 - S 0:00.01 samba: task[ntp_signd] (samba)
39867 - S 0:00.63 samba: task[kccsrv] (samba)
39868 - S 0:00.07 samba: task[dnsupdate] (samba)
39869 - S 0:00.12 samba: task[dns] (samba)
Server2
30986 - Ss 0:00.48 /usr/local/sbin/samba --daemon
--configfile=/usr/local/etc/smb4.conf
30987 - I 0:00.00 samba: task[s3fs_parent] (samba)
30988 - S 0:51.85 samba: task[dcesrv] (samba)
30990 - S 0:00.01 samba: task wrepl server_id[30990] (samba)
30991 - S 0:49.22 samba: task[ldapsrv] (samba)
30992 - S 0:19.96 samba: task[cldapd] (samba)
30993 - S 3:53.15 samba: task[kdc] (samba)
30994 - R 40:23.14 samba: task[dreplsrv] (samba)
30995 - I 0:00.00 samba: task[winbindd_parent] (samba)
30996 - S 0:00.01 samba: task[ntp_signd] (samba)
30998 - I 0:03.72 samba: task[kccsrv] (samba)
30999 - I 0:00.42 samba: task[dnsupdate] (samba)
31000 - S 0:00.16 samba: task[dns] (samba)
I've been working on this for about 8 hours today and I have run out of
ideas. This looks quite complex; do you guys have any other ideas or
tests I can run to determine first why the KDC is not running on Server1 or
how to get it back? I appreciate your help.
Thanks,
--
Juan Garcia
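The two findings in the post above (a DC whose samba process list has no task[kdc], and a DC missing from the _ldap._tcp.dc._msdcs SRV record set) can be turned into a repeatable health check that is run on each DC before and after an upgrade. The following script is an added example and is not part of the thread or of Samba itself. It embeds constructed copies of the ps and host output shown in the post so it runs offline; the helper names (has_kdc_task, srv_targets, dc_advertised, check_dc) and the domain suffix domain.name are assumptions for illustration. In real use the two variables would be fed from `ps ax` and `host -t SRV _ldap._tcp.dc._msdcs.DOMAIN.NAME` on each DC.

```shell
#!/bin/sh
# Added example, not from the thread: per-DC health check for the two
# symptoms reported above. Assumed helper names; constructed sample data.

# Constructed ps output mirroring the post: server1 lacks task[kdc],
# server2 has it. Replace with real `ps ax` output in practice.
PS_SERVER1='39850 - Ss 0:00.45 /usr/local/sbin/samba --daemon
39857 - S 0:00.51 samba: task[dcesrv] (samba)
39860 - S 0:03.31 samba: task[ldapsrv] (samba)
39869 - S 0:00.12 samba: task[dns] (samba)'

PS_SERVER2='30986 - Ss 0:00.48 /usr/local/sbin/samba --daemon
30991 - S 0:49.22 samba: task[ldapsrv] (samba)
30993 - S 3:53.15 samba: task[kdc] (samba)
31000 - S 0:00.16 samba: task[dns] (samba)'

# Constructed `host -t SRV _ldap._tcp.dc._msdcs.domain.name` output:
# only server2 is advertised, as in the post.
SRV_OUTPUT='_ldap._tcp.dc._msdcs.domain.name has SRV record 0 100 389 server2.domain.name.'

# has_kdc_task PS_TEXT: succeeds if a "samba: task[kdc]" line is present
has_kdc_task() {
    printf '%s\n' "$1" | grep -q 'samba: task\[kdc\]'
}

# srv_targets SRV_TEXT: prints each SRV target host, lowercased, without
# the trailing dot that `host` prints
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print tolower($NF) }'
}

# dc_advertised SRV_TEXT FQDN: succeeds if FQDN is one of the SRV targets
dc_advertised() {
    srv_targets "$1" | grep -qx "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# check_dc NAME PS_TEXT SRV_TEXT: prints findings; returns 1 if any
# problem was found, so the result can drive monitoring
check_dc() {
    name=$1; ps_text=$2; srv_text=$3; rc=0
    if has_kdc_task "$ps_text"; then
        echo "$name: samba kdc task running"
    else
        echo "$name: WARNING no samba kdc task; kinit against this DC will fail"
        rc=1
    fi
    if dc_advertised "$srv_text" "$name.domain.name"; then
        echo "$name: advertised in _ldap._tcp.dc._msdcs SRV records"
    else
        echo "$name: WARNING missing from _ldap._tcp.dc._msdcs SRV records; clients will not locate it"
        rc=1
    fi
    return $rc
}

# Stand-alone run over the constructed data (server1 is expected to fail)
main() {
    status=0
    check_dc server1 "$PS_SERVER1" "$SRV_OUTPUT" || status=1
    check_dc server2 "$PS_SERVER2" "$SRV_OUTPUT" || status=1
    return $status
}
main || echo "one or more DC checks failed"
```

Both checks are read-only, so the script is safe to run from cron on every DC; a non-zero exit from check_dc is the signal to look at the samba log (at a raised log level, as suggested in the reply below) rather than at client-side kinit errors, which only show the downstream effect.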
On Mon, 2016-09-05 at 18:34 +1000, Juan Garcia via samba wrote:
> I've been working today about 8 hours on this and I have run out of
> ideas. This looks quite complex, do you guys have any other ideas or
> test I can run to determinate first why KDC is not running on Server1
> or
> how to get it back? I appreciate your help.

I suggest turning up the log level and see if there are any more clues.
Try eg 3, then 5 or 7 until you find something interesting.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba