Hi Rowland,

I made the change you suggested to auto refresh Kerberos. It didn't seem to fix the issue unfortunately, even after a machine restart. Following your line of reasoning that it is a Kerberos issue, I then tried to grab a new Kerberos ticket on the server in question, which appears to fail though. Perhaps this gives some further insight?

pi@fs1:~ $ kinit administrator@samdom.example.com
Password for administrator@samdom.example.com:
kinit: KDC reply did not match expectations while getting initial credentials

Thanks
Stephen
On Fri, 5 Apr 2019 15:53:53 +0100
Stephen via samba <samba@lists.samba.org> wrote:

> Hi Rowland, I made the change you suggested to auto refresh kerberos.
> It didn't seem to fix the issue unfortunately, even after a machine
> restart. Following your line of reasoning that it is a Kerberos
> issue, I then tried to grab a new kerberos ticket on the server in
> question which appears to fail though. Perhaps this gives some
> further insight?
>
> pi@fs1:~ $ kinit administrator@samdom.example.com
> Password for administrator@samdom.example.com:
> kinit: KDC reply did not match expectations while getting initial
> credentials
>

Yes, it tells me you do not really understand Kerberos :-)

rowland@devstation:$ kinit administrator@samdom.example.com
Password for administrator@samdom.example.com:
kinit: KDC reply did not match expectations while getting initial credentials
rowland@devstation:$ kinit administrator@SAMDOM.EXAMPLE.COM
Password for administrator@SAMDOM.EXAMPLE.COM:
rowland@devstation:$

Whenever you enter the REALM, you must enter it in UPPERCASE.

Can you post the following files:
/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

Is the time on all the domain machines the same?

Rowland
> Can you post the following files:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf

pi@fs1:/var/log/apache2 $ cat /etc/resolv.conf
# Generated by resolvconf
search samdom.example.com
nameserver 192.168.1.229
nameserver 192.168.1.228
nameserver X.X.X.X
nameserver X.X.X.X
nameserver 8.8.8.8
pi@fs1:/var/log/apache2 $ cat /etc/hostname
fs1
pi@fs1:/var/log/apache2 $ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.229 ad1.samdom.example.com ad1
192.168.1.228 ad2.samdom.example.com ad2
192.168.1.227 fs1.samdom.example.com fs1
pi@fs1:/var/log/apache2 $ cat /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
> Is the time on all the domain machines the same?

pi@fs1:/var/log/apache2 $ date
Fri 5 Apr 16:22:36 BST 2019
pi@ad1:~ $ date
Fri 5 Apr 16:22:25 BST 2019
Thanks
Stephen Ellwood
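The two checks Rowland asks for in the thread above, the realm spelling in the principal and the clock skew between domain members, as an added POSIX shell example that is not part of the thread and not Samba's own tooling. The function names are mine; the 300 second tolerance is the MIT Kerberos default clockskew, and the sample timestamps are the two `date` outputs Stephen posted (both hosts in BST, so wall-clock times are directly comparable).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks to run on a
# domain member before kinit, covering the two points raised above.

# Print the principal with its realm part forced to uppercase, which is
# the form the KDC expects (user part is left untouched).
fix_principal() {
    user=${1%@*}
    realm=${1#*@}
    printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# Return 0 if the realm part of the principal is already uppercase.
realm_is_upper() {
    realm=${1#*@}
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Convert a wall-clock time HH:MM:SS to seconds since midnight.
# Leading zeros are stripped so "08" is not parsed as octal.
hms_to_seconds() {
    IFS=: read -r h m s <<EOF
$1
EOF
    h=${h#0}; m=${m#0}; s=${s#0}
    echo $((h * 3600 + m * 60 + s))
}

# Return 0 if two timestamps (seconds) differ by no more than the
# Kerberos tolerance, 300 s by default (MIT krb5 clockskew default).
skew_ok() {
    a=$1; b=$2; max=${3:-300}
    if [ "$a" -gt "$b" ]; then d=$((a - b)); else d=$((b - a)); fi
    [ "$d" -le "$max" ]
}

# Demo with the values from the thread: the lowercase realm Stephen
# typed, and the clocks on fs1 (16:22:36) and ad1 (16:22:25).
fix_principal administrator@samdom.example.com
if skew_ok "$(hms_to_seconds 16:22:36)" "$(hms_to_seconds 16:22:25)"; then
    echo "clock skew within Kerberos tolerance"
else
    echo "clock skew too large for Kerberos"
fi
```

On a real domain member you would feed `skew_ok` the output of `date +%s` from the member and from a DC; anything beyond the tolerance produces a KDC error even when the realm is spelled correctly.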