Hi Rowland,

I made the change you suggested to auto refresh Kerberos. It didn't seem to fix the issue unfortunately, even after a machine restart. Following your line of reasoning that it is a Kerberos issue, I then tried to grab a new Kerberos ticket on the server in question, which appears to fail though. Perhaps this gives some further insight?

pi@fs1:~ $ kinit administrator@samdom.example.com
Password for administrator@samdom.example.com:
kinit: KDC reply did not match expectations while getting initial credentials

Thanks
Stephen
On Fri, 5 Apr 2019 15:53:53 +0100
Stephen via samba <samba@lists.samba.org> wrote:

> Hi Rowland, I made the change you suggested to auto refresh kerberos.
> It didn't seem to fix the issue unfortunately, even after a machine
> restart. Following your line of reasoning that it is a Kerberos
> issue, I then tried to grab a new kerberos ticket on the server in
> question which appears to fail though. Perhaps this gives some
> further insight?
>
> pi@fs1:~ $ kinit administrator@samdom.example.com
> Password for administrator@samdom.example.com:
> kinit: KDC reply did not match expectations while getting initial
> credentials
>

Yes, it tells me you do not really understand Kerberos :-)

rowland@devstation:$ kinit administrator@samdom.example.com
Password for administrator@samdom.example.com:
kinit: KDC reply did not match expectations while getting initial credentials
rowland@devstation:$ kinit administrator@SAMDOM.EXAMPLE.COM
Password for administrator@SAMDOM.EXAMPLE.COM:
rowland@devstation:$

Whenever you enter the REALM, you must enter it in UPPERCASE.

Can you post the following files:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

Is the time on all the domain machines the same?

Rowland
> Can you post the following files:
>
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf

pi@fs1:/var/log/apache2 $ cat /etc/resolv.conf
# Generated by resolvconf
search samdom.example.com
nameserver 192.168.1.229
nameserver 192.168.1.228
nameserver X.X.X.X
nameserver X.X.X.X
nameserver 8.8.8.8

pi@fs1:/var/log/apache2 $ cat /etc/hostname
fs1

pi@fs1:/var/log/apache2 $ cat /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

192.168.1.229   ad1.samdom.example.com ad1
192.168.1.228   ad2.samdom.example.com ad2
192.168.1.227   fs1.samdom.example.com fs1

pi@fs1:/var/log/apache2 $ cat /etc/krb5.conf
[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

> Is the time on all the domain machines the same?

pi@fs1:/var/log/apache2 $ date
Fri  5 Apr 16:22:36 BST 2019

pi@ad1:~ $ date
Fri  5 Apr 16:22:25 BST 2019

Thanks
Stephen Ellwood
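The three things this thread turns on (realm case, what krb5.conf says about the realm, and clock skew between the member server and the DC) can be checked mechanically before reaching for kinit. The script below is an added example, not code from the thread or from the Samba project: it uppercases the realm part of a principal the way Rowland does by hand, inspects a krb5.conf for a default_realm that is not uppercase or that has no [realms] stanza (in which case MIT Kerberos must find the KDCs through DNS SRV records, which is exactly what the resolv.conf above leaves to a mix of internal and public resolvers), and flags a clock difference larger than the usual 5 minute Kerberos tolerance. The two sample krb5.conf files it writes are constructed for the example; the "fixed" one assumes, based only on the /etc/hosts file posted above, that ad1 and ad2 are the domain controllers.

```shell
#!/bin/sh
# Added example, not from the Samba thread. Requires POSIX sh, awk, tr.

# Uppercase the realm part of user@realm. Realms are compared
# case-sensitively, which is why "administrator@samdom.example.com"
# gets "KDC reply did not match expectations" while the uppercase form works.
normalize_principal() {
    case "$1" in
        *@*) printf '%s@%s\n' "${1%@*}" \
                 "$(printf '%s' "${1##*@}" | tr '[:lower:]' '[:upper:]')" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Inspect a krb5.conf. Prints "ok", or a reason and returns 1.
# Only the "REALM = {" stanza form is recognised (as in the Debian default file).
check_krb5_conf() {
    f="$1"
    realm=$(awk -F'=' '/^[[:space:]]*default_realm[[:space:]]*=/ {
                gsub(/[[:space:]]/, "", $2); print $2; exit }' "$f")
    if [ -z "$realm" ]; then
        echo "no default_realm in $f"; return 1
    fi
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "default_realm '$realm' is not uppercase"; return 1
    fi
    if ! awk -v r="$realm" '
            /^\[/ { insec = ($0 ~ /^\[realms\]/) }
            insec && $1 == r && $2 == "=" && $3 == "{" { found = 1 }
            END { exit !found }' "$f"; then
        echo "no [realms] stanza for $realm (KDCs must then come from DNS SRV records)"
        return 1
    fi
    echo ok
}

# Compare two epoch timestamps (e.g. from "date +%s" on each host).
# The KDC rejects requests whose timestamp is off by more than 300 s by default.
check_skew() {
    d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( -d ))
    if [ "$d" -gt 300 ]; then echo "skew ${d}s exceeds 300s"; return 1; fi
    echo "skew ${d}s ok"
}

# Constructed sample resembling the thread's file: realm is uppercase but
# the only [realms] entries are the distribution defaults.
sample_krb5_conf_broken() {
    cat > "$1" <<'EOF'
[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_kdc = true
[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
        }
[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
EOF
}

# Constructed sample with an explicit stanza for the domain. Assumption:
# ad1/ad2 from the posted /etc/hosts are the DCs.
sample_krb5_conf_fixed() {
    cat > "$1" <<'EOF'
[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_kdc = true
[realms]
        SAMDOM.EXAMPLE.COM = {
                kdc = ad1.samdom.example.com
                kdc = ad2.samdom.example.com
                admin_server = ad1.samdom.example.com
        }
[domain_realm]
        .samdom.example.com = SAMDOM.EXAMPLE.COM
        samdom.example.com = SAMDOM.EXAMPLE.COM
EOF
}

demo() {
    normalize_principal 'administrator@samdom.example.com'
    t=$(mktemp)
    sample_krb5_conf_broken "$t"; check_krb5_conf "$t" || :
    sample_krb5_conf_fixed "$t";  check_krb5_conf "$t"
    rm -f "$t"
    check_skew 1554477756 1554477745   # 16:22:36 vs 16:22:25 BST from the thread
}
if [ "${KRBCHECK_DEMO:-0}" = 1 ]; then demo; fi
```

Run with `KRBCHECK_DEMO=1 sh krbcheck.sh`. On a real member server, feed `check_krb5_conf /etc/krb5.conf` and compare `date +%s` from the server with the same command run on the DC; an 11 second difference like the one above is well within tolerance, so a failing `kinit` there points at the realm spelling or at DNS, not at time.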