Matthew Schumacher
2022-Jun-06 14:00 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
Hello All,

I have a number of samba servers acting like RODC controllers and every
few days samba exits because the MIT KDC Daemon dies with exit status 11:

[2022/06/04 21:14:29.561323,  0]
../../source4/dsdb/kcc/scavenge_dns_records.c:523(dns_delete_tombstones)
  dns_delete_tombstones: Failed to delete dns node
  kccsrv_dns_zone_tombstone_deletion: DNS tombstone deletion failed:
NT_STATUS_INTERNAL_ERRORkccsrv_periodic_run:
kccsrv_dns_zone_tombstone_scavenging failed - NT_STATUS_INTERNAL_ERROR
: Address family not supported by protocol The MIT KDC daemon died with
exit status 11
: Address family not supported by protocol task_server_terminate:
task_server_terminate: [mitkdc child process exited]
[2022/06/05 20:18:54.520080,  0]
../../source4/samba/server.c:391(samba_terminate)
  samba_terminate: samba_terminate of samba 714: mitkdc child process
exited

in the mit_kdc.log I see:

Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): TGS_REQ (5 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135)}) 172.23.77.6: PROCESS_TGS: authtime 0, etypes
{rep=UNSUPPORTED:(0)} <unknown client> for
krbtgt/ad.domain.net at ad.domain.net, No matching key in entry
Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): closing down fd 21

I'm using samba-4.16.1 and krb5-1.19.3.  Any thoughts on how to debug
this issue so that I can report a bug to at least keep it running?

I can compile an alternate kerberos daemon and rebuild samba against it,
but it's my understanding that AD mode only works with MIT kerberos.

schu
Robert Marcano
2022-Jun-06 14:58 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On 6/6/22 10:00 AM, Matthew Schumacher via samba wrote:
> Hello All,
>
> I have a number of samba servers acting like RODC controllers and every
> few days samba exits because the MIT KDC Daemon dies with exit status 11:
>
> [2022/06/04 21:14:29.561323,  0]
> ../../source4/dsdb/kcc/scavenge_dns_records.c:523(dns_delete_tombstones)
>   dns_delete_tombstones: Failed to delete dns node
>   kccsrv_dns_zone_tombstone_deletion: DNS tombstone deletion failed:
> NT_STATUS_INTERNAL_ERRORkccsrv_periodic_run:
> kccsrv_dns_zone_tombstone_scavenging failed - NT_STATUS_INTERNAL_ERROR
> : Address family not supported by protocol The MIT KDC daemon died with
> exit status 11
> : Address family not supported by protocol task_server_terminate:
> task_server_terminate: [mitkdc child process exited]
> [2022/06/05 20:18:54.520080,  0]
> ../../source4/samba/server.c:391(samba_terminate)
>   samba_terminate: samba_terminate of samba 714: mitkdc child process
> exited
>
> in the mit_kdc.log I see:
>
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): TGS_REQ (5 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
> UNSUPPORTED:(-135)}) 172.23.77.6: PROCESS_TGS: authtime 0, etypes
> {rep=UNSUPPORTED:(0)} <unknown client> for
> krbtgt/ad.domain.net at ad.domain.net, No matching key in entry
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): closing down fd 21
>
> I'm using samba-4.16.1 and krb5-1.19.3.  Any thoughts on how to debug
> this issue so that I can report a bug to at least keep it running?
>
> I can compile an alternate kerberos daemon and rebuild samba against it,
> but it's my understanding that AD mode only works with MIT kerberos.

No, Samba AD works with an embedded copy of Heimdal Kerberos too; this is
the default and most tested configuration. The MIT configuration flag for
AD support is experimental.

If your server is a production one, I encourage you to use the more tested
configuration; otherwise testing the MIT backend is a good thing, and
reporting bugs and tracking them is good IMHO.
Rowland Penny
2022-Jun-06 15:08 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On Mon, 2022-06-06 at 07:00 -0700, Matthew Schumacher via samba wrote:
> Hello All,
>
> I have a number of samba servers acting like RODC controllers and
> every
> few days samba exits because the MIT KDC Daemon dies with exit status
> 11:
>
> [2022/06/04 21:14:29.561323,  0]
> ../../source4/dsdb/kcc/scavenge_dns_records.c:523(dns_delete_tombston
> es)
>   dns_delete_tombstones: Failed to delete dns node
>   kccsrv_dns_zone_tombstone_deletion: DNS tombstone deletion
> failed:
> NT_STATUS_INTERNAL_ERRORkccsrv_periodic_run:
> kccsrv_dns_zone_tombstone_scavenging failed -
> NT_STATUS_INTERNAL_ERROR
> : Address family not supported by protocol The MIT KDC daemon died
> with
> exit status 11
> : Address family not supported by protocol task_server_terminate:
> task_server_terminate: [mitkdc child process exited]
> [2022/06/05 20:18:54.520080,  0]
> ../../source4/samba/server.c:391(samba_terminate)
>   samba_terminate: samba_terminate of samba 714: mitkdc child
> process
> exited
>
> in the mit_kdc.log I see:
>
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): TGS_REQ (5
> etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
> UNSUPPORTED:(-135)}) 172.23.77.6: PROCESS_TGS: authtime 0, etypes
> {rep=UNSUPPORTED:(0)} <unknown client> for
> krbtgt/ad.domain.net at ad.domain.net, No matching key in entry
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): closing down
> fd 21
>
> I'm using samba-4.16.1 and krb5-1.19.3.  Any thoughts on how to
> debug
> this issue so that I can report a bug to at least keep it running?
>
> I can compile an alternate kerberos daemon and rebuild samba against
> it,
> but it's my understanding that AD mode only works with MIT kerberos.
>
> schu

You might want to read this:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

Where you will find that using MIT is classed as experimental and
running Samba with MIT as an RODC isn't supported.
Rowland