Rowland Penny
2022-Jun-06 15:08 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On Mon, 2022-06-06 at 07:00 -0700, Matthew Schumacher via samba wrote:
> Hello All,
>
> I have a number of samba servers acting like RODC controllers and every
> few days samba exits because the MIT KDC Daemon dies with exit status 11:
>
> [2022/06/04 21:14:29.561323, 0]
> ../../source4/dsdb/kcc/scavenge_dns_records.c:523(dns_delete_tombstones)
> dns_delete_tombstones: Failed to delete dns node
> kccsrv_dns_zone_tombstone_deletion: DNS tombstone deletion failed:
> NT_STATUS_INTERNAL_ERRORkccsrv_periodic_run:
> kccsrv_dns_zone_tombstone_scavenging failed - NT_STATUS_INTERNAL_ERROR
> : Address family not supported by protocol The MIT KDC daemon died with
> exit status 11
> : Address family not supported by protocol task_server_terminate:
> task_server_terminate: [mitkdc child process exited]
> [2022/06/05 20:18:54.520080, 0]
> ../../source4/samba/server.c:391(samba_terminate)
> samba_terminate: samba_terminate of samba 714: mitkdc child process
> exited
>
> In the mit_kdc.log I see:
>
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): TGS_REQ (5 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
> UNSUPPORTED:(-135)}) 172.23.77.6: PROCESS_TGS: authtime 0, etypes
> {rep=UNSUPPORTED:(0)} <unknown client> for
> krbtgt/ad.domain.net at ad.domain.net, No matching key in entry
> Jun 05 20:18:54 host.ad.domain.net krb5kdc[753](info): closing down fd 21
>
> I'm using samba-4.16.1 and krb5-1.19.3. Any thoughts on how to debug
> this issue so that I can report a bug to at least keep it running?
>
> I can compile an alternate kerberos daemon and rebuild samba against it,
> but it's my understanding that AD mode only works with MIT kerberos.
>
> schu

You might want to read this:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

Where you will find that using MIT is classed as experimental and running Samba with MIT as an RODC isn't supported.

Rowland
Matthew Schumacher
2022-Jun-06 21:13 UTC
[Samba] Samba keeps crashing when in AD mode due to mitkdc exiting.
On 6/6/22 8:08 AM, Rowland Penny via samba wrote:
>
> You might want to read this:
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
> Where you will find that using MIT is classed as experimental and
> running Samba with MIT as an RODC isn't supported.
>
> Rowland
>

Thanks for the reply.

I looked for documentation on how to convert from MIT to Heimdal, but didn't see anything. Can I simply rebuild and re-deploy or do I need to demote each domain controller then add it back in again?

Thanks,
schu