Topic: [SOLVED] Unable to reach any KDC

argais

[SOLVED] Unable to reach any KDC
« on: January 30, 2013, 02:44:31 pm »
I downloaded the latest Zentyal ISO (3.0-1) from the website and did a clean install of everything to see if I can finally get this working.

I followed step by step the instructions on http://trac.zentyal.org/wiki/Documentation/Community/Development/singlez on a brand new VM and set up my main server.

Joined a windows 8 computer to the domain to test and it worked just fine.

Then I followed the steps on http://trac.zentyal.org/wiki/Documentation/Community/Development/multiplez and set up my second box. When I get to the point where I enable the file sharing module I get the error message "The following modules failed while saving their changes, their state is unknown: samba", so I check the last couple of lines of /var/log/zentyal/zentyal.log and see this:

Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm MYREALM.LAN

I've followed the instructions to the letter, so DNS is set up properly, both are on the same domain with different hostnames, and they can ping each other by hostname just fine.

I am really at a loss about what to do to get this working. If I can't get it to work even following the devs' directions, what should I do?
« Last Edit: January 31, 2013, 04:53:55 pm by argais »

argais

Re: Unable to reach any KDC
« Reply #1 on: January 30, 2013, 02:50:58 pm »
A more complete log entry:
Code:
2013/01/30 11:47:08 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: samba
2013/01/30 11:47:08 INFO> Samba.pm:958 EBox::Samba::__ANON__ - Joining to domain 'myrealm.lan' as DC
2013/01/30 11:47:08 INFO> Samba.pm:974 EBox::Samba::__ANON__ - Trying to contact 'servidor-001.myrealm.lan'
2013/01/30 11:47:08 INFO> Samba.pm:986 EBox::Samba::__ANON__ - Trying to get a kerberos ticket for principal 'my.adminuser@MYREALM.LAN'
2013/01/30 11:47:08 ERROR> Sudo.pm:234 EBox::Sudo::_rootError - root command kinit -e arcfour-hmac-md5 --password-file='/var/lib/zentyal/tmp/VihChz' my.adminuser@MYREALM.LAN failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm MYREALM.LAN

Command output: .
Exit value: 1
2013/01/30 11:47:08 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: dns
2013/01/30 11:47:10 ERROR> GlobalImpl.pm:643 EBox::GlobalImpl::__ANON__ - Failed to save changes in module samba: root command kinit -e arcfour-hmac-md5 --password-file='/var/lib/zentyal/tmp/VihChz' my.adminuser@MYREALM.LAN failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm MYREALM.LAN

Command output: .
Exit value: 1
2013/01/30 11:47:10 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: dns
2013/01/30 11:47:11 INFO> Base.pm:229 EBox::Module::Base::save - Restarting service for module: logs
2013/01/30 11:47:12 ERROR> GlobalImpl.pm:700 EBox::GlobalImpl::saveAllModules - The following modules failed while saving their changes, their state is unknown: samba

christian

  • Guest
Re: Unable to reach any KDC
« Reply #2 on: January 30, 2013, 02:59:45 pm »
Did you check time alignment? (NTP ;))

argais

Re: Unable to reach any KDC
« Reply #3 on: January 30, 2013, 03:03:24 pm »
Yup. The main server has NTP running and the secondary server is set to sync with the main one.
I also checked manually on the terminal.

jbahillo

  • Zentyal Staff
Re: Unable to reach any KDC
« Reply #4 on: January 30, 2013, 04:35:58 pm »
Hello argais:

Perhaps you should nmap/telnet/check connectivity with the KDC server on port 88 by hand. If there is no connectivity, then check the firewall, routing tables, etc.

Cheers

argais

Re: Unable to reach any KDC
« Reply #5 on: January 30, 2013, 04:48:26 pm »
You are right, the port is closed, but why does Zentyal define the Kerberos service on ports 8880 and 8464 by default on the firewall?

argais

Re: Unable to reach any KDC
« Reply #6 on: January 30, 2013, 04:59:40 pm »
So on both servers I created a service called Kerberos Ticket, assigned port 88 TCP/UDP to it, and under Firewall -> Packet Filtering -> Internal networks to Zentyal I made a new rule allowing any source to this new service. nmap from one server to the other still shows the port as closed :/

iptables -L -n shows (relevant part):
Code:
Chain iglobal (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:88 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:88 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:69 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6895 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:88 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:88 state NEW


nmap from the main server to the secondary server:
Code:
Not shown: 987 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   open   domain
88/tcp   closed kerberos-sec
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
389/tcp  closed ldap
443/tcp  open   https
445/tcp  closed microsoft-ds
464/tcp  closed kpasswd5
636/tcp  closed ldapssl
1024/tcp closed kdm
3268/tcp closed globalcatLDAP
3269/tcp closed globalcatLDAPssl


From the secondary to the main server:
Code:
Not shown: 987 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   open   domain
88/tcp   closed kerberos-sec
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
389/tcp  open   ldap
443/tcp  open   https
445/tcp  open   microsoft-ds
464/tcp  closed kpasswd5
636/tcp  open   ldapssl
1024/tcp open   kdm
3268/tcp open   globalcatLDAP
3269/tcp open   globalcatLDAPssl

dejanfc

Re: Unable to reach any KDC
« Reply #7 on: January 31, 2013, 08:34:47 am »
On my install I had to recreate every service in DNS -> Services; it's basically a copy-paste job of the default configuration. For some reason I couldn't get it to work without this. http://i.imgur.com/GDpLJoM.jpg

If you check the DNS entries for _kerberos._tcp, it will list the default one as port 88 with a weight of 0, even though it's listed as 8880 - 100 on the config screen.
« Last Edit: January 31, 2013, 08:36:21 am by dejanfc »
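A checker that ties together the two diagnostics in this thread, jbahillo's port-88 connectivity test and dejanfc's SRV weight/port mismatch. It is an added example, not Zentyal's own code: it orders the _kerberos/_kpasswd SRV records the way a Kerberos client does (lowest priority first, then highest weight) and flags any record that advertises a non-standard port or points at a TCP endpoint that cannot be reached. The sample records are constructed from the values in the thread; the hostnames and the 8464 port are assumptions.

```python
import socket
from dataclasses import dataclass

# Ports a Kerberos client expects behind the standard SRV names (RFC 4120 / RFC 4752 conventions).
EXPECTED_PORTS = {"_kerberos._tcp": 88, "_kerberos._udp": 88,
                  "_kpasswd._tcp": 464, "_kpasswd._udp": 464}

@dataclass
class SrvRecord:
    name: str       # e.g. "_kerberos._tcp.myrealm.lan"
    priority: int
    weight: int
    port: int
    target: str     # hostname of the DC the record points at

def tcp_open(host, port, timeout=2.0):
    """Real probe: a TCP connect to host:port, the same thing 'telnet host 88' shows by hand."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def demo_probe(host, port):
    """Offline stand-in for tcp_open: models a DC where only the standard ports answer."""
    return port in (88, 464)

def order_kdcs(records):
    """RFC 2782 client selection order: lowest priority first, then highest weight."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def check_realm(records, probe=tcp_open):
    """Return findings in client try-order; an empty list means every KDC is on a standard, reachable port."""
    findings = []
    for r in order_kdcs(records):
        service = ".".join(r.name.split(".")[:2])   # "_kerberos._tcp.myrealm.lan" -> "_kerberos._tcp"
        expected = EXPECTED_PORTS.get(service)
        if expected is not None and r.port != expected:
            findings.append(f"{r.name}: advertises {r.target}:{r.port} (weight {r.weight}), expected port {expected}")
        if service.endswith("._tcp") and not probe(r.target, r.port):   # UDP cannot be probed by connect()
            findings.append(f"{r.name}: {r.target}:{r.port} not reachable over TCP (firewall or service down)")
    return findings

# Constructed from the thread: the 8880/weight-100 entry wins over the 88/weight-0 entry.
SAMPLE_RECORDS = [
    SrvRecord("_kerberos._tcp.myrealm.lan", 0, 100, 8880, "servidor-001.myrealm.lan"),
    SrvRecord("_kerberos._tcp.myrealm.lan", 0, 0, 88, "servidor-001.myrealm.lan"),
    SrvRecord("_kpasswd._tcp.myrealm.lan", 0, 100, 8464, "servidor-001.myrealm.lan"),  # assumed port
]

if __name__ == "__main__":
    for line in check_realm(SAMPLE_RECORDS, probe=demo_probe):   # swap in tcp_open for a live check
        print(line)
```

With the records as configured in the thread the client tries servidor-001:8880 first and never falls back to the weight-0 port-88 entry, which is why kinit reports no reachable KDC even though the DC is up.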

argais

Re: Unable to reach any KDC
« Reply #8 on: January 31, 2013, 12:00:53 pm »
Thanks dejanfc, I'll try that. It just boggles my mind why this wouldn't be set up to work by default @_@ :-\

argais

[SOLVED] Unable to reach any KDC
« Reply #9 on: January 31, 2013, 12:41:15 pm »
Worked just fine now, my secondary box can connect to the main one without a single hitch.

Any devs that could comment on why we need to enter those duplicate entries?

argais

Re: Unable to reach any KDC
« Reply #10 on: January 31, 2013, 01:44:17 pm »
Removed the solved tag, because while I can reach the KDC now, it is not syncing anything after the initial sync, and I found new errors in the log that might be related to it... or not...

Code:
2013/01/31 10:38:34 INFO> Samba.pm:788 EBox::Samba::importSysvolFromDC - Syncing sysvol from 'servidor-001.myrealm.lan'
2013/01/31 10:38:34 ERROR> Sudo.pm:234 EBox::Sudo::_rootError - root command set -e
kinit --keytab=/var/lib/samba/private/secrets.keytab GATEWAY-01$
mount.cifs //servidor-001.myrealm.lan/sysvol /tmp/sysvolxi_Q -o sec=krb5i,ro
mount --make-unbindable /tmp/sysvolxi_Q
rsync -av --delete --exclude 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory' /tmp/sysvolxi_Q/ /var/lib/samba/sysvol/ failed.
Error output: kinit: krb5_get_init_creds: Client (GATEWAY-01$@MYREALM.LAN) unknown

Command output: .
Exit value: 1
2013/01/31 10:38:34 ERROR> Samba.pm:811 EBox::Samba::__ANON__ - Could not sync sysvol from servidor-001.escriba.com.br: root command set -e
kinit --keytab=/var/lib/samba/private/secrets.keytab GATEWAY-01$
mount.cifs //servidor-001.myrealm.lan/sysvol /tmp/sysvolxi_Q -o sec=krb5i,ro
mount --make-unbindable /tmp/sysvolxi_Q
rsync -av --delete --exclude 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory' /tmp/sysvolxi_Q/ /var/lib/samba/sysvol/ failed.
Error output: kinit: krb5_get_init_creds: Client (GATEWAY-01$@MYREALM.LAN) unknown

Command output: .
Exit value: 1
2013/01/31 10:38:34 ERROR> Sudo.pm:234 EBox::Sudo::_rootError - root command umount '/tmp/sysvolxi_Q' failed.
Error output: umount: /tmp/sysvolxi_Q: not mounted

Command output: .
Exit value: 1
2013/01/31 10:38:34 INFO> Samba.pm:728 EBox::Samba::resetSysvolACL - Reseting sysvol ACLs to defaults

servidor-001 is the main server.
gateway-01 is the secondary server.

This log is from /var/log/zentyal/zentyal.log on gateway-01.

argais

Re: Unable to reach any KDC
« Reply #11 on: January 31, 2013, 02:07:57 pm »
The error message repeats itself around every 10 minutes. I suppose it happens when gateway-01 tries to sync with servidor-001.

argais

Re: Unable to reach any KDC
« Reply #12 on: January 31, 2013, 04:53:35 pm »
A service restart solved the issue, just like windows :P

meaje

Re: Unable to reach any KDC
« Reply #13 on: April 22, 2014, 03:04:43 pm »
On my install I had to recreate every service in DNS -> Services; it's basically a copy-paste job of the default configuration. For some reason I couldn't get it to work without this. http://i.imgur.com/GDpLJoM.jpg

If you check the DNS entries for _kerberos._tcp, it will list the default one as port 88 with a weight of 0, even though it's listed as 8880 - 100 on the config screen.

I'm seeing something really similar, I think, and was wondering how I would go about recreating the DNS SRV records for my domain? I'm using Zentyal 3.4 as a fresh install.

Thanks in advance  :-)
--Jeff M

aarcos

Re: [SOLVED] Unable to reach any KDC
« Reply #14 on: December 17, 2015, 07:07:48 pm »
The same problem on a Zentyal 4.0 DC with OpenChange: cannot connect DC-OpenChange with Outlook 2003 on Windows 8.1.

Port 135 was closed even though samba was running; after restarting the service, port 135 appears open and the connection works fine!!