Author Topic: kinit error  (Read 1343 times)

kauto

  • Zen Apprentice
  • *
  • Posts: 1
  • Karma: +0/-0
kinit error
« on: February 09, 2017, 11:55:08 am »
Zentyal 5
I've been getting these errors when restarting DNS from the web interface. I'm also having issues after joining a Hyper-V server to the domain: I get "WinRM cannot process the request" when trying to add it in Hyper-V Manager.

ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-pdc failed.

ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-pdc failed.
Error output: Password has expired


BerT666

  • Zen Warrior
  • ***
  • Posts: 215
  • Karma: +6/-0
Re: kinit error
« Reply #1 on: February 13, 2017, 01:53:36 pm »
Hi

You should check whether the password (my guess: the Windows Administrator's) has expired...

Regards

Thomas

jgould

  • Zen Apprentice
  • *
  • Posts: 48
  • Karma: +6/-0
Re: kinit error
« Reply #2 on: June 13, 2017, 06:22:36 pm »
I'm getting this same error. The domain's "Administrator" account is set to never expire. Same with my domain admin account.

I noticed that the dns-[hostname] user account that was created when Zentyal was installed doesn't have its password set to never expire. I have no idea what the password was set to for this account, though, and I would expect Zentyal to configure the account CORRECTLY without intervention from the user.

I've also just noticed that the krbtgt account is "Disabled", and I'm not sure why exactly that would be the case. I know I didn't do it, though.

Anyone have a clue?

This is on a Zentyal server that has been upgraded through multiple versions. I actually just started up a fresh Zentyal 5 install with a Win10 PC as a client, and the DNS module restarted without error. So it sounds like either an issue caused through upgrades or time (and potentially an expiring password).

2017/06/13 12:10:25 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/13 12:10:27 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
2017/06/13 12:10:32 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
« Last Edit: June 13, 2017, 06:31:02 pm by jgould »

jgould

  • Zen Apprentice
  • *
  • Posts: 48
  • Karma: +6/-0
Re: kinit error
« Reply #3 on: June 14, 2017, 03:40:04 pm »
Seems like this is pretty widespread.
https://forum.zentyal.org/index.php?topic=30747.0
https://forum.zentyal.org/index.php/topic,30864.0.html

I did some testing and figured out a few things.

For my initial error, "Error output: Password has expired", I found that the user account (dns-[servername]) in AD Users and Computers didn't show as being locked or anything. HOWEVER, by going into the Attribute Editor (make sure everything is selected in Filter) I found two attributes:
msDS-User-Account-Control-Computed
msDS-UserPasswordExpiryTimeComputed
These two attributes had values set that made it seem like the password HAD expired. This user account (which is automatically generated during install) also doesn't have "Password never expires" set under Account -> Account options. So to test out a theory I checked the "Password never expires" and "Unlock account" options. I knew from experience that this enables the account using the original password, so it didn't need to be changed.

This seemed to remove the "Error output: Password has expired" error, but it then started to show the problem that other members are having. That being:
Exit value: 2 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/[randomfile] failed.
Error output: update failed: REFUSED

And any attempt I make to resolve this error using recommendations here in the linked threads or following the Samba wiki results in either STILL getting the REFUSED error or:
Error output: dns_tkey_negotiategss: TKEY is unacceptable
I even went as far as to follow THESE INSTRUCTIONS on the Samba Wiki, where you completely delete the dns.keytab file, delete the dns-[servername] user, switch the DNS backend to Samba and then back to Bind (due to a glitch in Samba not recreating the dns-[servername] user), and finally run samba_upgradedns --dns-backend=BIND9_DLZ. It still failed.

This results in the DNS module not being able to reload itself and the local machine (127.0.0.1) failing DNS updates (or at least it seems that way when the DNS module reload occurs and nsupdate fails to run). The logs seem to show that all my Windows PCs are still able to securely update DNS records, though.
« Last Edit: June 14, 2017, 03:45:58 pm by jgould »

sangamc

  • Zen Monk
  • **
  • Posts: 53
  • Karma: +2/-0
Re: kinit error
« Reply #4 on: August 29, 2019, 02:54:10 pm »
wow, 3 years later and we are still praying for a solution

doncamilo

  • Zen Warrior
  • ***
  • Posts: 168
  • Karma: +31/-0
Re: kinit error
« Reply #5 on: September 03, 2019, 05:55:59 pm »
 :)

sudo samba-tool user setexpiry dns-domainname --noexpiry

Cheers
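As an added example, not code from the thread or from Zentyal: this evaluates the two Attribute Editor values from Reply #3 (msDS-User-Account-Control-Computed and msDS-UserPasswordExpiryTimeComputed) the way the DC does before kinit reports "Password has expired", and shows the same account after the `--noexpiry` fix from Reply #5. The account values below are constructed; a real check would read them from the directory with an LDAP query.

```python
# Added example (not from the thread): evaluate the attributes Reply #3 found
# in the Attribute Editor. All sample account values below are constructed.
from datetime import datetime, timedelta, timezone

# userAccountControl / msDS-User-Account-Control-Computed flag bits (MS-ADTS)
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000

# msDS-UserPasswordExpiryTimeComputed is a FILETIME: 100 ns ticks since
# 1601-01-01 UTC. The maximum signed 64-bit value means "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF

def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware datetime, or None for 'never'."""
    if ft >= FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample values."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_state(uac, uac_computed, expiry_ft, now):
    """Return the account conditions that would stop a keytab kinit."""
    expiry = filetime_to_datetime(expiry_ft)
    never = bool(uac & UF_DONT_EXPIRE_PASSWD) or expiry is None
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "locked_out": bool(uac_computed & UF_LOCKOUT),
        "never_expires": never,
        "expires_at": expiry,
        # Either the DC already flagged it, or the computed time has passed.
        "expired": bool(uac_computed & UF_PASSWORD_EXPIRED)
                   or (not never and expiry <= now),
    }

# Constructed sample: a dns-<hostname> account whose password was last set in
# December 2016 under a 42-day maxPwdAge, inspected at the timestamp of the
# log in Reply #2. 0x200 is NORMAL_ACCOUNT.
NOW = datetime(2017, 6, 13, 12, 10, 32, tzinfo=timezone.utc)
SAMPLE_EXPIRY = datetime_to_filetime(datetime(2017, 1, 12, tzinfo=timezone.utc))
BEFORE = password_state(0x200, UF_PASSWORD_EXPIRED, SAMPLE_EXPIRY, NOW)

# Same account after `samba-tool user setexpiry <name> --noexpiry`, which sets
# UF_DONT_EXPIRE_PASSWD; the DC then computes the expiry time as "never".
AFTER = password_state(0x200 | UF_DONT_EXPIRE_PASSWD, 0, FILETIME_NEVER, NOW)

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(label, state)
```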