Author Topic: zentyal no longer seeing KDC servers  (Read 374 times)

dashwell

zentyal no longer seeing KDC servers
« on: October 03, 2022, 09:47:43 pm »
My Zentyal box is no longer seeing the other servers for replication. If I go through samba-tools drs show-repl it reports it can't see the KDC servers on the domain controller.
Please can someone help me.


ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:hangarserver.dummy.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
Cannot reach a KDC we require to contact (null) : kinit for HANGARSERVER$@dummy.local failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/HANGARSERVER.dummy.local failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
Cannot reach a KDC we require to contact (null) : kinit for HANGARSERVER$@dummy.local failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/hangarserver.dummy.local failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Default-First-Site-Name\HANGARSERVER
DSA Options: 0x00000001
DSA object GUID: a14123e4-7784-4b37-bcc3-21a705a98a31
DSA invocationId: 86acb60f-bc0d-48ff-8686-a4929a99662c

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:00:53 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13313 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:02:39 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                15187 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

CN=Schema,CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:04:24 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                101163 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

DC=DomainDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:06:09 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13452 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:31 2021 SAST

DC=ForestDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 17:59:08 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13314 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:24:29 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                448611 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:36 2022 SAST

DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:25:09 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                828531 consecutive failure(s).
                Last success @ Wed Jan 12 12:21:00 2022 SAST

CN=Schema,CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:25:49 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                43778 consecutive failure(s).
                Last success @ Mon Feb 28 05:53:29 2022 SAST

DC=DomainDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:23:08 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                829934 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:35 2022 SAST

DC=ForestDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:23:48 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                816051 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:36 2022 SAST

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 8d40d461-5748-416f-ba56-453127e5f850
        Enabled        : TRUE
        Server DNS name : SERVER.dummy.local
        Server DN name  : CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dummy,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
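
A way to turn replication status like the output above into a per-link health check, as an added example that is not part of the original post and is not Zentyal or Samba code. The names `parse_showrepl` and `stale_links` are hypothetical, the input is assumed to follow the layout shown in the post, and the 180-day default is an assumed threshold (a common Active Directory tombstone lifetime) that should be set to your forest's value.

```python
import re
from datetime import datetime

# Constructed sample: entry 1 reuses values from the post, entry 2 (healthy) is made up.
SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=dummy,DC=local
        Default-First-Site-Name\\SERVER via RPC
                Last attempt @ Mon Oct  3 18:02:39 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                15187 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST
==== OUTBOUND NEIGHBORS ====
CN=Schema,CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\\SERVER via RPC
                Last attempt @ Mon Oct  3 21:25:49 2022 SAST was successful
                0 consecutive failure(s).
                Last success @ Mon Oct  3 21:25:49 2022 SAST
"""

STAMP = re.compile(r"Last (attempt|success) @ (\w+ \w+ +\d+ [\d:]+ \d{4})")
ERROR = re.compile(r"failed, result (\d+) \((\w+)\)")
COUNT = re.compile(r"^(\d+) consecutive failure")

def parse_showrepl(text):
    """Return one dict per replication neighbor found in showrepl-style text."""
    entries, direction, nc = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):  # banner; only NEIGHBORS sections carry status
            direction = line.split()[1].lower() if "NEIGHBORS" in line else None
        elif line and direction and not raw[0].isspace():
            nc = line  # unindented line: naming context DN
        elif direction and " via " in line:
            entries.append({"direction": direction, "nc": nc, "error": None,
                            "partner": line.rsplit(" via ", 1)[0]})
        elif direction and entries:
            if m := STAMP.search(line):  # timezone token is dropped, times stay local
                entries[-1][m.group(1)] = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")
            if m := ERROR.search(line):
                entries[-1]["error"] = m.group(2)
            if m := COUNT.match(line):
                entries[-1]["failures"] = int(m.group(1))
    return entries

def stale_links(entries, max_days=180):
    """(naming context, days since last success) for failing links older than max_days."""
    timed = [e for e in entries if e.get("failures") and "success" in e and "attempt" in e]
    gaps = [(e["nc"], (e["attempt"] - e["success"]).days) for e in timed]
    return [g for g in gaps if g[1] > max_days]
```

Entries with no parseable success timestamp are skipped by `stale_links` rather than guessed at, so review those by hand.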

turalyon

Re: zentyal no longer seeing KDC servers
« Reply #1 on: October 04, 2022, 12:34:06 pm »
Hi,

If you are using Zentyal 6.2 or 7.0, run the following script to get a system report and pay special attention to the Domain controller output:

Code:
sudo /usr/share/zentyal/smart-admin-report

NOTE: If you want to post the output here, make sure that you rename the sensitive information that the report might have.

However, according to the output, it seems that you do not have any additional domain controller in your environment.

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever”.

cforker

Re: zentyal no longer seeing KDC servers
« Reply #2 on: October 08, 2022, 06:41:59 pm »
Hi guys,

What are your symptoms on this issue, meaning I did a 22H2 upgrade on a Windows 11 joined machine connected to Zentyal 7.0. After that I get the message that my username and password aren't correct. Machines which couldn't update don't have these problems. Myself and also my clients do run many Windows 11 machines so this is a big problem at the moment. Is that related?

Chris
« Last Edit: October 08, 2022, 06:44:04 pm by cforker »

dashwell

Re: zentyal no longer seeing KDC servers
« Reply #3 on: October 20, 2022, 04:00:28 pm »
Quote from: turalyon on October 04, 2022, 12:34:06 pm
> Hi,
>
> If you are using Zentyal 6.2 or 7.0, run the following script to get a system report and pay special attention to the Domain controller output:
>
> Code:
> sudo /usr/share/zentyal/smart-admin-report
>
> NOTE: If you want to post the output here, make sure that you rename the sensitive information that the report might have.
>
> However, according to the output, it seems that you do not have any additional domain controller in your environment.
>
> --
>
> “This world is ours, and by the Holy Light we will keep it safe, now and forever”.

Good day, sorry that this reply has been so long...
This was a server joined to an existing AD domain to be part of the domain servers group.
Here is that report.
Subject: System report


##################
# GENERAL CHECKS #
##################

########
## Hostname
########

hangarserver.js.local

########
## Hosts
########

127.0.0.1       localhost.localdomain localhost
#127.0.1.1      hangarserver.js.local hangarserver
192.168.100.2   hangarserver.js.local hangarserver
192.168.0.1     server.js.local server
192.168.0.247   server1.js.local        server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

########
## Resolv
########

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 127.0.0.1
search js.local

########
## Version of Zentyal and Ubuntu
########

Zentyal 6.1.6
Ubuntu 18.04.6 LTS

########
## Zentyal's modules installed
########

ii zentyal-core 6.1.6
ii zentyal-dns 6.1.2
ii zentyal-firewall 6.1
ii zentyal-network 6.1.1
ii zentyal-ntp 6.1
ii zentyal-samba 6.1.2
ii zentyal-software 6.1.1

########
## Modules which are enabled
########

Zentyal module network:                 [ ENABLED ]
Zentyal module firewall:                        [ DISABLED ]
Zentyal module audit:                   [ DISABLED ]
Zentyal module dns:                     [ ENABLED ]
Zentyal module logs:                    [ ENABLED ]
Zentyal module ntp:                     [ ENABLED ]
Zentyal module samba:                   [ ENABLED ]
Zentyal module webadmin:                        [ ENABLED ]

########
## Zentyal Commercial Edition
########

The server doesn't have a license key.

########
## Uptime
########

Uptime's server: up 8 hours, 36 minutes

########
## Memory
########

Total memory: 15914 MB
Memory usage: 11.52%
SWAP usage: 0 MB

########
## CPU
########

Total cores:  4
CPU load average (1m,5m,15m): 2.23. 1.87. 1.83

########
## Hard Drives and partitions
########

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 465.8G  0 disk
├─sda1   8:1    0   512M  0 part /boot/efi
└─sda2   8:2    0 465.3G  0 part /
sdb      8:16   0   1.8T  0 disk
└─sdb1   8:17   0   1.8T  0 part /share
sr0     11:0    1  1024M  0 rom

## Disk usage:

Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/sda2      ext4      457G   73G  361G  17% /
/dev/sdb1      ext4      1.8T  1.5T  290G  84% /share
/dev/sda1      vfat      511M  9.6M  502M   2% /boot/efi

########
## Network Interfaces
########

## Interfaces available:

eth0

## IPs configured:

 eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.100.2/24 brd 192.168.100.255 scope global eth0

## Network Interfaces where were 'Down':

turalyon

Re: zentyal no longer seeing KDC servers
« Reply #4 on: October 21, 2022, 04:05:34 pm »
Hi,

The domain controller is missing in the output you provided. Basically, the following function must be executed so I can see if something is wrong with the domain controller module.

* https://github.com/zentyal/zentyal/blob/master/main/core/src/scripts/smart-admin-report#L194

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever”.