Zentyal Forum, Linux Small Business Server

Zentyal Server => Other modules => Topic started by: kauto on February 09, 2017, 11:55:08 am

Title: kinit error
Post by: kauto on February 09, 2017, 11:55:08 am
Zentyal 5
I've been getting these errors when restarting DNS from the web interface. I'm also having issues adding a Hyper-V server after joining it to the domain: I get "WinRM cannot process the request" when trying to add it in Hyper-V Manager.

ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-pdc failed.

ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-pdc failed.
Error output: Password has expired

Title: Re: kinit error
Post by: BerT666 on February 13, 2017, 01:53:36 pm
Hi,

You should check whether the password (my guess: the Windows Administrator's) has expired...

Regards

Thomas
Title: Re: kinit error
Post by: jgould on June 13, 2017, 06:22:36 pm
I'm getting the same error(s). The domain's "Administrator" account is set to never expire. Same with my domain admin account.

I noticed that the dns-[hostname] user account that is created when Zentyal was installed doesn't have its password set to never expire. I have no idea what the password was set to for this account, though, and I would expect Zentyal to configure the account CORRECTLY without intervention from the user.

I've also just noticed that the krbtgt account is "Disabled" and I'm not sure why exactly that would be the case. I know I didn't do it, though.

Anyone have a clue?

This is on a Zentyal server that has been upgraded through multiple versions. I actually just started up a fresh Zentyal 5 install with a Win10 PC as a client and the DNS module restarted without error. So it sounds like an issue caused either through upgrades or by time (and potentially an expiring password).

Code:
2017/06/13 12:10:25 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/13 12:10:27 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
2017/06/13 12:10:32 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
Title: Re: kinit error
Post by: jgould on June 14, 2017, 03:40:04 pm
Seems like this is pretty widespread.
https://forum.zentyal.org/index.php?topic=30747.0
https://forum.zentyal.org/index.php/topic,30864.0.html

I did some testing and figured out a few things.

For my initial error, "Error output: Password has expired", I found that the user account (dns-[servername]) in AD Users and Computers didn't show as being locked or anything. HOWEVER, by going into the Attribute Editor (make sure everything is selected in Filter) I found two attributes.
Code:
msDS-User-Account-Control-Computed
msDS-UserPasswordExpiryTimeComputer
These two attributes had values set that sure made it seem like the password HAD expired. This user account (which is automatically generated during install) also doesn't have "Password never expires" set under Account -> Account options. So to test out a theory I checked the "Password never expires" and "Unlock account" options. I knew from experience that this enables the account using the original password, so it didn't need to be changed.

This seemed to remove the "Error output: Password has expired" error, but it now started to show the problem that other members are having. That being:
Code:
Exit value: 2 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/[randomfile] failed.
Error output: update failed: REFUSED

And any attempt I make to resolve this error using the recommendations here in the linked threads or following the Samba wiki results in either STILL getting the REFUSED error or:
Code:
Error output: dns_tkey_negotiategss: TKEY is unacceptable
I even went as far as to follow THESE INSTRUCTIONS (https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC) on the Samba Wiki where you completely delete the dns.keytab file, delete the dns-[servername] user, switch the DNS backend to Samba and then back to Bind (due to a glitch in samba not recreating the dns-[servername] user), and finally run samba_upgradedns --dns-backend=BIND9_DLZ. It still failed.

This results in the DNS module not being able to reload itself and the local machine (127.0.0.1) failing DNS updates (or at least it seems that way when the DNS module reload occurs and nsupdate fails to run). The logs seem to show that all my Windows PCs are still able to securely update DNS records, though.
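The two attributes jgould found, together with the log lines posted earlier in the thread, can be checked mechanically. What follows is an added example, not Zentyal or Samba code: it decodes msDS-User-Account-Control-Computed (a bitmask; the flag values are the standard Active Directory userAccountControl bits) and msDS-UserPasswordExpiryTimeComputed (the attribute the post calls "...Computer"; it is a Windows FILETIME, with 0x7FFFFFFFFFFFFFFF meaning "never expires"), and it pairs each failed kinit command in Zentyal's log with the "Error output:" reason that follows it. The log excerpt, the attribute values and the "now" timestamp are constructed to mirror this thread, and the function names are the example's own. kinit -k authenticates with the keytab key rather than a typed password, but the KDC still rejects a principal whose password has expired, which is why an expired dns-[hostname] account breaks the DNS module restart and why removing the expiry fixes it.

```python
"""Check why a Zentyal/Samba DNS service account fails kinit.

Added example, not Zentyal or Samba code.  Flag values are the standard
Active Directory userAccountControl bits; the log text and attribute values
below are constructed to mirror this thread.
"""
import re
from datetime import datetime, timedelta, timezone

# Bits of msDS-User-Account-Control-Computed that matter for a keytab login.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000

# msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC.  This sentinel means "never".
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed "now": the timestamp of the failing restart in jgould's log.
SAMPLE_NOW = datetime(2017, 6, 13, 12, 10, 32, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME to an aware UTC datetime; None if it never expires."""
    if ticks <= 0 or ticks == NEVER_EXPIRES:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def account_status(uac_computed, expiry_ticks, now):
    """Return (kinit_should_succeed, reasons) for a service account.

    kinit -k uses the keytab key instead of a typed password, but the KDC
    still refuses a principal that is disabled, locked out or whose password
    has expired.
    """
    reasons = []
    if uac_computed & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")
    if uac_computed & UF_LOCKOUT:
        reasons.append("account locked out")
    if uac_computed & UF_PASSWORD_EXPIRED:
        reasons.append("password flagged expired")
    expiry = filetime_to_datetime(expiry_ticks)
    if expiry is not None and expiry <= now:
        reasons.append("password expired at " + expiry.isoformat())
    return (not reasons, reasons)


# Matches the failing command the way Zentyal logs it (see the log above).
KINIT_FAIL = re.compile(
    r"root command kinit -k -t (?P<keytab>\S+) (?P<principal>\S+) failed"
)


def kinit_failures(log_text):
    """Return unique (principal, keytab, error) triples for failed kinit runs.

    Zentyal prints the reason on the "Error output:" line that follows the
    command line, so the two are paired up here.
    """
    found = []
    pending = None
    for line in log_text.splitlines():
        m = KINIT_FAIL.search(line)
        if m:
            pending = (m["principal"], m["keytab"])
            continue
        if pending and line.startswith("Error output:"):
            entry = pending + (line[len("Error output:"):].strip(),)
            if entry not in found:
                found.append(entry)
            pending = None
    return found


# Constructed log excerpt, shaped like the one posted in this thread.
SAMPLE_LOG = """\
2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
"""

if __name__ == "__main__":
    for principal, keytab, error in kinit_failures(SAMPLE_LOG):
        print(f"{principal} ({keytab}): {error}")
    # Constructed attribute values: locked out, password expired 2017-06-01.
    ok, why = account_status(UF_LOCKOUT | UF_PASSWORD_EXPIRED,
                             131407488000000000, SAMPLE_NOW)
    print("kinit should succeed:", ok, why)
    # After the expiry is removed the attribute reads NEVER_EXPIRES.
    print(account_status(UF_DONT_EXPIRE_PASSWD, NEVER_EXPIRES, SAMPLE_NOW))
```

Run it as-is to see the constructed case; to check a real account, read the two attributes from the DC (both are constructed attributes, so they must be requested explicitly) and pass the integer values to account_status.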
Title: Re: kinit error
Post by: sangamc on August 29, 2019, 02:54:10 pm
Wow, 3 years later and we are still praying for a solution.
Title: Re: kinit error
Post by: doncamilo on September 03, 2019, 05:55:59 pm
 :)

Code:
sudo samba-tool user setexpiry dns-domainname --noexpiry

Cheers
Title: Re: kinit error
Post by: hsuhank on December 19, 2019, 09:11:52 am
Use the Microsoft Windows tool Active Directory Users and Computers.
Unlock the dns-dc-a account and set the account to permanent validity; the DNS service will be back to normal.