Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: dashwell on October 03, 2022, 09:47:43 pm

Title: zentyal no longer seeing KDC servers
Post by: dashwell on October 03, 2022, 09:47:43 pm
My Zentyal box is no longer seeing the other servers for replication. If I go through samba-tool drs showrepl it reports it can't see the KDC servers on the domain controller.
Please can someone help me.


ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:hangarserver.dummy.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
Cannot reach a KDC we require to contact (null) : kinit for HANGARSERVER$@dummy.local failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/HANGARSERVER.dummy.local failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
resolve_lmhosts: Attempting lmhosts lookup for name hangarserver.dummy.local<0x20>
Cannot reach a KDC we require to contact (null) : kinit for HANGARSERVER$@dummy.local failed (Cannot contact any KDC for requested realm)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/hangarserver.dummy.local failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Default-First-Site-Name\HANGARSERVER
DSA Options: 0x00000001
DSA object GUID: a14123e4-7784-4b37-bcc3-21a705a98a31
DSA invocationId: 86acb60f-bc0d-48ff-8686-a4929a99662c

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:00:53 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13313 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:02:39 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                15187 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

CN=Schema,CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:04:24 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                101163 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

DC=DomainDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:06:09 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13452 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:31 2021 SAST

DC=ForestDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 17:59:08 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                13314 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:24:29 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                448611 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:36 2022 SAST

DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:25:09 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                828531 consecutive failure(s).
                Last success @ Wed Jan 12 12:21:00 2022 SAST

CN=Schema,CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:25:49 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                43778 consecutive failure(s).
                Last success @ Mon Feb 28 05:53:29 2022 SAST

DC=DomainDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:23:08 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                829934 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:35 2022 SAST

DC=ForestDnsZones,DC=dummy,DC=local
        Default-First-Site-Name\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 21:23:48 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                816051 consecutive failure(s).
                Last success @ Wed Jan 12 11:33:36 2022 SAST

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 8d40d461-5748-416f-ba56-453127e5f850
        Enabled        : TRUE
        Server DNS name : SERVER.dummy.local
        Server DN name  : CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dummy,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
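
As an added illustration (not part of the original post), a small parser for the `samba-tool drs showrepl` layout above that flags neighbors whose last attempt failed or whose last success is stale; the sample is a constructed excerpt, and the successful neighbor in it is invented for contrast.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout `samba-tool drs showrepl` prints; names and GUIDs
# mirror the post above, while the "was successful" neighbor is made up for contrast.
SAMPLE = """\
Default-First-Site-Name\\HANGARSERVER
DSA object GUID: a14123e4-7784-4b37-bcc3-21a705a98a31

==== INBOUND NEIGHBORS ====

DC=dummy,DC=local
        Default-First-Site-Name\\SERVER via RPC
                DSA object GUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
                Last attempt @ Mon Oct  3 18:02:39 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                15187 consecutive failure(s).
                Last success @ Fri Dec 17 15:02:32 2021 SAST

CN=Configuration,DC=dummy,DC=local
        Default-First-Site-Name\\SERVER via RPC
                Last attempt @ Mon Oct  3 18:00:53 2022 SAST was successful
                0 consecutive failure(s).
                Last success @ Mon Oct  3 18:00:53 2022 SAST

==== OUTBOUND NEIGHBORS ====

DC=dummy,DC=local
        Default-First-Site-Name\\SERVER via RPC
                Last attempt @ Mon Oct  3 21:25:09 2022 SAST failed, result 1311 (WERR_NO_LOGON_SERVERS)
                828531 consecutive failure(s).
                Last success @ Wed Jan 12 12:21:00 2022 SAST

==== KCC CONNECTION OBJECTS ====
"""

SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
PARTITION_RE = re.compile(r"^(?:CN|DC)=\S+$")          # a naming context DN opens a neighbor block
SOURCE_RE = re.compile(r"^\s+(\S+) via (\S+)$")
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ (.+?) (?:was successful|failed, result (\d+) \((\w+)\))$")
FAILURES_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^\s+Last success @ (.+)$")

def parse_time(stamp):
    """'Mon Oct  3 18:02:39 2022 SAST' -> naive datetime (zone name dropped, padding collapsed)."""
    return datetime.strptime(" ".join(stamp.split()[:5]), "%a %b %d %H:%M:%S %Y")

def parse_showrepl(text):
    """Return one dict per replication neighbor found in showrepl output."""
    neighbors, direction, cur = [], None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            direction = m.group(1)
        elif line.startswith("==== KCC"):
            break                                      # connection objects are not neighbors
        elif direction is None or not line.strip():
            continue                                   # local DSA header lines / blank separators
        elif PARTITION_RE.match(line):
            cur = {"direction": direction, "partition": line}
            neighbors.append(cur)
        elif cur is None:
            continue
        elif m := SOURCE_RE.match(line):
            cur["source"], cur["transport"] = m.group(1), m.group(2)
        elif m := ATTEMPT_RE.match(line):
            cur["last_attempt"] = parse_time(m.group(1))
            cur["result_code"] = int(m.group(2) or 0)  # 1311 is WERR_NO_LOGON_SERVERS, as in the post
            cur["result_name"] = m.group(3) or "OK"
        elif m := FAILURES_RE.match(line):
            cur["consecutive_failures"] = int(m.group(1))
        elif m := SUCCESS_RE.match(line):
            cur["last_success"] = parse_time(m.group(1))
    return neighbors

def broken_neighbors(neighbors, now=None, max_age=timedelta(days=7)):
    """Neighbors whose last attempt failed or whose last success is older than max_age."""
    now = now or datetime.now()
    return [n for n in neighbors
            if n["result_code"] != 0 or now - n["last_success"] > max_age]
```

A result of 1311 on every partition with the same source DC, combined with the kinit failure above it, points at authentication to the partner rather than at the directory data itself.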

Title: Re: zentyal no longer seeing KDC servers
Post by: turalyon on October 04, 2022, 12:34:06 pm
Hi,

If you are using Zentyal 6.2 or 7.0, run the following script to get a system report and pay special attention to the Domain controller output:

Code:
sudo /usr/share/zentyal/smart-admin-report

NOTE: If you want to post the output here, make sure that you rename the sensitive information that the report might have.

However, according to the output, it seems that you do not have any additional domain controller in your environment.

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever”.

Title: Re: zentyal no longer seeing KDC servers
Post by: cforker on October 08, 2022, 06:41:59 pm
Hi guys,

What are your symptoms on this issue? I mean, I did a 22H2 upgrade on a Windows 11 machine joined to Zentyal 7.0. After that I get the message that my username and password aren't correct. Machines which couldn't update don't have these problems. Myself and also my clients run many Windows 11 machines, so this is a big problem at the moment. Is that related?

Chris

Title: Re: zentyal no longer seeing KDC servers
Post by: dashwell on October 20, 2022, 04:00:28 pm
Quote from: turalyon on October 04, 2022, 12:34:06 pm
> Hi,
>
> If you are using Zentyal 6.2 or 7.0, run the following script to get a system report and pay special attention to the Domain controller output:
>
> Code:
> sudo /usr/share/zentyal/smart-admin-report
>
> NOTE: If you want to post the output here, make sure that you rename the sensitive information that the report might have.
>
> However, according to the output, it seems that you do not have any additional domain controller in your environment.
>
> --
>
> “This world is ours, and by the Holy Light we will keep it safe, now and forever”.

Good day, sorry that this reply has taken so long...
This was a server joined to an existing AD domain to be part of the domain servers group.
Here is that report.
Subject: System report


##################
# GENERAL CHECKS #
##################

########
## Hostname
########

hangarserver.js.local

########
## Hosts
########

127.0.0.1       localhost.localdomain localhost
#127.0.1.1      hangarserver.js.local hangarserver
192.168.100.2   hangarserver.js.local hangarserver
192.168.0.1     server.js.local server
192.168.0.247   server1.js.local        server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

########
## Resolv
########

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 127.0.0.1
search js.local

########
## Version of Zentyal and Ubuntu
########

Zentyal 6.1.6
Ubuntu 18.04.6 LTS

########
## Zentyal's modules installed
########

ii zentyal-core 6.1.6
ii zentyal-dns 6.1.2
ii zentyal-firewall 6.1
ii zentyal-network 6.1.1
ii zentyal-ntp 6.1
ii zentyal-samba 6.1.2
ii zentyal-software 6.1.1

########
## Modules which are enabled
########

Zentyal module network:                 [ ENABLED ]
Zentyal module firewall:                        [ DISABLED ]
Zentyal module audit:                   [ DISABLED ]
Zentyal module dns:                     [ ENABLED ]
Zentyal module logs:                    [ ENABLED ]
Zentyal module ntp:                     [ ENABLED ]
Zentyal module samba:                   [ ENABLED ]
Zentyal module webadmin:                        [ ENABLED ]

########
## Zentyal Commercial Edition
########

The server doesn't have a license key.

########
## Uptime
########

Uptime's server: up 8 hours, 36 minutes

########
## Memory
########

Total memory: 15914 MB
Memory usage: 11.52%
SWAP usage: 0 MB

########
## CPU
########

Total cores:  4
CPU load average (1m,5m,15m): 2.23. 1.87. 1.83

########
## Hard Drives and partitions
########

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 465.8G  0 disk
├─sda1   8:1    0   512M  0 part /boot/efi
└─sda2   8:2    0 465.3G  0 part /
sdb      8:16   0   1.8T  0 disk
└─sdb1   8:17   0   1.8T  0 part /share
sr0     11:0    1  1024M  0 rom

## Disk usage:

Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/sda2      ext4      457G   73G  361G  17% /
/dev/sdb1      ext4      1.8T  1.5T  290G  84% /share
/dev/sda1      vfat      511M  9.6M  502M   2% /boot/efi

########
## Network Interfaces
########

## Interfaces available:

eth0

## IPs configured:

 eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.100.2/24 brd 192.168.100.255 scope global eth0

## Network Interfaces where were 'Down':

Title: Re: zentyal no longer seeing KDC servers
Post by: turalyon on October 21, 2022, 04:05:34 pm
Hi,

The domain controller is missing in the output you provide. Basically, the following function must be executed so I can see if something is wrong with the domain controller module.

* https://github.com/zentyal/zentyal/blob/master/main/core/src/scripts/smart-admin-report#L194

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever”.

Title: Re: zentyal no longer seeing KDC servers
Post by: dashwell on January 05, 2023, 08:15:30 pm
Good evening,

I'm still digging into this, as this server is still being referenced for some AD lookups and I'd really like to get this fixed. Please find the attached log, made fresh this evening.


Subject: System report


##################
# GENERAL CHECKS #
##################

########
## Hostname
########

hangarserver.js.local

########
## Hosts
########

127.0.0.1       localhost.localdomain localhost
#127.0.1.1      hangarserver.js.local hangarserver
192.168.100.2   hangarserver.js.local hangarserver
192.168.0.1     server.js.local server
192.168.0.247   server1.js.local        server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

########
## Resolv
########

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 127.0.0.1
search js.local

########
## Version of Zentyal and Ubuntu
########

Zentyal 6.1.6
Ubuntu 18.04.6 LTS

########
## Zentyal's modules installed
########

ii zentyal-core 6.1.6
ii zentyal-dns 6.1.2
ii zentyal-firewall 6.1
ii zentyal-network 6.1.1
ii zentyal-ntp 6.1
ii zentyal-samba 6.1.2
ii zentyal-software 6.1.1

########
## Modules which are enabled
########

Zentyal module network:                 [ ENABLED ]
Zentyal module firewall:                        [ DISABLED ]
Zentyal module audit:                   [ DISABLED ]
Zentyal module dns:                     [ ENABLED ]
Zentyal module logs:                    [ ENABLED ]
Zentyal module ntp:                     [ ENABLED ]
Zentyal module samba:                   [ ENABLED ]
Zentyal module webadmin:                        [ ENABLED ]

########
## Zentyal Commercial Edition
########

The server doesn't have a license key.

########
## Uptime
########

Uptime's server: up 8 hours, 30 minutes

########
## Memory
########

Total memory: 15914 MB
Memory usage: 7.50%
SWAP usage: 0 MB

########
## CPU
########

Total cores:  4
CPU load average (1m,5m,15m): 0.54. 0.42. 0.42

########
## Hard Drives and partitions
########

NAME      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda         8:0    0 238.5G  0 disk
├─sda1      8:1    0   512M  0 part  /boot/efi
└─sda2      8:2    0 164.7G  0 part  /
sdb         8:16   0   3.7T  0 disk
└─sdb1      8:17   0   3.7T  0 part
  └─md127   9:127  0   3.7T  0 raid1 /share
sdc         8:32   0   3.7T  0 disk
└─sdc1      8:33   0   3.7T  0 part
  └─md127   9:127  0   3.7T  0 raid1 /share

## Disk usage:

Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/sda2      ext4      162G   15G  139G  10% /
/dev/sda1      vfat      511M  9.6M  502M   2% /boot/efi
/dev/md127     ext4      3.6T  1.5T  2.0T  43% /share

########
## Network Interfaces
########

## Interfaces available:

eth0

## IPs configured:

 eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.100.2/24 brd 192.168.100.255 scope global eth0

## Network Interfaces where were 'Down': 0

########
## Server packages
########

Broken packages: 0
Upgradable packages:

250 updates can be applied immediately.
221 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last update by Zentyal:

########
## Repositories
########

## Repositorios configured:
deb http://za.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://za.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://za.archive.ubuntu.com/ubuntu/ bionic universe
deb http://za.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://za.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://za.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://za.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://packages.zentyal.org/zentyal 6.1 main extra
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse

## Custom repositories:

/etc/apt/sources.list.d/dropbox.list
deb [arch=i386,amd64] http://linux.dropbox.com/ubuntu bionic main

/etc/apt/sources.list.d/owncloud.list
deb https://download.owncloud.com/desktop/ownCloud/stable/2.9.2.6206/linux/Ubuntu_18.04/ /

/etc/apt/sources.list.d/openvpn3.list
deb https://swupdate.openvpn.net/community/openvpn3/repos bionic main


########
## System emails
########


########
## Mysql daemon
########

active

########
## Mysql databases
########


## Databases available:

+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| zentyal            |
+--------------------+

## Mysql databases check:

mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.engine_cost                                  OK
mysql.event                                        OK
mysql.func                                         OK
mysql.general_log                                  OK
mysql.gtid_executed                                OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK
mysql.innodb_index_stats                           OK
mysql.innodb_table_stats                           OK
mysql.ndb_binlog_index                             OK
mysql.plugin                                       OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.proxies_priv                                 OK
mysql.server_cost                                  OK
mysql.servers                                      OK
mysql.slave_master_info                            OK
mysql.slave_relay_log_info                         OK
mysql.slave_worker_info                            OK
mysql.slow_log                                     OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK
sys.sys_config                                     OK
zentyal.audit_actions                              OK
zentyal.audit_sessions                             OK
zentyal.firewall                                   OK
zentyal.firewall_report                            OK
zentyal.samba_access                               OK
zentyal.samba_access_report                        OK
zentyal.samba_disk_usage                           OK
zentyal.samba_disk_usage_report                    OK
zentyal.samba_quarantine                           OK

###################
# Login accesses #
###################

Successful accesses to the Zentyal Admin Interface: 4
Failed accesses to the Zentyal Admin Interface: 0

Successful accesses from SSH: 3
Failed accesses from SSH: 1

#####################
# ZENTYAL LOG FILE  #
#####################

## Errors and Warnings found from '2022/10/03' to '2023/01/05'

## Errors found:
ntp                                 0
dhcp                                0
openvpn                             0
network                             1
ipsec                               0
squid                               0
firewall                            0
mysql                               0
samba                               11
sogo                                0
ejabber                             0
logs                                0
dns                                 12
mail                                0

## Warnings found:
ntp                                 3
dhcp                                0
openvpn                             0
network                             0
ipsec                               0
squid                               0
firewall                            0
mysql                               0
samba                               1
sogo                                0
ejabber                             0
logs                                0
dns                                 0
mail                                0

############################
# DOMAIN CONTROLLER CHECKS #
############################

########
## DNS user
########

dns-HANGARSERVER

## DNS users on DnsAdmins:

dns-HANGARSERVER

########
## DNS user password flags
########

Usuario: dns-HANGARSERVER -> U

########
## DNS user ticket
########

Skipping the check for Kerberos ticket for 'dns-hangarserver' because its password isn't set as 'noexpiry'.

########
## Status of old Samba daemon
########

## Daemons' information:
Status of the daemon: 'smbd': inactive
State of the daemon: 'smbd': disabled

Status of the daemon: 'nmbd': inactive
State of the daemon: 'nmbd': disabled

Status of the daemon: 'winbind': inactive
State of the daemon: 'winbind': disabled

Status of the daemon: 'sssd': inactive
State of the daemon: 'sssd':

########
## Samba database check
########

Checked 7581 objects (51 errors)

########
## FSMO OWNER
########

SchemaMasterRole owner: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local

########
## Domain Controllers configured
########

dn: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
objectGUID: 06b2d19c-ffe4-45e3-be6f-183540b1c68b
dn: CN=NTDS Settings,CN=HANGARSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=js,DC=local
objectGUID: a14123e4-7784-4b37-bcc3-21a705a98a31

########
## DNS alias
########

06b2d19c-ffe4-45e3-be6f-183540b1c68b._msdcs.js.local is an alias for server.js.local.
a14123e4-7784-4b37-bcc3-21a705a98a31._msdcs.js.local is an alias for hangarserver.js.local.

########
## DNS Errors on log file
########

Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm JS.LOCAL

--
Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-HANGARSERVER failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm JS.LOCAL

--
2022/12/22 15:39:57 ERROR> GlobalImpl.pm:652 EBox::GlobalImpl::saveAllModules - Failed to save changes in module dns: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-HANGARSERVER failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm JS.LOCAL


I've got three KDC points, all of which I can ping without an issue by either name or IP address.
The error I'm seeing pop up is that it can't resolve hangarserver.js.local via lmhosts.
I can ping hangarserver.js.local and hangarserver and they both respond perfectly with the correct IP address.

Any help would be fantastic. I did have to update this unit's IP address a long time back, and I've adjusted the DNS to show the correct IP address; I don't know if that's what's causing this issue.

Many thanks to everyone for help on this matter.
Duane

Title: Re: zentyal no longer seeing KDC servers
Post by: turalyon on January 09, 2023, 01:06:22 pm
Hi,

According to your output, there are a few things to analyze:

1. It is not recommended to set the IP address of any hostname other than '127.0.0.1' and '127.0.1.1' in the configuration file '/etc/hosts'. The three records you have must be set up in the DNS module.

Code:
192.168.100.2   hangarserver.js.local hangarserver
192.168.0.1     server.js.local server
192.168.0.247   server1.js.local        server1

2. Your Zentyal server has 250 packages to update. This shouldn't cause the issue, but I think it is interesting to mention.

Code:
250 updates can be applied immediately.
221 of these updates are standard security updates

3. The internal database of Samba has 51 errors; this could be the cause of the replication issue.

Code:
Checked 7581 objects (51 errors)

The fix for the third point is explained here: https://wiki.samba.org/index.php/Dbcheck

Related to the IP change a long time back, this can also be the issue, check the following:

1. Domain controller is listening to the new IP address.

Code:
sudo ss -tunpl | grep :389

2. The DNS entries were correctly updated, here you have another link: https://wiki.samba.org/index.php/DNS_Administration#Listing_zone_records

Code:
## An example
samba-tool dns query 127.0.0.1 js.local @ ALL -U administrator

Finally, did you check the log files: '/var/log/zentyal/zentyal.log' and '/var/log/syslog'? And also, did you check what errors you get related to the replication as this link explains: https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses ?

NOTE: What operating system does the other domain controller use?

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever”.
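
An added example, not part of the reply or of Zentyal's own tooling: a triage pass over the smart-admin-report sections the reply reads (Hosts, Server packages, Samba database check, DNS errors), run here on a constructed excerpt that reuses the values quoted above.

```python
import ipaddress
import re

# Constructed excerpt of a smart-admin-report, limited to the sections the reply above reads.
REPORT = """\
########
## Hosts
########

127.0.0.1       localhost.localdomain localhost
#127.0.1.1      hangarserver.js.local hangarserver
192.168.100.2   hangarserver.js.local hangarserver
192.168.0.1     server.js.local server
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes

########
## Server packages
########

Broken packages: 0
250 updates can be applied immediately.
221 of these updates are standard security updates.

########
## Samba database check
########

Checked 7581 objects (51 errors)

########
## DNS Errors on log file
########

Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm JS.LOCAL
"""

HEADER_RE = re.compile(r"^########\n## (.+)\n########\n", re.M)

def sections(report):
    """Map section title -> body text, splitting on the report's '## Title' banners."""
    parts = HEADER_RE.split(report)        # ['', title1, body1, title2, body2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts), 2)}

def pinned_hosts(hosts_body):
    """Active /etc/hosts entries that are neither loopback nor multicast (point 1 of the reply)."""
    pinned = []
    for line in hosts_body.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        addr = ipaddress.ip_address(fields[0])
        if not (addr.is_loopback or addr.is_multicast):
            pinned.append((fields[0], fields[1:]))
    return pinned

def triage(report):
    """Return (code, detail) findings in the order the reply above checks them."""
    sec = sections(report)
    findings = []
    for ip, names in pinned_hosts(sec.get("Hosts", "")):
        findings.append(("hosts-pinned", f"{ip} -> {' '.join(names)} belongs in the DNS module"))
    pkg = sec.get("Server packages", "")
    if m := re.search(r"(\d+) updates can be applied", pkg):
        sec_m = re.search(r"(\d+) of these updates are standard security", pkg)
        findings.append(("updates", f"{m.group(1)} pending, {sec_m.group(1) if sec_m else 0} security"))
    if m := re.search(r"Checked (\d+) objects \((\d+) errors\)", sec.get("Samba database check", "")):
        if int(m.group(2)):
            findings.append(("dbcheck", f"{m.group(2)} errors in {m.group(1)} objects; run samba-tool dbcheck"))
    realms = set(re.findall(r"unable to reach any KDC in realm (\S+)", sec.get("DNS Errors on log file", "")))
    for realm in sorted(realms):
        findings.append(("kdc-unreachable", f"kinit cannot reach a KDC for {realm}"))
    return findings
```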