8808 – samba_dnsupdate crashed with RuntimeError in get_credentials(): kinit for MACHINE$@REALM failed (Cannot contact any KDC for requested realm)

Bug 8808 - samba_dnsupdate crashed with RuntimeError in get_credentials(): kinit for MACHINE$@REALM failed (Cannot contact any KDC for requested realm)

Summary: samba_dnsupdate crashed with RuntimeError in get_credentials(): kinit for MAC...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.0 alpha 17
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	samba4-qa@samba.org

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-03-12 17:56 UTC by Jelmer Vernooij
Modified:	2020-12-11 11:35 UTC (History)
CC List:	4 users (show)

See Also:	https://launchpad.net/bugs/809638

Attachments
Command 'samba_dnsupdate' results (10.35 KB, text/plain) 2015-06-25 08:20 UTC, Artur Yarosh	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jelmer Vernooij 2012-03-12 17:56:02 UTC

Several Ubuntu users are hitting this with various alphas:

Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 408, in <module>
    get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 107, in get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for MACHINE$@REALM failed (Cannot contact any KDC for requested realm)

Comment 1 John Marco 2013-02-26 09:08:07 UTC

Posted this to the Ubuntu lists, because I solved this issue myself by fixing my DNS settings.  If this is the case with others, this bug is more of a confusing error message than anything else:
-----------------
Not using ubuntu, but this issue is happening to me and seemingly to a lot of folks.
I think I've found the cause.

In my case, it was a matter of incorrectly configured DNS causing creds.get_named_ccache() 
to fail to find the KDC with which to obtain credentials.  No core is being dumped in my case;
I was just getting this famous stack dump when trying to do:
    /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
as is suggested in the how-to I was reading to set up Samba.

A couple minutes with strace revealed that it was trying to look up vmnet-dc1.vmnet.us
using my upstream ISP's name server.  At first I just put 127.0.0.1 in the /etc/krb.conf for
the kdc and admin_server settings in the [realms] section.  This got me past the stacktrace
but I was stilling getting a lot of '. .. blah blah blah not found' errors.  Then I realized that
I had left my ISP DNS in /etc/resolv.conf when I was wget-ing a needed source tarball, and
forgot to set it back to 127.0.0.1 (to use the samba-populated DNS server locally).
Herp derp derp!  :)  So I set resolv.conf to point at 127.0.0.1 and set krb5.conf to use the
correct DNS names for kdc, etc.  Bingo!  It now works perfectly. 

Bottom line with this "bug" I think is that you need to be VERY careful to set up DNS
right or things will fail.  (DNS tends to be that way)

/etc/resolv.conf:
------------ snip snip -------------------
search vmnet.us
nameserver 127.0.0.1
------------ snip snip -------------------

/etc/krb5.conf
------------ snip snip -------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = VMNET.US
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 VMNET.US = {
  kdc = vmnet-dc1.vmnet.us
  admin_server = vmnet-dc1.vmnet.us
 }

[domain_realm]
 .vmnet.us = VMNET.US
 vmnet.us = VMNET.US
------------ snip snip -------------------

Comment 2 wolfgang peer 2013-08-28 13:54:01 UTC

this bug is still persistent in release 4.0.9.
Sometimes it leads into a crash if copying data from share to windows client.
In my tests it always failed after copying  around 250 MB of files.
It also has the effect that on my debian system ver.6.0.7 , if this error situation occours , i have to restart the systems network 
(i have to "invoke-rc.d networking restart") 

It would be nice if this could be solved.

Comment 3 Artur Yarosh 2015-06-25 08:20:05 UTC

Created attachment 11196 [details]
Command 'samba_dnsupdate' results

Comment 4 Artur Yarosh 2015-06-25 08:36:13 UTC

Comment on attachment 11196 [details]
Command 'samba_dnsupdate' results

I had the same error on my CentOS 7.1.1503 (Core) and Samba 4.2.2 (compiled from the sources) when I used kinit or samba_dnsupdate commands.

I've configured my domain zone (DEV.LOC) manually within the MIT Kerberos recommends
--
$TTL 86400
@		IN	SOA	brooklyn.dev.loc. hostmaster.dev.loc. (
				2015062300;
				3H;
				2H;
				1W;
				3H);
		IN	NS	brooklyn.dev.loc.
brooklyn	IN	A	172.16.1.151

_kerberos		TXT	"DEV.LOC"

ns			CNAME	brooklyn.dev.loc.
kerberos		CNAME	brooklyn.dev.loc.
ldap			CNAME	brooklyn.dev.loc.
_ldap._tcp		SRV	0 0 389	brooklyn.dev.loc.
_kerberos._udp		SRV	0 0 88	brooklyn.dev.loc.
_kerberos-master._udp	SRV	0 0 88	brooklyn.dev.loc.
_kerberos-adm._tcp	SRV	0 0 749	brooklyn.dev.loc.
_kpasswd._udp		SRV	0 0 464	brooklyn.dev.loc.

After that I've added the firewalld rules for ports: 53/udp, 88/udp, 389/tcp and 464/tcp.

And I have made the SELinux changes:
samba_domain_controller --> on
named_write_master_zones --> on
kerberos_enabled --> on
chcon -t named_conf_t /usr/local/samba/private/dns.keytab
chcon -t named_conf_t /usr/local/samba/private/named.conf.update
chcon -t named_var_run_t /usr/local/samba/private/dns
chcon -t named_var_run_t /usr/local/samba/private/dns/DEV.LOC.zone
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/DEV.LOC.zone

Comment 5 Björn Jacke 2020-12-11 11:35:20 UTC

this is probably not an issue any more.