Bug 8808 - samba_dnsupdate crashed with RuntimeError in get_credentials(): kinit for MACHINE$@REALM failed (Cannot contact any KDC for requested realm)
Summary: samba_dnsupdate crashed with RuntimeError in get_credentials(): kinit for MAC...
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.0 alpha 17
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Reported: 2012-03-12 17:56 UTC by Jelmer Vernooij
Modified: 2020-12-11 11:35 UTC (History)
4 users (show)

See Also:

Command 'samba_dnsupdate' results (10.35 KB, text/plain)
2015-06-25 08:20 UTC, Artur Yarosh
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jelmer Vernooij 2012-03-12 17:56:02 UTC
Several Ubuntu users are hitting this with various alphas:

Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 408, in <module>
  File "/usr/sbin/samba_dnsupdate", line 107, in get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for MACHINE$@REALM failed (Cannot contact any KDC for requested realm)
Comment 1 John Marco 2013-02-26 09:08:07 UTC
Posted this to the Ubuntu lists, because I solved this issue myself by fixing my DNS settings.  If this is the case with others, this bug is more of a confusing error message than anything else:
Not using ubuntu, but this issue is happening to me and seemingly to a lot of folks.
I think I've found the cause.

In my case, it was a matter of incorrectly configured DNS causing creds.get_named_ccache() 
to fail to find the KDC with which to obtain credentials.  No core is being dumped in my case;
I was just getting this famous stack dump when trying to do:
    /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
as is suggested in the how-to I was reading to set up Samba.

A couple minutes with strace revealed that it was trying to look up vmnet-dc1.vmnet.us
using my upstream ISP's name server.  At first I just put in the /etc/krb.conf for
the kdc and admin_server settings in the [realms] section.  This got me past the stacktrace
but I was stilling getting a lot of '. .. blah blah blah not found' errors.  Then I realized that
I had left my ISP DNS in /etc/resolv.conf when I was wget-ing a needed source tarball, and
forgot to set it back to (to use the samba-populated DNS server locally).
Herp derp derp!  :)  So I set resolv.conf to point at and set krb5.conf to use the
correct DNS names for kdc, etc.  Bingo!  It now works perfectly. 

Bottom line with this "bug" I think is that you need to be VERY careful to set up DNS
right or things will fail.  (DNS tends to be that way)

------------ snip snip -------------------
search vmnet.us
------------ snip snip -------------------

------------ snip snip -------------------
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = VMNET.US
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

  kdc = vmnet-dc1.vmnet.us
  admin_server = vmnet-dc1.vmnet.us

 .vmnet.us = VMNET.US
 vmnet.us = VMNET.US
------------ snip snip -------------------
Comment 2 wolfgang peer 2013-08-28 13:54:01 UTC
this bug is still persistent in release 4.0.9.
Sometimes it leads into a crash if copying data from share to windows client.
In my tests it always failed after copying  around 250 MB of files.
It also has the effect that on my debian system ver.6.0.7 , if this error situation occours , i have to restart the systems network 
(i have to "invoke-rc.d networking restart") 

It would be nice if this could be solved.
Comment 3 Artur Yarosh 2015-06-25 08:20:05 UTC
Created attachment 11196 [details]
Command 'samba_dnsupdate' results
Comment 4 Artur Yarosh 2015-06-25 08:36:13 UTC
Comment on attachment 11196 [details]
Command 'samba_dnsupdate' results

I had the same error on my CentOS 7.1.1503 (Core) and Samba 4.2.2 (compiled from the sources) when I used kinit or samba_dnsupdate commands.

I've configured my domain zone (DEV.LOC) manually within the MIT Kerberos recommends
$TTL 86400
@		IN	SOA	brooklyn.dev.loc. hostmaster.dev.loc. (
		IN	NS	brooklyn.dev.loc.
brooklyn	IN	A

_kerberos		TXT	"DEV.LOC"

ns			CNAME	brooklyn.dev.loc.
kerberos		CNAME	brooklyn.dev.loc.
ldap			CNAME	brooklyn.dev.loc.
_ldap._tcp		SRV	0 0 389	brooklyn.dev.loc.
_kerberos._udp		SRV	0 0 88	brooklyn.dev.loc.
_kerberos-master._udp	SRV	0 0 88	brooklyn.dev.loc.
_kerberos-adm._tcp	SRV	0 0 749	brooklyn.dev.loc.
_kpasswd._udp		SRV	0 0 464	brooklyn.dev.loc.

After that I've added the firewalld rules for ports: 53/udp, 88/udp, 389/tcp and 464/tcp.

And I have made the SELinux changes:
samba_domain_controller --> on
named_write_master_zones --> on
kerberos_enabled --> on
chcon -t named_conf_t /usr/local/samba/private/dns.keytab
chcon -t named_conf_t /usr/local/samba/private/named.conf.update
chcon -t named_var_run_t /usr/local/samba/private/dns
chcon -t named_var_run_t /usr/local/samba/private/dns/DEV.LOC.zone
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/DEV.LOC.zone
Comment 5 Björn Jacke 2020-12-11 11:35:20 UTC
this is probably not an issue any more.