Active directory problem with /etc/ix.rc.d/ix-kinit renew

Status
Not open for further replies.

NickBarrett

Cadet
Joined
Mar 18, 2014
Messages
6
I keep getting an email saying the following:

Subject: /etc/ix.rc.d/ix-kinit renew
Message: kinit: krb5_get_kdc_cred: Matching credential (krbtgt/NOTMYREALDOMAIN.COM@NOTMYREALDOMAIN.COM) not found

(I use my actual active directory domain name instead of NOTMYREALDOMAIN.COM, but it is an actual .com domain, just in case that matters)

If I go to "Services"->"Directory Services"->"Active Directory" and put the "Domain Account Password" again and click "OK" then restart the server, the problem goes away for a week.

I'm running 9.2.1.2-RELEASE-x64 (002022c). I didn't used to get this problem on earlier versions. I did have (and reported https://bugs.freenas.org/issues/4133) a problem with my server name having a hyphen in it, but that was resolved in the build I am currently running.

Apologies if I simply haven't configured things correctly.

Any help would be much appreciated.
 

dlavigne

Guest
Check to see if any of the following are culprits:

If all the computers in the realm do not have synchronized time settings, authentication may fail. Check that the NTP settings are using the same NTP servers as the rest of the domain.

Check the DNS settings for the network to make sure that valid A and PTR records exist for the FreeNAS system.

Check the ticket lifetime for the host principal. For example, if the user principal has a lifetime of a week but the host being connected to has a lifetime of nine hours, the user cache will have an expired host principal and the ticket cache will not work as expected.
 

andrew0401

Dabbler
Joined
Aug 19, 2011
Messages
21
Had the message before upgrading to 9.2.1.3 - all fine for 72 hours and now the emails are back.

Trying the previous "fix" - service ix-kinit start

All timing is set by our own GPS based time server - and no obvious error in DNS setup (but checking again)

Andrew
 

Willem M

Cadet
Joined
Mar 30, 2014
Messages
1
Hi all,

Just to say we are having the same issue. Previous "fix" "service ix-kinit start" worked too. After upgrading to 9.2.1.3 message was gone for about a week I think, but the mails started again this afternoon.
We're going to try the same fix again and see if that "cures" it again.

Willem
 
Joined
Jun 14, 2013
Messages
6
Same boat as everyone else. Started getting errors today. I wasn't aware of trying to (re)start the ix-kinit service, but I'll see what that does for me.
 

mstrent

Dabbler
Joined
Oct 11, 2012
Messages
21
Getting these errors constantly in our AD environment, too. I've tried unjoin/rejoin of the FreeNAS box. Clocks are synched, DNS is good, and everything else in our AD environment works great (20+ servers, 500+ clients, multiple campuses).

The bug report: https://bugs.freenas.org/issues/4579 has been closed, so hopefully after trying the "service ix-kinit start" workaround and being on the latest nightly, we'll be good to go. ;-)
 

andrew0401

Dabbler
Joined
Aug 19, 2011
Messages
21
This was mentioned earlier.

Check the ticket lifetime for the host principal. For example, if the user principal has a lifetime of a week but the host being connected to has a lifetime of nine hours, the user cache will have an expired host principal and the ticket cache will not work as expected.

Has anyone found successful values for FreeNAS and a Windows 2008 domain? Tried shortening/lengthening - but after a few hours the message is back.

Running latest stable build

Andrew
 

mstrent

Dabbler
Joined
Oct 11, 2012
Messages
21
Seems strange that something like changing ticket lifetimes would be needed, you know? 1) I'm sure many of us reporting this issue have standard Active Directory environments with many, many other domain-joined machines that don't exhibit this behavior without anything like changing ticket lifetimes. 2) FreeNAS used to not have this problem (or at least wasn't reporting it). Seems to me this is something that needs to be resolved on the FreeNAS side.

BTW, I did receive the krb5_get_kdc_cred email again this morning. I'm on the 4/1 nightly and have tried "service ix-kinit start", and join/unjoin of the FreeNAS box. So this bug is definitely not resolved.
 

mstrent

Dabbler
Joined
Oct 11, 2012
Messages
21
From https://bugs.freenas.org/issues/4715:
Updated by John Hixson about 18 hours ago

  • Status changed from Unscreened to Fix In Progress
A fix is being worked on. For now, it can be worked around by:
1. Disabling the cron job altogether (comment line in /etc/crontab, restart cron, cp to /conf/base/etc/crontab if you want to persist across reboots)
2. Changing the cron job from ix-kinit renew to ix-kinit start
 

John Hixson

Guest
This issue is resolved and will work correctly in the upcoming 9.2.1.4 release. The problem was that the cron job for doing ticket renewals was not paying attention to the ticket lifetime. So once the ticket expired (default is a week), when the renew was attempted, it would spit out the lovely message you are all seeing.
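The failure John Hixson describes is a general Kerberos rule: `kinit -R` only works while the TGT is still unexpired and inside its renewable window, so a periodic job that blindly renews will eventually hit a lapsed ticket and get krb5_get_kdc_cred back. The helper below is an added example written for this thread; it is not FreeNAS's own ix-kinit rc.d script. It assumes the Heimdal `klist -v` output format that FreeBSD/FreeNAS ship (the "End time:", "Renew till:" and "Ticket flags:" lines), a constructed cache for an invented bind account `freenas-join@NOTMYREALDOMAIN.COM`, and a hypothetical password file path; it covers both the ticket-lifetime check from dlavigne's list and the renew-after-expiry root cause.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Heimdal `klist -v` output for the AD bind account's
# cache (account name invented). Active Directory's default domain policy
# issues a 10-hour TGT that stays renewable for 7 days, which is what the
# "End time" and "Renew till" lines below reflect.
SAMPLE_KLIST_V = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: freenas-join@NOTMYREALDOMAIN.COM

Server: krbtgt/NOTMYREALDOMAIN.COM@NOTMYREALDOMAIN.COM
Client: freenas-join@NOTMYREALDOMAIN.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 1189
Auth time:  Apr  1 09:00:00 2014
End time:   Apr  1 19:00:00 2014
Renew till: Apr  8 09:00:00 2014
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: addressless
"""

TIME_FMT = "%b %d %H:%M:%S %Y"  # timestamp layout printed by klist -v


def parse_klist_time(text):
    """Parse 'Apr  1 09:00:00 2014' (klist pads the day with a space)."""
    return datetime.strptime(" ".join(text.split()), TIME_FMT)


def find_tgt(klist_output):
    """Return {'end', 'renew_till', 'flags'} for the krbtgt entry, or None."""
    for block in re.split(r"\n(?=Server: )", klist_output):
        if not block.startswith("Server: krbtgt/"):
            continue
        fields = dict(re.findall(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$", block, re.M))
        renew_raw = fields.get("Renew till")  # absent when not renewable
        return {
            "end": parse_klist_time(fields["End time"]),
            "renew_till": parse_klist_time(renew_raw) if renew_raw else None,
            "flags": set(fields.get("Ticket flags", "").split(", ")),
        }
    return None


def plan_action(klist_output, now, margin=timedelta(minutes=15)):
    """Decide what a periodic ticket job should do at time `now`.

    'ok'     - TGT valid with more than `margin` left; nothing to run
    'renew'  - near expiry but still valid and inside the renewable
               window, so `kinit -R` will succeed
    'reinit' - renewal cannot work (expired, not renewable, or past
               Renew till); only a fresh kinit with the password helps
    """
    tgt = find_tgt(klist_output)
    if tgt is None:
        return "reinit", "no krbtgt in cache"
    if now >= tgt["end"]:
        return "reinit", "TGT expired at %s; kinit -R would fail" % tgt["end"]
    if tgt["end"] - now > margin:
        return "ok", "TGT valid until %s" % tgt["end"]
    if "renewable" in tgt["flags"] and tgt["renew_till"] and now < tgt["renew_till"]:
        return "renew", "renewable until %s" % tgt["renew_till"]
    return "reinit", "TGT can no longer be renewed"


def kinit_command(action, principal, password_file="/root/.ad-bind-password"):
    """Heimdal kinit(1) line for the chosen action (password file path is an
    assumption; it must be root-only, since it holds the bind password)."""
    if action == "renew":
        return "kinit -R %s" % principal
    if action == "reinit":
        return "kinit --password-file=%s %s" % (password_file, principal)
    return None


if __name__ == "__main__":
    for stamp in ("Apr  1 12:00:00 2014", "Apr  1 18:50:00 2014",
                  "Apr  1 20:00:00 2014", "Apr  9 12:00:00 2014"):
        action, why = plan_action(SAMPLE_KLIST_V, parse_klist_time(stamp))
        print(stamp, "->", action, "(%s)" % why,
              kinit_command(action, "freenas-join@NOTMYREALDOMAIN.COM"))
```

Run against the sample, midday on 1 April reports `ok`, ten minutes before the 19:00 end time reports `renew`, and both 20:00 that evening and any time after 8 April report `reinit`: those last two are exactly the states in which the old `ix-kinit renew` cron job still tried `kinit -R` and produced the email. Falling back to a fresh kinit is what the thread's "change renew to start" workaround does by hand.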
 

Nikos1821

Cadet
Joined
Apr 18, 2017
Messages
2
Hi all,

I'm using FreeNAS-9.2.1.9-RELEASE-x64 and I got an admin email "kinit: krb5_get_kdc_cred: Password has expired". After that the system fails to start Directory Services. Can I revive the expired password? How can I overcome the problem?
My apologies if I have posted in the wrong place.
Thank you so much for the help.
 

John Hixson

Guest
Have you tried updating your password? This error is pretty specific. You need to update the password for the account you are using to join AD, it has expired.
 