Cannot contact any KDC for requested realm

Status
Not open for further replies.

RayRay72

Cadet
Joined
Mar 8, 2016
Messages
7
For the last few days I have been taking a butt whooping trying to get a FreeNAS server to reconnect to Active Directory. We have 2 FreeNAS 9.3 servers, both fully upgraded, one in the corporate office and one at our replication site. We have a single domain controller in the corporate site. I initially setup both FreeNAS servers here at the corporate office and everything worked fine including the connection to active directory for the CIFS shares. Once I moved one of the FreeNAS servers to the replication site, it could no longer fully connect to the domain controller.

The replication site is connected to corporate using an IPSEC tunnel. I have a 2012 R2 server core and a Win 7 client, which both connected to the domain controller just fine. I was able to join the domain from the replication site on both. The FreeNAS server can also join the domain from the replication site. The problem is, when I try to connect with FreeNAS’ “Active Directory” settings, it times out and I get a “Cannot contact any KDC for requested realm”.

I only see errors on the FreeNAS side. There are no errors I can find on the domain controller. I do see successful Kerberos authentication ticket (TGT) requests on the DC, and I can also see the TGT on the FreeNAS server by running a ‘klist’ command. What I fail to see is the next step of Kerberos (I believe), where FreeNAS requests a Kerberos service ticket. The FreeNAS in corporate does this after the TGT, but there is nothing in the Event Viewer showing that the replication site FreeNAS attempts this.

I have read many posts on here and other sites and have tried a lot of things. Here are the main ones I can think of.

  • If I type a bad password in, I get an Invalid Credentials error.
  • I can ping the DC by name, FQDN, and IP, as well as ping the domain itself from the replication FreeNAS server. I can also ping the replication FreeNAS from the DC using name and FQDN.
  • I have shut down all firewalls for testing, and can telnet from the replication FreeNAS to the domain controller on all the ports Kerberos uses when the firewalls are up.
  • I have the subnet of the replication site setup as a site in AD.
  • I am using the DC as the NTP server for the FreeNAS and time is accurate.
  • I have manually created the FreeNAS object in AD, as well as let FreeNAS auto-create it. I can also disable the AD object from FreeNAS.
  • I can manually do a ‘kinit’ command and get a successful ticket.

Here is my krb5.conf file; I have tried both using IP entries and setting ‘dns_lookup_kdc = false’:

Code:
[appdefaults]
    pam = {
        forwardable = true
        ticket_lifetime = 86400
        renew_lifetime = 86400
    }

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    clockskew = 300
    forwardable = yes

[domain_realm]
    xyz.local = XYZ.LOCAL
    .xyz.local = XYZ.LOCAL
    XYZ.LOCAL = XYZ.LOCAL
    .XYZ.LOCAL = XYZ.LOCAL

[realms]
    XYZ.LOCAL = {
        kdc = xyz-dc.xyz.local:88
        admin_server = xyz-dc.xyz.local:88
        kpasswd_server = xyz-dc.xyz.local:464
        default_domain = XYZ.LOCAL
    }

[logging]
    default = SYSLOG:INFO:LOCAL7

RayRay72

Here are my results. I didn't think I got any errors when I ran it previously, but I am unsure if the last result is an error or not.

Code:
[root@Repl-NAS1] ~# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"
[root@Repl-NAS1] ~# echo $?
0
[root@Repl-NAS1] ~# service ix-kerberos start
[root@Repl-NAS1] ~# service ix-nsswitch start
[root@Repl-NAS1] ~# service ix-kinit start
[root@Repl-NAS1] ~# service ix-kinit status
[root@Repl-NAS1] ~# echo $?
0
[root@Repl-NAS1] ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: freenasadm@XYZ.LOCAL

  Issued           Expires          Principal
Mar  9 12:09:23  Mar  9 22:09:23  krbtgt/XYZ.LOCAL@XYZ.LOCAL
[root@Repl-NAS1] ~# python /usr/local/www/freenasUI/middleware/notifier.py start cifs
True
[root@Repl-NAS1] ~# service ix-activedirectory start
Using short domain name -- XYZ
Joined 'REPL-NAS1' to dns domain 'XYZ.local'
[root@Repl-NAS1] ~# service ix-activedirectory status
[root@Repl-NAS1] ~# echo $?
0
[root@Repl-NAS1] ~# python /usr/local/www/freenasUI/middleware/notifier.py restart cifs
True
[root@Repl-NAS1] ~# service ix-pam start
[root@Repl-NAS1] ~# service ix-cache start &
[1] 71284
[root@Repl-NAS1] ~#
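
An added diagnostic (my own example, not code from the thread or from FreeNAS) that parses the two artefacts posted above, the Heimdal-style klist listing and the [realms] section of krb5.conf, to tell the AS exchange (TGT issued) apart from the TGS exchange (service ticket issued), which is the distinction the poster drew from the DC's event log. The sample inputs are constructed copies of what was posted; tcp_open repeats the telnet check and, as the thread's resolution shows, a true result there only proves the port answers, not that Kerberos traffic gets through.

```python
import re
import socket
# Constructed samples modelled on the thread: a klist cache holding only a TGT, and a
# cut-down krb5.conf carrying the same [realms] entry.
SAMPLE_KLIST = """Credentials cache: FILE:/tmp/krb5cc_0
  Issued           Expires          Principal
Mar  9 12:09:23  Mar  9 22:09:23  krbtgt/XYZ.LOCAL@XYZ.LOCAL
"""
SAMPLE_KRB5_CONF = """[realms]
    XYZ.LOCAL = {
        kdc = xyz-dc.xyz.local:88
        admin_server = xyz-dc.xyz.local:88
    }
"""

def parse_tickets(klist_output):
    """Return the principal of every ticket line in Heimdal-style klist output."""
    pat = re.compile(r"^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\w{3}\s+\d{1,2}\s+[\d:]{8}\s+(\S+)$")
    return [m.group(1) for m in map(pat.match, klist_output.splitlines()) if m]

def kerberos_stage(tickets):
    """Say how far the Kerberos exchange got, judged only by what is cached."""
    if not any(t.startswith("krbtgt/") for t in tickets):
        return "no-tgt"          # AS-REQ/AS-REP never completed
    if all(t.startswith("krbtgt/") for t in tickets):
        return "tgt-only"        # AS exchange worked, but no TGS-REP ever arrived
    return "service-tickets"     # the full path to a service (e.g. cifs/...) works

def realm_kdcs(krb5_conf, realm):
    """(host, port) for each kdc entry of a realm in [realms]; port defaults to 88."""
    kdcs, section, in_realm = [], None, False
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, in_realm = line[1:-1], False
        elif section == "realms" and line.replace(" ", "") == realm + "={":
            in_realm = True
        elif line == "}":
            in_realm = False
        elif in_realm and line.split("=")[0].strip() == "kdc":
            host, _, port = line.split("=", 1)[1].strip().partition(":")
            kdcs.append((host, int(port or 88)))
    return kdcs

def tcp_open(host, port, timeout=3.0):
    """Like the thread's telnet test: shows the port answers, not that a UTM passes Kerberos."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run kerberos_stage(parse_tickets(klist_text)) on a live box after ix-kinit: "tgt-only" with a DC that logs no TGS requests, combined with tcp_open returning True for every KDC in realm_kdcs, is exactly the pattern this thread ended up attributing to content inspection between the two sites.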

dlavigne

Guest
Nope, no errors. Guess it's time to create a bug report that includes all of the info in this thread. Please create one at bugs.freenas.org and post the issue number here.

RayRay72

So I finally got this resolved. I hate to admit it, but it turned out to be a firewall issue, which was in fact the first thing I checked. All ports were open just fine, but our UTM was blocking content part way through the Kerberos handshake. The bad thing is that I disabled this firewall as soon as I started troubleshooting. Apparently, even when disabled, it still blocked it. I bypassed the UTM this morning and everything works fine.