/etc/ix.rc.d/ix-kinit renew reports unable to reach any KDC in realm

Status
Not open for further replies.

Stuart1 (Cadet, joined Oct 8, 2014, 4 messages)
The cron job which runs at 20:30 calls "/etc/ix.rc.d/ix-kinit renew"

Occasionally this fails and emails the error message

kinit: krb5_get_kdc_cred: unable to reach any KDC in realm DOMAINNAME.LOCAL

(I've replaced the real domain name.)

The NAS appears to be working correctly and I'm sharing folders over CIFS with Active Directory domain permissions without issues.

We're running Windows 2012R2 domains @ 2003 A/D level if that makes any difference.

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages)
I don't know how to answer your specific problem, but domains shouldn't end in .local. Some RFC spec doesn't allow it anymore. Not sure if you put the .local in there as part of your substitution or not, so this may not even apply to you.

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages)
Again, this probably isn't your problem...

I understand you've used it for 8 years. But the problem is the spec actually changed in 2013. It used to "allow" for .local as a peculiarity. But now it's expressly not allowed. You may or may not have problems as a result because some programs that follow the spec may reject the input from a .local domain because it's considered to be invalid. I don't know. Just giving you the heads up. It *should* be fixed regardless as you could have problems either now or in the future as a result, and you may not even know it. FreeNAS' default config used to be freenas.local and I believe that's been changed now to reflect the actual changes to the spec.


As for the link, I don't know. I don't have much personal experience with that error or what it exactly means. :(

Edit: Asked an iX dev and he said that just means that it can't find the Kerberos server. This could mean that the Kerberos server is down, the DNS is wrong, etc.

Stuart1 (Cadet, joined Oct 8, 2014, 4 messages)
I seem to have removed the error by simply re-confirming the AD username/password in the GUI and saving them again.

I'm operating with two FreeNAS devices which are replicating between themselves; the one was behaving normally without error, and running the command...

klist -v

returned the Kerberos ticket info as expected (see below), however the one with the error didn't and had an empty ticket cache.

The symptoms of this problem were random clients unable to connect over CIFS - presumably the ones who could connect still had valid Kerberos tickets which hadn't expired.

Server: cifs/YYYYY.XXXXX.local@XXXXXX.LOCAL
Client: freenasZZZZZ@XXXXXX.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Ticket length: 1098
Auth time: Oct 8 17:04:43 2014
Start time: Oct 8 17:04:59 2014
End time: Oct 9 03:04:43 2014
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: addressless
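The empty-ticket-cache state Stuart1 describes can be caught before CIFS clients start failing. The check below is an added example written for this thread, not code from FreeNAS or from any poster: it parses the Heimdal `klist -v` layout quoted above (the sample output and the `klist_check.py` name are constructed) and reports whether the cache is empty, holds an expired ticket, or is fine.

```python
import re
import sys
from datetime import datetime

# Constructed sample in the Heimdal "klist -v" layout quoted in the thread.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0

Server: krbtgt/XXXXXX.LOCAL@XXXXXX.LOCAL
Client: freenasZZZZZ@XXXXXX.LOCAL
Auth time: Oct 8 17:04:43 2014
End time: Oct 9 03:04:43 2014
Ticket flags: pre-authenticated, initial

Server: cifs/YYYYY.XXXXX.local@XXXXXX.LOCAL
Client: freenasZZZZZ@XXXXXX.LOCAL
Auth time: Oct 8 17:04:43 2014
End time: Oct 9 03:04:43 2014
Ticket flags: pre-authenticated, ok-as-delegate
"""

TIME_FMT = "%b %d %H:%M:%S %Y"  # Heimdal prints e.g. "Oct 9 03:04:43 2014"

def parse_klist(text):
    """Split klist -v output into one {field: value} dict per ticket."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\S[^:]*):\s*(.+)$", block, re.M))
        if "Server" in fields:  # the cache header block has no Server line
            tickets.append(fields)
    return tickets

def check_cache(text, now):
    """Return (status, details); status is 'empty', 'expired' or 'ok'.
    'empty' is the state the thread describes: klist shows no tickets."""
    if isinstance(now, str):  # allow a timestamp in klist's own format
        now = datetime.strptime(now, TIME_FMT)
    tickets = parse_klist(text)
    if not tickets:
        return "empty", []
    details = []
    for t in tickets:
        end = datetime.strptime(t["End time"], TIME_FMT)
        details.append((t["Server"], end, end - now))  # time left per ticket
    expired = any(left.total_seconds() <= 0 for _, _, left in details)
    return ("expired" if expired else "ok"), details

if __name__ == "__main__":  # on the NAS: klist -v | python3 klist_check.py
    status, details = check_cache(sys.stdin.read(), datetime.now())
    print(status, *(f"{srv} ends {end}" for srv, end, _ in details), sep="\n")
```

Run from the same 20:30 cron slot as the renew, a non-"ok" result is the signal to re-check the AD credentials and DNS before users notice.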