kerberos - How to make kerberos5 client use a specified KDC first, then try DNS?

2014-04-06
  • Magicloud

    Our DNS for KDC is rotating globally and I cannot control that.

    Sometimes there are Kerberos-related account issues where the only solution on clients is to wait a few days for the data to sync between domain controllers.

    Then this came up to me: how to make tools like kinit use the local KDC first, by doing something in krb5.conf?
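    An added configuration example (not from the question or any answer on this page) showing how MIT krb5 orders KDCs; the realm EXAMPLE.COM and the host names are placeholders. MIT krb5 consults DNS SRV records only for a realm that lists no kdc entries, so a realm that names a local KDC must also name its fallback explicitly; here the fallback is the domain's round-robin name, assuming the AD domain name resolves to the DC pool.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # Only used for realms with no kdc lines below; once a realm lists
    # a kdc, that list is authoritative and SRV records are not queried.
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        # KDCs are tried in the order written; each gets its own timeout
        # before the client moves on to the next entry.
        kdc = dc1.site1.example.com
        kdc = dc2.site1.example.com
        # Placeholder fallback: the round-robin name global DNS hands out
        # (assumes the AD domain name resolves to the whole DC pool).
        kdc = example.com
        admin_server = dc1.site1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

    Verify the resulting order with `KRB5_TRACE=/dev/stderr kinit user@EXAMPLE.COM`, which logs each KDC the client sends a request to.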


    Related Question

    linux - Likewise on Ubuntu - domain user sometimes disappears from Login Screen
  • meowsqueak

    I'm using Likewise to authenticate to a Windows Domain on a laptop running Ubuntu 10.04. Everything seems to be working well, except for one thing.

    Normally, after the machine boots, I am presented with a login screen (gdm, I think) that lists a few accounts. My personal account is not listed in /etc/passwd but it usually appears, and I just click on it, type password, and log in.

    But about 50% of all boots result in my login name missing from the gdm list. If I click "Other..." and enter my username, or my DOMAIN\username, authentication is always denied. I am unable to log in with that user at all, although other 'local' users do work.

    The current workaround seems to be to reboot the laptop and with any luck the next time gdm starts, my username is visible and I can log in.

    I've already tried a few suggestions:

    • set ntp time source to the same server as the Domain Controller, as there are suggestions the Kerberos client is very strict in terms of timing. This didn't seem to resolve the problem
    • create a local user account with the same uid. This results in my name always appearing in the gdm user list, but still about half the time my authentication attempt is denied and I have to reboot

    That second point especially seems to suggest to me that something behind-the-scenes is failing to initialise properly after boot. Leaving it alone for several minutes does not change the behaviour - only a reboot seems to fix it.

    After a failed login, /var/log/auth.log reports:

    gdm-session-worker[1477]: pam_succeed_if(gdm:auth): error retrieving information about user <DOMAIN>\<username>
    gdm-session-worker[1477]: pam_unix(gdm:auth): check pass; user unknown
    gdm-session-worker[1477]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
    

    Also, in /var/log/syslog, I see:

    gdm-session-worker[1477]: [module:pam_lsass]pam_sm_authenticate error [login:<DOMAIN>\<username>][error code:2]
    

    A little more digging: it seems that when the usernames disappear, the lsassd process has refused to start. Also, in this situation, trying to restart lsassd fails, but I can't find a way to diagnose this. But it does seem that the above problem is caused by (or at least related to) the inability of lsassd to start.


    Later...

    After determining that lsassd isn't starting, I tried running it manually from the console with:

    $ sudo /usr/sbin/lsassd --loglevel debug
    

    This seems to run for about 12 seconds and produces this output:

    20100804112201:VERBOSE:0x7fd589e03760:[lsassd_main() libmain.c:132] Logging started
    20100804112201:INFO:0x7fd589e03760:[LsaSrvVerifyNetLogonStatus() libmain.c:364] LsaSrvVerifyNetLogonStatus call to LWNet API returned 2
    20100804112201:DEBUG:0x7fd589e03760:[LsaSrvVerifyNetLogonStatus() libmain.c:365] Error code: 2 (symbol: ERROR_FILE_NOT_FOUND)
    
     -- repeats 11 times --
    
    20100804112213:ERROR:0x7fd589e03760:[LsaSrvStartupPreCheck() libmain.c:307] LSA start up pre-check failed to be able to use NetLogonD after 12 seconds of waiting [Code:40116]
    20100804112213:DEBUG:0x7fd589e03760:[LsaSrvStartupPreCheck() libmain.c:308] Error code: 40116 (symbol: LW_ERROR_FAILED_STARTUP_PREREQUISITE_CHECK)
    20100804112213:ERROR:0x7fd589e03760:[LsaSrvStartupPreCheck() libmain.c:350] LSA Process exiting due to error checking hostname at startup [Code:40116]
    20100804112213:DEBUG:0x7fd589e03760:[lsassd_main() libmain.c:158] Error code: 40116 (symbol: LW_ERROR_FAILED_STARTUP_PREREQUISITE_CHECK)
    20100804112213:ERROR:0x7fd589e03760:[lsassd_main() libmain.c:240] LSA Process exiting due to error [Code:40116]
    20100804112213:DEBUG:0x7fd589e03760:[LsaSrvLogServiceFailureEvent() lsaevent.c:338] Error code: 382312514 (symbol: )
    20100804112213:VERBOSE:0x7fd589e03760:[LsaSrvLogServiceFailureEvent() lsaevent.c:357] Failed to post service failure event.
    20100804112213:VERBOSE:0x7fd589e03760:[LsaSrvLogServiceFailureEvent() lsaevent.c:358] Error code: [382312514]
    20100804112213:VERBOSE:0x7fd589e03760:[lsassd_main() libmain.c:208] Lsa main cleaning up
    20100804112213:INFO:0x7fd589e03760:[lsassd_main() libmain.c:224] LSA Service exiting...
    

    Looking at the libmain.c source code, the first error seems to be directly after calling the function:

    LWNetGetCurrentDomain()
    

    Some sort of problem talking to the Domain Controller perhaps? How would one go about debugging LWNet?

