Bug 1496307 - krb5kdc does not start only after a restart of samba.service
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 27
Hardware: x86_64
OS: Linux
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-09-27 03:50 UTC by linforpros
Modified: 2018-10-04 08:29 UTC (History)

Fixed In Version: samba-4.8.3-1.fc28
: 1525230 (view as bug list)
Last Closed: 2018-10-04 08:06:52 UTC
Type: Bug


Attachments
boot sequence with samba.service with After= standard (199.61 KB, text/x-vhdl), 2017-12-06 18:06 UTC, Dario Lesca
boot sequence with samba.service with After= + NetworkManager.service (167.10 KB, text/x-vhdl), 2017-12-06 18:08 UTC, Dario Lesca
boot sequence with samba.service with After= + named.service (173.49 KB, text/x-vhdl), 2017-12-06 18:08 UTC, Dario Lesca


Links
System ID Private Priority Status Summary Last Updated
Samba Project 13184 0 None None None 2017-12-12 07:40:48 UTC

Description linforpros 2017-09-27 03:50:51 UTC
Description of problem:
"krb5kdc -n" does not get started, only after restarting samba.service.
One has to do that after a reboot at least once. 
Samba service is enabled and starts ok, but "krb5kdc -n" does not show
when called with:

[root@feddc ~]# ps axf | grep samba -A1
 9069 pts/0    S+     0:00              \_ grep --color=auto samba -A1
  568 ?        Ssl    0:00 /usr/lib/polkit-1/polkitd --no-debug
--
 9019 ?        Ss     0:00 /usr/sbin/samba
 9020 ?        S      0:00  \_ /usr/sbin/samba
 9022 ?        S      0:00  |   \_ /usr/sbin/samba
 9026 ?        Ss     0:00  |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
--
 9021 ?        S      0:00  \_ /usr/sbin/samba
 9023 ?        S      0:00  \_ /usr/sbin/samba
 9024 ?        S      0:00  \_ /usr/sbin/samba
 9025 ?        S      0:00  \_ /usr/sbin/samba
 9027 ?        S      0:00  \_ /usr/sbin/samba
 9028 ?        S      0:00  \_ /usr/sbin/samba
 9030 ?        S      0:00  |   \_ /usr/sbin/samba
 9032 ?        S      0:00  |       \_ /usr/sbin/krb5kdc -n
 9029 ?        S      0:00  \_ /usr/sbin/samba
 9031 ?        S      0:00  \_ /usr/sbin/samba
 9034 ?        S      0:00  |   \_ /usr/sbin/samba
 9037 ?        Ss     0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
--
 9033 ?        S      0:00  \_ /usr/sbin/samba
 9035 ?        S      0:00  \_ /usr/sbin/samba
 9038 ?        S      0:00  \_ /usr/sbin/samba
 9039 ?        S      0:00  \_ /usr/sbin/samba


The above "grep" example has been executed after a restart of samba.service and shows krb5kdc as running.
Without krb5kdc running it is impossible to do a test of
"kinit administrator" which results in 
[root]#kinit administrator
kinit: Cannot contact any KDC for realm 'DC-STATIC.LUUFORPROS.COM' while
getting initial credentials


Version-Release number of selected component (if applicable):
[root@feddc ~]# rpm -q samba samba-dc krb5-server
samba-4.7.0-12.fc27.x86_64
samba-dc-4.7.0-12.fc27.x86_64
krb5-server-1.15.1-28.fc27.x86_64




How reproducible:


Steps to Reproduce:
1. deploy successfully samba ADDC with samba-tool
2. enable and start samba.service
3. test kinit administrator

Actual results:
no "/usr/sbin/krb5kdc -n" as a child of samba process

Expected results:
\_ /usr/sbin/samba
   \_ /usr/sbin/krb5kdc -n

Additional info:

Without the krb5kdc process started one cannot get KDC contacted and no tickets are distributed.

KRB5_TRACE=/dev/stdout kinit administrator
[842] 1506482982.553135: Getting initial credentials for administrator@DC-STATIC.UOLFORPROS.COM
[842] 1506482982.553137: Sending request (205 bytes) to DC-STATIC.UOLFORPROS.COM
[842] 1506482982.553138: Resolving hostname feddc.dc-static.uolforpros.com.
[842] 1506482982.553139: Sending initial UDP request to dgram 192.168.0.30:88
[842] 1506482982.553140: Resolving hostname feddc.dc-static.uolforpros.com.
[842] 1506482982.553141: Initiating TCP connection to stream 192.168.0.30:88
[842] 1506482982.553142: Terminating TCP connection to stream 192.168.0.30:88
kinit: Cannot contact any KDC for realm 'DC-STATIC.UOLFORPROS.COM' while getting initial credentials

[root@feddc ~]# firewall-cmd --list-ports
80/tcp 88/tcp 389/tcp 389/udp 53/tcp 53/udp 88/udp 135/tcp 137/udp 138/udp 139/tcp 445/tcp 464/tcp 464/udp 636/tcp 49152-65535/tcp 3268/tcp 3269/tcp

Thanks for hints or fixes

Comment 1 linforpros 2017-09-27 04:20:50 UTC
Systemctl status samba shows the following as well:

feddc samba[658]:   task_server_terminate: [KDC: no network interfaces configured]

It seems to correspond to samba/source4/kdc/kdc-service-mit.c

/* Load interfaces for kpasswd */
	load_interface_list(task, task->lp_ctx, &ifaces);
	if (iface_list_count(ifaces) == 0) {
		task_server_terminate(task,
				      "KDC: no network interfaces configured",
				      false);
		return;
	}


But I have no skills to fix it

Comment 2 Dario Lesca 2017-11-22 23:41:12 UTC
Same problem here:

[root@server-addc ~]# rpm -q samba samba-dc krb5-server
samba-4.7.1-0.fc27.x86_64
samba-dc-4.7.1-0.fc27.x86_64
krb5-server-1.15.2-4.fc27.x86_64

This happens always after a server reboot:

[root@server-addc ~]# kinit administrator
kinit: Cannot contact any KDC for realm 'DOGMA-TO.LOC' while getting initial credentials
[root@server-addc ~]# klist -e
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@server-addc ~]# systemctl status samba
● samba.service - Samba AD Daemon
   Loaded: loaded (/usr/lib/systemd/system/samba.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-11-23 00:14:26 CET; 1min 1s ago
 Main PID: 816 (samba)
   Status: "smbd: ready to serve connections..."
    Tasks: 18 (limit: 4915)
   CGroup: /system.slice/samba.service
           ├─816 /usr/sbin/samba
           ├─866 /usr/sbin/samba
           ├─867 /usr/sbin/samba
           ├─869 /usr/sbin/samba
           ├─870 /usr/sbin/samba
           ├─871 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─872 /usr/sbin/samba
           ├─875 /usr/sbin/samba
           ├─877 /usr/sbin/samba
           ├─878 /usr/sbin/samba
           ├─879 /usr/sbin/samba
           ├─880 /usr/sbin/samba
           ├─881 /usr/sbin/samba
           ├─882 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─933 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─934 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─935 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           └─936 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

nov 23 00:14:26 server-addc.dogma-to.loc samba[874]:   task_server_terminate: [KDC: no network interfaces configured]
nov 23 00:14:26 server-addc.dogma-to.loc systemd[1]: Started Samba AD Daemon.
nov 23 00:14:26 server-addc.dogma-to.loc samba[816]: [2017/11/23 00:14:26.839804,  0] ../lib/util/become_daemon.c:124(da
nov 23 00:14:26 server-addc.dogma-to.loc samba[816]:   STATUS=daemon 'samba' finished starting up and ready to serve con
nov 23 00:14:27 server-addc.dogma-to.loc winbindd[882]: [2017/11/23 00:14:27.178668,  0] ../source3/winbindd/winbindd_ca
nov 23 00:14:27 server-addc.dogma-to.loc winbindd[882]:   initialize_winbindd_cache: clearing cache and re-creating with
nov 23 00:14:27 server-addc.dogma-to.loc winbindd[882]: [2017/11/23 00:14:27.488890,  0] ../lib/util/become_daemon.c:124
nov 23 00:14:27 server-addc.dogma-to.loc winbindd[882]:   STATUS=daemon 'winbindd' finished starting up and ready to ser
nov 23 00:14:27 server-addc.dogma-to.loc smbd[871]: [2017/11/23 00:14:27.619248,  0] ../lib/util/become_daemon.c:124(dae
nov 23 00:14:27 server-addc.dogma-to.loc smbd[871]:   STATUS=daemon 'smbd' finished starting up and ready to serve conne


If I restart samba and rerun kinit, everything works fine:

[root@server-addc ~]# klist -e
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@server-addc ~]# kinit administrator
Password for administrator@DOGMA-TO.LOC: 
[root@server-addc ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOGMA-TO.LOC

Valid starting       Expires              Service principal
23/11/2017 00:18:58  23/11/2017 10:18:58  krbtgt/DOGMA-TO.LOC@DOGMA-TO.LOC
        renew until 24/11/2017 00:18:51, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 

Any suggestions?

Comment 3 Dario Lesca 2017-11-23 00:10:06 UTC
I have tried modifying the After= parameter in samba.service like this:

After=syslog.target network.target NetworkManager.service named.service

(wait for NetworkManager.service and named.service)

and now when I restart my server, samba starts properly.

Can this simple modification be a solution?

Thanks

Dario

Comment 4 Sergio Basto 2017-11-26 18:30:08 UTC
Move to the right component; samba4's last commit was in 2012.

Comment 5 Andreas Schneider 2017-12-06 13:35:42 UTC
Shouldn't network.target be enough?

Comment 6 Dario Lesca 2017-12-06 18:06:50 UTC
Created attachment 1363818 [details]
boot sequence with samba.service with After= standard

Comment 7 Dario Lesca 2017-12-06 18:08:05 UTC
Created attachment 1363819 [details]
boot sequence with samba.service with After= + NetworkManager.service

Comment 8 Dario Lesca 2017-12-06 18:08:52 UTC
Created attachment 1363820 [details]
boot sequence with samba.service with After= + named.service

Comment 9 Dario Lesca 2017-12-06 18:09:29 UTC
No.
I have tried adding only NetworkManager.service, but it's not sufficient.

The trick is to add named.service (or a pre-exec command that sleeps for some seconds), because MIT Kerberos, started from the samba service, wants the network interface up.

I have noticed that when starting samba after named, Kerberos found the interface up and ready. I do not know why the interface becomes ready after a while...

I attach the 3 kinds of boot: After standard, After with NM and After with named.

NOTE: SELinux is permissive because there is an SELinux conflict between samba + named + winbind
https://bugzilla.redhat.com/show_bug.cgi?id=1476187

Comment 10 Andreas Schneider 2017-12-11 14:19:14 UTC
Could you please test with the following change:

--- a/packaging/systemd/samba.service
+++ b/packaging/systemd/samba.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Samba AD Daemon
-After=syslog.target network.target
+Wants=network-online.target
+After=syslog.target network.target network-online.target
 
 [Service]
 Type=notify
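Review bot: the new After= line keeps syslog.target and network.target next to network-online.target, and nothing in the unit says why the stronger target is needed. Suggest a one-line comment above Wants= noting that the KDC task exits with "KDC: no network interfaces configured" when no interface is up at start, so the dependency is not dropped later as redundant. Wants= and After= should stay paired: After= alone only orders against network-online.target when something else pulls it in, and the target only delays startup when the wait-online service of the network stack in use is enabled.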

Comment 11 Dario Lesca 2017-12-11 15:09:02 UTC
I have tried this patch and now, when I stop/start the server, everything works fine.

I have removed my workaround and replaced the original samba.service file.

Then I tried to stop and start the addc server: krb5kdc won't start, with the "KDC: no network interfaces configured" error, as expected.

Then I added the "network-online.target" string to After= without adding the Wants= directive.

I stopped the server and started it, and krb5kdc started and everything worked fine.

Then I also added the Wants= directive, and the story is the same: krb5kdc starts correctly.

I think the first modification (network-online.target) is sufficient.

At this point I removed the Wants= directive and tried to stop/start the server many times, and krb5kdc always started.

NOTE:
a) after all modifications to samba.service I ran "systemctl daemon-reload",
b) a reboot alone is not sufficient to check the problem; the server must be stopped and started, because the server is a KVM/QEMU virtual server and the problem occurs when the host destroys and recreates the interface for the virtual server.

Many thanks Andreas, I hope this helps.

Dario

Comment 12 Andreas Schneider 2017-12-12 07:28:56 UTC
Wants= is needed so that systemd checks that the specified service is running/enabled.

Robbie, I think you want to add the changes from comment #10 also to krb5kdc.service.

Comment 13 Dario Lesca 2017-12-12 08:43:48 UTC
(In reply to Andreas Schneider from comment #12)
> Wants= is needed so that systemd checks that the specified service is
> running/enabled.

OK, thanks for the clarification.
Now I have also added Wants= to my samba.service.

> External Bug ID: Samba Project 13184
https://bugzilla.samba.org/show_bug.cgi?id=13184

Now I'm waiting for the official fix

Thanks
Dario

Comment 14 Dario Lesca 2017-12-13 16:58:22 UTC
In this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1525230
this problem has been fixed.

When will it also be fixed in samba-dc for Fedora 27?

Thanks
Dario

Comment 15 Dario Lesca 2018-04-27 15:28:09 UTC
Any news?

Comment 16 Andreas Schneider 2018-08-01 13:54:42 UTC
I think this has only been fixed in f28.

Comment 17 Dario Lesca 2018-08-01 14:46:00 UTC
Yes, I can confirm:

[lesca@dodo ~]$ rpm -q samba-dc
samba-dc-4.8.3-2.fc28.x86_64

[lesca@dodo tmp]$ head /usr/lib/systemd/system/samba.service
[Unit]
Description=Samba AD Daemon
Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=notify
NotifyAccess=all
PIDFile=/run/samba.pid

Many thanks to all

Dario
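
A check for the dependency pair discussed in comments 10 to 12, as an added example that is not part of the original thread or of Samba's packaging: it reports whether a unit file's [Unit] section both pulls in (Wants= or Requires=) and orders itself after (After=) network-online.target. The function name, verdict words and sample unit fragments are constructed for illustration; drop-in directories and backslash line continuations are not handled.

```shell
#!/bin/sh
# Added example, not from the bug report. check_network_online and its
# verdict words (ok, ordering-only, pull-only, missing) are illustrative names.

check_network_online() {
    # $1: path to a unit file. Prints a verdict; returns 0 only for "ok".
    verdict=$(awk '
        /^[ \t]*[#;]/ { next }                 # comment lines
        /^[ \t]*\[/   { in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/); next }
        !in_unit      { next }                 # only [Unit] carries these keys
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", key)
            # dependency lists accumulate across repeated assignments
            n = split(substr($0, eq + 1), unit, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (unit[i] == "network-online.target") has[key] = 1
        }
        END {
            pull  = has["Wants"] || has["Requires"]
            order = has["After"]
            if (pull && order) print "ok"
            else if (order)    print "ordering-only"
            else if (pull)     print "pull-only"
            else               print "missing"
        }' "$1")
    echo "$verdict"
    [ "$verdict" = "ok" ]
}

# Constructed samples: the unit before the change in comment 10, the
# After=-only variant tried in comment 11, and the patched unit.
demo_dir=$(mktemp -d)
printf '[Unit]\nAfter=syslog.target network.target\n[Service]\nType=notify\n' > "$demo_dir/before.service"
printf '[Unit]\nAfter=syslog.target network.target network-online.target\n' > "$demo_dir/after-only.service"
printf '[Unit]\nWants=network-online.target\nAfter=syslog.target network.target network-online.target\n' > "$demo_dir/patched.service"
for unit_file in "$demo_dir"/*.service; do
    printf '%s: ' "${unit_file##*/}"
    check_network_online "$unit_file" || true
done
rm -rf "$demo_dir"
```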

Comment 18 Anoop C S 2018-10-04 08:06:52 UTC
Closing the bug report based on comment #17

