Hey folks - running into an issue with Samba DCs after upgrading from FreeBSD 13.x to 14.2-RELEASE.
TL;DR - Upgraded to 14.2; migrated from Heimdal to MIT; DCs rejoin successfully but showrepl fails with Kerberos errors. Only working DC is still on 13.4.

First, this is complex and I know folks will want to suggest the entire upgrade path was a mistake. I'm sure that's true, but we're in rescue mode at this point so I'd appreciate help troubleshooting.
Background
Since Heimdal is deprecated in FreeBSD 14.x, I built Samba 4.20, BIND 9.20, and FreeRADIUS3 from ports using MIT Kerberos. The builds were successful and each DC was demoted then re-promoted. Upon rejoin, everything syncs initially, but replication status checks fail.
The Problem
On FreeBSD 14.2 DCs:
Code:
# samba-tool drs showrepl
Wrong username or password: kinit for YELLOWSTONE$@DZSEC.NET failed (Client not found in Kerberos database)
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (3221356597, 'The operation cannot be performed.')
However:
- The machine account exists and has correct SPNs
- Manual replication works:
  samba-tool drs replicate yellowstone showdown DC=dzsec,DC=net (succeeds)
- Basic domain operations work (authentication, user management, etc.)
- The keytab contains all required principals with proper encryption types
What I've Tried
1. Moved base Heimdal utilities out of the way:
Code:
mv /usr/bin/kinit /usr/bin/kinit.heimdal
mv /usr/bin/klist /usr/bin/klist.heimdal
mv /usr/bin/krb5-config /usr/bin/krb5-config.heimdal
2. Verified MIT Kerberos is in use:
Code:
# which kinit
/usr/local/bin/kinit
3. Can authenticate using the keytab when forcing a specific KDC:
Code:
# export KRB5_CONFIG=/tmp/krb5.conf # Points to working DC
# kinit -k -t /var/db/samba4/private/secrets.keytab YELLOWSTONE\$@DZSEC.NET
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: YELLOWSTONE$@DZSEC.NET
4. RPC services are running and responsive:
Code:
# rpcclient -U administrator localhost -c "enumdomains"
name:[DZSEC] idx:[0x0]
name:[BUILTIN] idx:[0x1]
Key Observations
The ONLY difference between working and non-working DCs:
- Working DC: FreeBSD 13.4 with OpenSSL 1.1.1w
- Non-working DCs: FreeBSD 14.2 with OpenSSL 3.0.16
Both have identical Samba builds and dependencies (verified with
pkg info -d samba420).

The Error Pattern
- Local KDC doesn't recognize its own machine account
- DRS RPC interface fails with NT_STATUS_UNSUCCESSFUL
- showrepl fails but actual replication might be working
- Error in logs: "DsReplicaGetInfo: Failed to forward request to kccsrv task"
Questions
- Could this be an OpenSSL 3.0 compatibility issue with Samba's RPC/DRS services?
- Has anyone successfully run Samba DCs on FreeBSD 14.x?
- Is there a way to build Samba against openssl111 on FreeBSD 14.x?
- Any other troubleshooting suggestions?