trying to resolve kerberos.localdomain

[lsblk]

Currently running Promox 7 on two machines. One is NUC that mounts SMB/CIFS from within Proxmox to the other machine that's rather old but serves mostly as a storage/fileserver (via Samba shares) with Debian 11 and Proxmox 7 installed on top of that due to requirements I have with mdadm raid.
The NUC with Proxmox mounts some of the Samba shares. This way I can mount the share into a CT via Mountpoint.
I've configured it via the Pool View > Datacenter > Storage menu. MP I just did with editing the LXC config of the CT.

I have however notices something rather strange. The Proxmox host (NUC) is sending a lot of DNS queries (I'm pihole to manage DNS resovling running on an pi). About 20~30 requests every 5 seconds. The domains being requested:

• kerberos.localdomain
• _kerberos._tcp.localdomain
• _kerberos._udp.localdomain
• _kerberos._http.localdomain
• kerberos-1.localdomain
• kerberos-2.localdomain
• kerberos-3.localdomain
• kerberos-4.localdomain

Where localdomain is my domain that I configured and does resolve to my homenetwork (even externally). I have not configured kerberos on the Samba server btw.

Unmounted and removed my CIFS storage does stop the requests. I did remove and readd the entry in Storage for the SMB/CIFS mount (leaving the domain option blank, previously this held my domain). That however did not resolve the issue.

Currently using this on my NUC:

• Kernel Version: Linux 5.11.22-5-pve #1 SMP PVE 5.11.22-10 (Tue, 28 Sep 2021 08:15:41 +0200)
• PVE Manager Version: pve-manager/7.0-13/7aa7e488

Any help would be much appreciated.

 

[lundqma1971]

Had this very same issue with pve-7, the NAS used was unRAID.

 

[lsblk]

Had this very same issue with pve-7, the NAS used was unRAID.

Did you resolve it or is it still on going?

 

[lundqma1971]

Did you resolve it or is it still on going?

Worked around the issue, as I was unable to resolve. Shares used by my Proxmox instance are now all NFS. Are you using unRAID, or do you use an other NAS product?

 

[lsblk]

Worked around the issue, as I was unable to resolve. Shares used by my Proxmox instance are now all NFS. Are you using unRAID, or do you use an other NAS product?

Ah yeah I guess that would solve it for you, albeit it not the actually underlying problem itself. I'm using an older server for storage running Debian 11 with Proxmox on top of it. I configured samba myself.

 

[lundqma1971]

Ah yeah I guess that would solve it for you, albeit it not the actually underlying problem itself. I'm using an older server for storage running Debian 11 with Proxmox on top of it. I configured samba mysel

It's a data point though, our NAS environments are different (although both Linux), and we both experience the kerberos issue only with Proxmox, correct? So something with Proxmox' implementation of CIFS, that was not in v6, but started in v7...

 

[lsblk]

It's a data point though, our NAS environments are different (although both Linux), and we both experience the kerberos issue only with Proxmox, correct? So something with Proxmox' implementation of CIFS, that was not in v6, but started in v7...

I never ran v6 but yes to the rest.

 

[lsblk]

Not a lot of help from here (lundqma being the exception), so I made a sort of workaround. I've removed the two CIFS/SMB mounts I had configured via the webinterface (Pool View > Datacenter > Storage menu) and add them manually in the /etc/fstab. Same SMB mounts and settings.
# CIFS/SMB mount //<server>/<share> /mnt/pve/<share> cifs vers=3.0,noauto,uid=1000,gid=1000,x-systemd.automount,credentials=/root/.smbcredentials

The spammy dns requests are gone.

 

[drpsycho]

Edit:

After 12 hrs of running this solution i can absolutely proof that this works.
No more queries since than.

*************

Had the same issue, deleted my two smb shares and no more queries for proxmox.localdomain.

Then i remounted one by another smb share with one exception in the settings: leave the field “Domain”
empty and did not fill it as before with my local domain “fritz.box”.

And that was the solution! No more queries to kerberos.fritz.box.

I think that’s because Proxmox wants to authenticate the full domain and tries to contact
the domain kerberos service witch is not available.

Feel free to do so.

 

[pyr4m1d]

Late to this party but I'm just running into this issue myself. I hadn't noticed it at first because I had proxmox going direct to my pfsense router for DNS resolution, but recently switched my pfsense config to route all DNS traffic through my pihole. Then I saw the thousands of *kerberos* DNS requests when checking the pihole dashboard. I'm running proxmox 7.2-3 / 7.2-4 and using SMB/CIFS to access SMB shares on a TrueNAS Core 13.0 storage server.

Thank you drpsycho! Your simple fix seems to be the cure. Can confirm that once you remove the mapping the requests stop, and recreating the mapping with no domain name filled in stops the requests from returning. Thank you again!

Fix confirmed on:

Kernel Version Linux 5.15.35-1-pve #1 SMP PVE 5.15.35-3 (Wed, 11 May 2022 07:57:51 +0200)

PVE Manager Version pve-manager/7.2-4/ca9d43cc non-production repositories

 

[drpsycho]

Thank you drpsycho! Your simple fix seems to be the cure. Can confirm that once you remove the mapping the requests stop, and recreating the mapping with no domain name filled in stops the requests from returning. Thank you again!

…great that this tiny thing helped you ;-)

drpsycho

 

[Eschin]

Unfortunately, this solution did not work for me. No `Domain` field information, yet still a lot of DNS spam from my ProxMox servers using CIFS/SMB.

I didn't want to switch to NFS, so I just added an entry pointing each domain back to 127.0.0.1 in the server's /etc/hosts file. Essentially "blackholing" the DNS requests. A bit sloppy, but quicker than migrating from CIFS/SMB to NFS.

EDIT: I take it back. They disappeared for a short while, but then reappeared. May be forced to migrate to NFS to rid myself of them, apparently....

 

[Eschin]

Some good news on this;

I recently upgraded from `7.4.17` to `8.1.3` on my proxmox nodes, and these DNS requests seem to have gone way down in frequency. They're still getting sent out, but pre-8.1.3, they were requesting this DNS over 1000 times every 15 minutes. That's down to about 100 now. Improvement