
Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch




On Mon, 2017-06-19 at 22:13 +0200, Prunk Dump via samba wrote:
> Hello Samba team !
> 
> I'm in a very delicate situation. After an upgrade to Debian Stretch
> my DRS stopped working.

Have you ever had MIT krb5 installed, or is krb5kdc now running?

Samba doesn't use /etc/krb5.keytab, so this may be related to some
previous install (or may be related to how you are trying to use NFS). 


> 
> This seems to be a computer account problem. But I can't find any
> problem in Kerberos :
> 
> 
>  --------------------------------
> # kinit -k FICHDC$
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR

Can you do this against the secrets.keytab in Samba's private/ dir?

You can reset the Samba machine account pw with
./source4/scripting/devel/chgtdcpass, but:
 - it won't be packaged so you will have to build Samba and tell it to
operate against the right paths
 - it shouldn't be needed, upgrades shouldn't break this, and
understanding the root cause would be better

Does 'samba-tool time -P' work?  Is it any different with 'samba-tool
time -P -k no'?  (It seems your issue is related primarily to Kerberos
and a keytab out of sync somehow). 

> Valid starting       Expires              Service principal
> 19/06/2017 22:05:54  20/06/2017 08:05:54
> krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>     renew until 20/06/2017 22:05:54
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab

As I mention above, this is the wrong keytab for a Samba DC.

> A big thanks if someone can help me !

I hope this helps, otherwise depending on the urgency you might need to
get some professional guidance.  It gets really stressful when the
network is down and we all know that can lead to mistakes.

Take care,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
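
The two checks asked for in the reply above (kinit against Samba's secrets.keytab instead of /etc/krb5.keytab, and 'samba-tool time -P' with and without Kerberos), written out as an added shell example that is not part of the original message or of Samba. The function names and the default PRIVATE_DIR (/var/lib/samba/private, the path assumed here for Debian's packaged Samba) are assumptions; set PRIVATE_DIR and MACHINE for your DC.

```shell
#!/bin/sh
# Added example. PRIVATE_DIR and MACHINE are assumptions, set them for your DC.
PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"   # assumed Debian package path
MACHINE="${MACHINE:-FICHDC\$}"                          # machine account from the thread

# kinit as the machine account from Samba's secrets.keytab, using a
# throwaway ticket cache so the existing /tmp/krb5cc_0 is not overwritten.
# Returns kinit's exit status, or 3 if the keytab cannot be read.
kinit_from_secrets_keytab() {
    keytab="$PRIVATE_DIR/secrets.keytab"
    [ -r "$keytab" ] || { echo "cannot read $keytab" >&2; return 3; }
    cache="$(mktemp)" || return 4
    kinit -k -t "$keytab" -c "FILE:$cache" "$MACHINE"
    rc=$?
    # Show the ticket only when kinit succeeded.
    [ "$rc" -eq 0 ] && klist -c "FILE:$cache"
    rm -f "$cache"
    return "$rc"
}

# Run the two 'samba-tool time' variants from the reply and report the pattern.
# Returns 0 if both work, 1 if only the Kerberos run fails, 2 otherwise.
compare_time() {
    krb=0; nokrb=0
    samba-tool time -P >/dev/null 2>&1 || krb=$?
    samba-tool time -P -k no >/dev/null 2>&1 || nokrb=$?
    if [ "$krb" -eq 0 ] && [ "$nokrb" -eq 0 ]; then
        echo "both runs work"; return 0
    elif [ "$krb" -ne 0 ] && [ "$nokrb" -eq 0 ]; then
        echo "fails only with Kerberos: consistent with a keytab out of sync"
        return 1
    fi
    echo "the run without Kerberos fails (exit codes: $krb with, $nokrb without)"
    return 2
}
```

Run both functions as root on the DC; neither changes the machine account password or any keytab.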

