Web lists-archives.com

Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch




Hai, 

Just saying samba does not use /etc/krb5.keytab is not totaly correct. 

A lot of setups use the setting : dedicated keytab file = /etc/krb5.keytab 
Because systemd defaults point to /etc/krb5.keytab. 

From his logs: 
Failed to find
FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5) 

And from his command (klist -k : Keytab name: FILE:/etc/krb5.keytab  ) the above server is found.
Only the HOST/SPN entry is missing. 

This looks like that :
dedicated keytab file = /etc/krb5.keytab  
was in smb.conf but is gone now, or a symlink is replaced by a keytab file /etc
I suspect last one due to the upgrade. 

In this case, export the spn's again and check if host/spn and NETBIOSNAME$@SPN exist. 
use ktutil to import all entries from both keytab files and export the one you need back.


Greetz, 

Louis





> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Andrew Bartlett via samba
> Verzonden: maandag 19 juni 2017 23:59
> Aan: Prunk Dump; samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] DRS stopped working after upgrade from 
> debian Jessie to Stretch
> 
> On Mon, 2017-06-19 at 22:13 +0200, Prunk Dump via samba wrote:
> > Hello Samba team !
> > 
> > I'am in a very delicate situation. After an upgrade to 
> debian Stretch 
> > my DRS stopped working.
> 
> Have you ever had MIT krb5 installed, or is krb5kdc now running?
> 
> Samba doesn't use /etc/krb5.keytab, so this may be related to 
> some previous install (or may be related to how you are 
> trying to use NFS). 
> 
> 
> > 
> > This seem to be a computer account problem. But I can't find any 
> > problem in Kerberos :
> > 
> > 
> >  --------------------------------
> > # kinit -k FICHDC$
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> 
> Can you do this against the secrets.keytab in Samba's private/ dir?
> 
> You can reset the Samba machine account pw with 
> ./source4/scripting/devel/chgtdcpass, but:
>  - it wont be packaged so you will have to build Samba and 
> tell it to operate against the right paths
>  - it shouldn't be needed, upgrades shouldn't break this, and 
> understanding the root cause would be better
> 
> Does 'samba-tool time -P' work?  It is any different with 
> 'samba-tool time -P -k no'?  (It seems you issue is related 
> primarily to kerberos and a keytab out of sync somehow). 
> 
> > Valid starting       Expires              Service principal
> > 19/06/2017 22:05:54  20/06/2017 08:05:54 
> > 
> krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR@xxxxxxx-GUILLAU
> ME-FICHET.AC-GRENOBLE.FR
> >     renew until 20/06/2017 22:05:54
> > # klist -k
> > Keytab name: FILE:/etc/krb5.keytab
> 
> As I mention above, this is the wrong keytab for a Samba DC.
> 
> > A big thank if someone can help me !
> 
> I hope this helps, otherwise depending on the urgency you 
> might need to get some professional guidance.  It gets really 
> stressful when then network is down and we all know that can 
> lead to mistakes.
> 
> Take care,
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          
> http://catalyst.net.nz/services/samba
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba