Web lists-archives.com

Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch

Hai Andrew,

No, your not blund. 
Its good you correct things like this, since english is not my native language, 
It can be a bit fuzzy to understand what i mean. 

> -----Oorspronkelijk bericht-----
> Van: Andrew Bartlett [mailto:abartlet@xxxxxxxxx] 
> Verzonden: dinsdag 20 juni 2017 21:29
> Aan: L.P.H. van Belle; samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] DRS stopped working after upgrade from 
> debian Jessie to Stretch
> On Tue, 2017-06-20 at 10:35 +0200, L.P.H. van Belle via samba wrote:
> > Hai,
> > 
> > Just saying samba does not use /etc/krb5.keytab is not 
> totaly correct. 
> As an AD DC, we don't use it.
> > A lot of setups use the setting : dedicated keytab file = 
> > /etc/krb5.keytab Because systemd defaults point to /etc/krb5.keytab.
> Sure, but that is not used by the AD DC. 
> > From his logs: 
> > Failed to find
> > FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> > 
> > And from his command (klist -k : Keytab name: 
> FILE:/etc/krb5.keytab  ) the above server is found.
> > Only the HOST/SPN entry is missing. 
> > 
> > This looks like that :
> > dedicated keytab file = /etc/krb5.keytab was in smb.conf 
> but is gone 
> > now, or a symlink is replaced by a keytab file /etc I 
> suspect last one 
> > due to the upgrade.
> I'm not disputing that the OP may have copied the keytab.  It 
> still won't change what path the Samba AD DC will use. 

Im not disputing that also, but im "guessing" what is changed between jessie and stretch. 
I found one old "thingy" that the debian maint wont fix. 
Example: install winbind only, and you get missing ldb modules thing, not that they are used but still. 
( missing samba-dsdb-modules ) 

Somehow in how the system defaults work and how samba was setup, created the problem at upgrade time. 
I suspect, something like, during the upgrade of jessie to stretch, at samba upgrade, 
Samba is updateing the ADDB, now its unknown how long this takes and what happens if you reboot the server
While the samba AD DB is still being updated.

> > In this case, export the spn's again and check if host/spn 
> and NETBIOSNAME$@SPN exist. 
> > use ktutil to import all entries from both keytab files and 
> export the one you need back.
> That won't change Samba to use /etc/krb5.keytab as an AD DC, 
> nor should it.  It might impact if NFS is in operation, but 
> that is a secondary task at this point. 

Now, i dont run my nfs v4 on my DC's, so did not encounter this. 
Thanks, good to know. 

> I'm being so blunt because:
>  - Samba is internally inconsistent on this point and
>  - Samba folklore spreads like wildfire
> Sorry,
No problems, comments from developers are most welkom and keeps thing more clear.

> Andrew Bartlett
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          
> http://catalyst.net.nz/services/samba

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba