
[Samba] KVNO in secrets.keytab for AD DC

Hello,

Some time ago I asked about updating from 4.5 -> 4.7 for DC's.

I've done it "the long way" and, maybe, not the safest.

What worries me is this:

I added those DCs with the same names they had previously (basically dc1 -> demote -> install fresh samba -> dc1 joins again as DC, with some editing in between). The secrets.keytab was created anew, but right now it has KVNO 2 instead of 1 (kind of supposed to happen, I guess, or I didn't clean something from LDAP after the demote?).

I don't know if it's an issue (so far I don't have any errors), but I understand that the way I upgraded wasn't the most obvious one.

The way I upgraded:

In 4.5 I got hit by the replication bug that changed cn=... to CN=... for all the replicated data, which didn't actually mean all that much, but meant that all "ldapcmp" queries returned tons of errors.

So, following the advice I earlier got here, I made a semi-fresh start, that is (to make it short):

- demote DC
- move all old samba files to some temp folder
- install "fresh" samba 4.7.4 (compiled myself)
- add the machine again to the domain as DC (basically all steps from the WIKI)
- allow it to replicate all the data from the working DCs

From the "old installation" I cherry-picked smb.conf and the TLS files (since the hostname was the same).


This way I have the same IP/hostname, and the database is without those errors.


In the end, when running:

samba-tool drs showrepl

or

samba-tool ldapcmp ldap://dc1 ldap://dc2 (or dc1 - dc3 or dc2 - dc2) I get NO errors.

Everything works fine so far (adding users, changing passwords, etc.).

Basically everything seems fine now, but maybe something somewhere expects/requires the DC$ machine account to have KVNO=1 and won't accept KVNO=2?


Any input would be great!


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
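A check that bears on the question above, added here as an example and not taken from the thread or from Samba itself: what Kerberos needs is that the key version in secrets.keytab equals msDS-KeyVersionNumber on the DC's computer object in sam.ldb, not that it be 1; a mismatch is what produces "key version number ... incorrect" failures. The script compares the two; the /usr/local/samba paths are an assumption for a self-compiled install, and the two listings are constructed samples standing in for real command output.

```shell
#!/bin/sh
# Added example: cross-check the KVNO in secrets.keytab against the
# msDS-KeyVersionNumber of the DC's computer account.
# Assumed layout of a self-compiled Samba AD DC:
PRIVATE=/usr/local/samba/private

# On a live DC the two listings come from (as root):
#   klist -ket "$PRIVATE/secrets.keytab"
#   ldbsearch -H "$PRIVATE/sam.ldb" '(sAMAccountName=DC1$)' msDS-KeyVersionNumber
# The constructed samples below stand in for that output so the check runs offline.
KLIST_SAMPLE='Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2018 12:00:00 DC1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2018 12:00:00 DC1$@EXAMPLE.COM (arcfour-hmac)
   2 01/01/2018 12:00:00 host/dc1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

LDB_SAMPLE='# record 1
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
msDS-KeyVersionNumber: 2

# returned 1 records'

# Highest KVNO that a klist -ket listing holds for the given principal (0 if none).
keytab_kvno() {   # $1 = klist output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i == p && $1 + 0 > max) max = $1 + 0 }
         END { print max + 0 }'
}

# msDS-KeyVersionNumber from an ldbsearch result (empty if the attribute is absent).
account_kvno() {  # $1 = ldbsearch output
    printf '%s\n' "$1" | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2; exit }'
}

# 0 when the keytab carries the account's current key version, 1 otherwise.
# The absolute value (1 or 2) is irrelevant; only agreement matters.
check_kvno() {    # $1 = klist output, $2 = ldbsearch output, $3 = principal
    kt=$(keytab_kvno "$1" "$3")
    ad=$(account_kvno "$2")
    [ -n "$ad" ] && [ "$kt" -eq "$ad" ]
}

if check_kvno "$KLIST_SAMPLE" "$LDB_SAMPLE" 'DC1$@EXAMPLE.COM'; then
    echo "secrets.keytab KVNO matches msDS-KeyVersionNumber"
else
    echo "KVNO MISMATCH between secrets.keytab and AD" >&2
fi
```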