[Samba] KVNO in secrets.keytab for AD DC
- Date: Sun, 31 Dec 2017 20:50:30 +0100
- From: Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] KVNO in secrets.keytab for AD DC
Some time ago I asked about updating from 4.5 -> 4.7 for DCs.
I've done it "the long way", and maybe not the safest.
What worries me is this:
I added those DCs with the same names they had previously (basically dc1 ->
demote -> install fresh Samba -> dc1 joins again as DC, with some editing
in between). The secrets.keytab was created anew, but right now it has
KVNO 2 instead of 1 (kind of supposed to happen I guess, or did I not
clean something from LDAP after the demote?)
I don't know if it's an issue (so far I don't have any errors), but I
understand that the way I upgraded wasn't the most obvious one.
The way I upgraded:
In 4.5 I got hit by the replication bug that changed cn=... to
CN=.... for all the replicated data, which didn't actually mean all
that much, but meant that all "ldapcmp" queries returned tons of errors.
So, following the advice I earlier got here, I made a semi-fresh start,
that is (to make it short):
- demote DC
- move all old samba files to some temp folder
- install "fresh" samba 4.7.4 (compiled myself)
- add machine again to domain as DC (basically all steps from the WIKI)
- allow it to replicate all the data from working DC's
From the "old installation" I cherry-picked smb.conf and the TLS files (since
the hostname was the same).
This way I have the same IP/hostname, and the database is without those errors.
In the end, when running:
samba-tool drs showrepl
samba-tool ldapcmp ldap://dc1 ldap://dc2 (or dc1 - dc3 or dc2 - dc2) I
get NO errors.
Everything works fine so far (adding users, changing passwords, etc.).
Basically everything seems fine now, but maybe something somewhere
expects/requires the DC$ machine account to have KVNO=1 and won't accept KVNO=2?
Any input would be great!
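One consistency check a practitioner would run after such a re-join, added here as an example and not part of the original post or of Samba's own tooling: compare the KVNO of the DC machine account in secrets.keytab with the msDS-KeyVersionNumber attribute on its computer object in sam.ldb. It assumes MIT `klist -k` output format, the default Samba private-directory paths, and a constructed realm AD.EXAMPLE.COM with host dc1.

```shell
#!/bin/sh
# Added example, not from the original post: compare the KVNO of the DC machine
# account in secrets.keytab with msDS-KeyVersionNumber on its computer object.
# Paths, realm and host names are assumptions for a typical Samba AD DC install.
KEYTAB="${KEYTAB:-/var/lib/samba/private/secrets.keytab}"
SAMDB="${SAMDB:-/var/lib/samba/private/sam.ldb}"

# keytab_kvno KLIST_OUTPUT PRINCIPAL
# Prints the highest KVNO listed for PRINCIPAL in MIT `klist -k` output, where
# entries look like "   2 DC1$@AD.EXAMPLE.COM" after the two header lines.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# kvno_matches KEYTAB_KVNO LDAP_KVNO
# Succeeds when both sides agree. If the directory is ahead of the keytab, this
# DC cannot decrypt tickets issued with the current key version.
kvno_matches() {
    [ "$1" -eq "$2" ]
}

# live_check PRINCIPAL SAMACCOUNTNAME: run the comparison on a real DC.
live_check() {
    kt=$(keytab_kvno "$(klist -k "$KEYTAB")" "$1")
    ld=$(ldbsearch -H "$SAMDB" "(sAMAccountName=$2)" msDS-KeyVersionNumber |
        awk '/^msDS-KeyVersionNumber:/ { print $2 }')
    if kvno_matches "$kt" "${ld:-0}"; then
        echo "KVNO consistent: keytab=$kt directory=$ld"
    else
        echo "KVNO MISMATCH: keytab=$kt directory=${ld:-none}"
        return 1
    fi
}

# Constructed sample of `klist -k` output after a demote and re-join (KVNO 2).
SAMPLE_KLIST='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 DC1$@AD.EXAMPLE.COM
   2 host/dc1.ad.example.com@AD.EXAMPLE.COM'

# Only touch the real installation when the tools and keytab are present.
if [ -r "$KEYTAB" ] && command -v klist >/dev/null 2>&1 \
   && command -v ldbsearch >/dev/null 2>&1; then
    live_check 'DC1$@AD.EXAMPLE.COM' 'DC1$'
fi
```

A KVNO that is higher than 1 but equal on both sides is simply the result of the account's key having been reset at the re-join; only a mismatch between keytab and directory needs fixing.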