
Re: [Samba] Failed to find DC in keytab, gpupdate fails




Hi, 

I suggest you post this to samba@xxxxxxxxxxxxxx, that list is more for these questions. 

Try this setting in resolv.conf 

search domain.net.pl
nameserver 10.1.10.11		# IP of DC itself.
#nameserver 			# and extra nameserver that has access to the DC dns info. (a second dc maybe)
nameserver 8.8.8.8		# IP of forwarder in SMB.conf as backup for internet access.
# and max 3 nameservers in resolv.conf. 

Stop samba and start it again, and check again. 


Greetz, 

Louis

> -----Original message-----
> From: samba-technical [mailto:samba-technical-bounces@xxxxxxxxxxxxxxx] On behalf of Krzysztof Paszkowski via samba-technical
> Sent: Thursday 29 March 2018 12:42
> To: samba-technical@xxxxxxxxxxxxxxx
> Subject: Failed to find DC in keytab, gpupdate fails
> 
> Hi all,
> 
> I've been using Samba4 AD DC for a while. I started from 4.1; now I have the latest 4.7 version.
> 
> Everything was great, but suddenly computers were unable to install software via GPO.
> 
> I'm looking for help, because I've been fighting this for almost a week and I'm unable to find the cause.
> 
>  
> 
> I saw these logs on my main DC (and only there):
> 
>  
> 
> [2018/03/28 09:11:29.622673,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2018/03/28 09:11:29.695783,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
> 
>  
> 
> This error repeats every time a computer is turning on and trying to obtain group policy, or when I'm trying to open \\DOMAIN.NET.PL, although I can reach \\dc.domain.net.pl and the shares of all the other DCs.
> 
>  
> 
> I was googling, but I couldn't find a resolution to my problem. The closest one had unnecessary lines in smb.conf (with idmap and acl_xattr).
> 
>  
> 
> [root@dc samba-4.7.6]# klist -ke FILE:/usr/local/samba/private/secrets.keytab
> Keytab name: FILE:/usr/local/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HOST/dc@xxxxxxxxxxxxx (des-cbc-crc)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (des-cbc-crc)
>    1 DC$@DOMAIN.NET.PL (des-cbc-crc)
>    1 HOST/dc@xxxxxxxxxxxxx (des-cbc-md5)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (des-cbc-md5)
>    1 DC$@DOMAIN.NET.PL (des-cbc-md5)
>    1 HOST/dc@xxxxxxxxxxxxx (arcfour-hmac)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (arcfour-hmac)
>    1 DC$@DOMAIN.NET.PL (arcfour-hmac)
>    1 HOST/dc@xxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
>    1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>    1 HOST/dc@xxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
>    1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
> 
>  
> 
> Version 4.7.6, built from source, pretty much always according to the Wiki.
> 
> Internal DNS, DNS is working.
> 
> Domain computers can connect to the domain.
> 
> samba-tool ntacl sysvolreset and samba-tool dbcheck --cross-ncs --fix are not helping.
> 
> I have updated from 4.7.4 to 4.7.6, but still the same.
> 
> I have 5 AD DCs in the domain.
> 
>  
> 
> **smb.conf
> [global]
>         workgroup = DOMAIN
>         realm = DOMAIN.NET.PL
>         netbios name = DC
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
> #       log level = 3 passdb:5 auth:5
>         bind interfaces only = yes
>         interfaces = lo eth0
>         log level = 1 auth_audit:1
>         allow dns updates = nonsecure
>         ntlm auth = yes
>         template shell = /bin/bash
>         template homedir = /tmp
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> [users$]
>         path = /usr/local/samba/var/data/users
>         comment = user folders for folder redirection
>         read only = No
> 
> [udzial]
>         path = /usr/local/samba/var/data/udzial
>         read only = No
>         vfs objects = recycle
>         recycle:repository = .recycle/%u
>         recycle:keeptree = yes
>         recycle:touch = yes
>         recycle:versions = yes
>         recycle:inherit_nt_acl = Yes
>         recycle:directory_mode = 0700
> 
> ****/etc/krb5.conf
> [libdefaults]
>         default_realm = DOMAIN.NET.PL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> **** /etc/hosts
> 127.0.0.1   localhost.localdomain       localhost
> 10.1.10.11      dc.domain.net.pl        dc
> 
> ****/etc/resolv.conf
> search domain.net.pl
> nameserver 10.3.10.1
> nameserver 10.6.10.1
> nameserver 10.10.10.1
> nameserver 127.0.0.1
> 
>  
> 
> I would be grateful for any hint.
> 
>  
> 
> Regards,
> 
> Kris
> 
> 
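The error in the quoted post asks for DC$@DOMAIN.NET.PL at kvno 2 with aes256-cts-hmac-sha1-96, while every entry in the klist output sits at kvno 1. The Python below is an added example (not from either poster) that parses both artefacts and reports that kind of stale-keytab mismatch, where the directory's key version has moved past what secrets.keytab holds; the klist and log text it embeds are constructed to mirror the post.

```python
"""Compare a Samba DC's secrets.keytab (klist -ke) with the kvno/enctype that a
gensec_gssapi 'Failed to find ... in keytab' error demands. Added example, inputs constructed."""
import re

# Constructed sample shaped like the 'klist -ke' output in the post (every entry kvno 1).
KLIST_OUTPUT = """\
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
"""
# Constructed sample: the log line from the post, re-joined onto one line.
LOG_LINE = ("GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
            "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
            "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)")

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
LOG_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")

def parse_klist(text):
    """Map (principal, enctype) -> set of kvnos present in the keytab."""
    found = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            found.setdefault((m.group(2), m.group(3)), set()).add(int(m.group(1)))
    return found

def parse_need(log_line):
    """Return (principal, kvno, keytab, enctype) demanded by the error, or None."""
    m = LOG_RE.search(log_line)
    return (m.group(1), int(m.group(2)), m.group(3), m.group(4)) if m else None

def diagnose(klist_text, log_line):
    """'ok' if the keytab holds the demanded kvno+enctype, otherwise what is off."""
    need = parse_need(log_line)
    if need is None:
        return "no keytab error in log line"
    principal, kvno, keytab, enctype = need
    have = parse_klist(klist_text).get((principal, enctype), set())
    if kvno in have:
        return "ok"
    if have:  # key exists but the directory's kvno has moved past what the keytab holds
        return f"stale keytab: {principal} {enctype} has kvno {sorted(have)}, KDC needs kvno {kvno}"
    return f"missing: no {enctype} key for {principal} in {keytab}"

if __name__ == "__main__":
    print(diagnose(KLIST_OUTPUT, LOG_LINE))
```

Run it against the real `klist -ke` output and the offending log line to see whether you are looking at a stale key version (re-join the DC to refresh the keytab) or at an enctype that was never written to the keytab.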


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba