Re: [Samba] Failed to find DC in keytab, gpupdate fails




Hi,
Setting the DC's IP at the top of the resolv.conf file, as you suggested, didn't help.
Perhaps there's something else I could try.

Regards,
Kris

-----Original Message-----
From: L.P.H. van Belle [mailto:belle@xxxxxxxxx] 
Sent: Thursday, March 29, 2018 1:14 PM
To: samba@xxxxxxxxxxxxxxx
Cc: Krzysztof Paszkowski <kylo@xxxxxxxx>
Subject: RE: Failed to find DC in keytab, gpupdate fails

Hi, 

I suggest you post this to samba@xxxxxxxxxxxxxx; that list is more for these
questions. 

Try this setting in resolv.conf: 

search domain.net.pl
nameserver 10.1.10.11		# IP of the DC itself.
#nameserver 			# an extra nameserver that has access to the DC DNS info (a second DC maybe).
nameserver 8.8.8.8		# IP of the forwarder in smb.conf, as backup for internet access.
# and max 3 nameservers in resolv.conf. 

Stop samba and start it again, and check again. 


Greetz, 

Louis

> -----Original Message-----
> From: samba-technical
> [mailto:samba-technical-bounces@xxxxxxxxxxxxxxx] On behalf of Krzysztof 
> Paszkowski via samba-technical
> Sent: Thursday, March 29, 2018 12:42
> To: samba-technical@xxxxxxxxxxxxxxx
> Subject: Failed to find DC in keytab, gpupdate fails
> 
> Hi all,
> 
> I've been using a Samba4 AD DC for a while. I started from 4.1, and now I 
> have the latest version from 4.7.
> 
> Everything was great, but suddenly computers were unable to install 
> software via GPO.
> 
> I'm looking for help, because I've been fighting this for almost a week and 
> I'm unable to find the cause.
> 
> I saw these logs on my main DC (and only there):
> 
> [2018/03/28 09:11:29.622673,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2018/03/28 09:11:29.695783,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
> 
> This error repeats every time a computer turns on and tries to obtain 
> group policy, or when I try to open \\DOMAIN.NET.PL, although I can 
> reach \\dc.domain.net.pl and the shares of all the other DCs.
> 
> I was googling, but I couldn't find a resolution to my problem. The closest 
> one had unnecessary lines in smb.conf (with idmap and acl_xattr).
> 
> [root@dc samba-4.7.6]# klist -ke FILE:/usr/local/samba/private/secrets.keytab
> Keytab name: FILE:/usr/local/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HOST/dc@xxxxxxxxxxxxx (des-cbc-crc)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (des-cbc-crc)
>    1 DC$@DOMAIN.NET.PL (des-cbc-crc)
>    1 HOST/dc@xxxxxxxxxxxxx (des-cbc-md5)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (des-cbc-md5)
>    1 DC$@DOMAIN.NET.PL (des-cbc-md5)
>    1 HOST/dc@xxxxxxxxxxxxx (arcfour-hmac)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (arcfour-hmac)
>    1 DC$@DOMAIN.NET.PL (arcfour-hmac)
>    1 HOST/dc@xxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
>    1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>    1 HOST/dc@xxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
>    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
>    1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
> 
> 
> Version 4.7.6, built from source, more or less always following the Wiki.
> 
> Internal DNS; DNS is working.
> 
> Domain computers can connect to the domain.
> 
> samba-tool ntacl sysvolreset and samba-tool dbcheck --cross-ncs --fix are 
> not helping.
> 
> I have updated from 4.7.4 to 4.7.6, but it is still the same.
> 
> I have 5 AD DCs in the domain.
> 
> **smb.conf
> [global]
>         workgroup = DOMAIN
>         realm = DOMAIN.NET.PL
>         netbios name = DC
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
> #       log level = 3 passdb:5 auth:5
>         bind interfaces only = yes
>         interfaces = lo eth0
>         log level = 1 auth_audit:1
>         allow dns updates = nonsecure
>         ntlm auth = yes
>         template shell = /bin/bash
>         template homedir = /tmp
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> [users$]
>         path = /usr/local/samba/var/data/users
>         comment = user folders for folder redirection
>         read only = No
> 
> [udzial]
>         path = /usr/local/samba/var/data/udzial
>         read only = No
>         vfs objects = recycle
>         recycle:repository = .recycle/%u
>         recycle:keeptree = yes
>         recycle:touch = yes
>         recycle:versions = yes
>         recycle:inherit_nt_acl = Yes
>         recycle:directory_mode = 0700
> 
> ****/etc/krb5.conf
> [libdefaults]
>         default_realm = DOMAIN.NET.PL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> **** /etc/hosts
> 127.0.0.1   localhost.localdomain       localhost
> 10.1.10.11      dc.domain.net.pl        dc
> 
> ****/etc/resolv.conf
> search domain.net.pl
> nameserver 10.3.10.1
> nameserver 10.6.10.1
> nameserver 10.10.10.1
> nameserver 127.0.0.1
> 
> I would be grateful for any hint.
> 
> Regards,
> 
> Kris
> 
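Two checks that follow from this thread, written here as an added example and not code posted by Kris, Louis or the Samba project: the script parses klist -ke output together with the gensec_gssapi "Failed to find ... in keytab" line and reports whether secrets.keytab lacks the principal, the key version (kvno) or the enctype the KDC-issued ticket needs, and it checks a DC's resolv.conf against Louis's advice (the DC itself first, at most three nameservers). The samples are constructed from the data in the thread; the masked realm on the HOST/ entries is assumed to be DOMAIN.NET.PL, and the function names and the weak-enctype list are my own choices.

```python
"""Diagnostics for the two checks in this thread: does secrets.keytab hold the
key version the KDC is using, and does resolv.conf point the DC at itself?"""
import re

# Constructed sample based on the klist -ke listing in the thread (a subset, with
# the mail-client residue stripped; the masked realm of the HOST/ entries is
# assumed to be DOMAIN.NET.PL).
SAMPLE_KLIST = """Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
"""

# The gensec_gssapi failure from the thread, rejoined onto one line.
SAMPLE_ERROR = ("GSS server Update(krb5)(1) Update failed:  Miscellaneous failure "
                "(see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
                "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)")

# Kris's resolv.conf as posted, and Louis's suggested replacement (constructed).
RESOLV_BEFORE = ("search domain.net.pl\nnameserver 10.3.10.1\nnameserver 10.6.10.1\n"
                 "nameserver 10.10.10.1\nnameserver 127.0.0.1\n")
RESOLV_AFTER = ("search domain.net.pl\nnameserver 10.1.10.11  # DC itself\n"
                "#nameserver\nnameserver 8.8.8.8  # forwarder\n")

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
ERROR_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")
WEAK_PREFIXES = ("des-", "arcfour-")  # single-DES and RC4 enctypes (my own list)


def parse_klist(text):
    """(kvno, principal, enctype) for every entry line of `klist -ke` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def parse_failure(line):
    """(principal, kvno, keytab, enctype) from a 'Failed to find ... in keytab' line."""
    m = ERROR_RE.search(line)
    return None if m is None else (m.group(1), int(m.group(2)), m.group(3), m.group(4))


def diagnose(entries, failure):
    """Compare what the KDC-issued ticket needs against what the keytab holds."""
    principal, kvno, _keytab, enctype = failure
    matching = [(k, e) for k, p, e in entries if p == principal]
    kvnos = sorted({k for k, _ in matching})
    result = {"principal": principal, "wanted": (kvno, enctype), "keytab_kvnos": kvnos}
    if not matching:
        result["status"] = "missing-principal"   # keytab never provisioned for it
    elif (kvno, enctype) in matching:
        result["status"] = "ok"                  # the failure lies elsewhere
    elif kvno not in kvnos:
        result["status"] = "kvno-mismatch"       # account key rotated, keytab stale
    else:
        result["status"] = "enctype-missing"     # right version, wrong cipher set
    return result


def weak_entries(entries):
    """Keytab entries using enctypes a defender would want removed."""
    return [t for t in entries if t[2].startswith(WEAK_PREFIXES)]


def check_resolv_conf(text, dc_ip, max_ns=3):
    """Findings on a DC's resolv.conf: the DC should be the first nameserver, and
    glibc consults at most the first three `nameserver` lines (MAXNS), so any
    further entries, such as a trailing 127.0.0.1, are silently ignored."""
    nameservers = [line.split()[1] for line in text.splitlines()
                   if line.strip().startswith("nameserver") and len(line.split()) > 1]
    findings = []
    if not nameservers or nameservers[0] != dc_ip:
        findings.append("dc-not-first")
    if len(nameservers) > max_ns:
        findings.append("too-many-nameservers")
    return nameservers, findings


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print(diagnose(entries, parse_failure(SAMPLE_ERROR)))
    for kvno, principal, enctype in weak_entries(entries):
        print(f"weak enctype in keytab: kvno {kvno} {principal} ({enctype})")
    print(check_resolv_conf(RESOLV_BEFORE, "10.1.10.11"))
    print(check_resolv_conf(RESOLV_AFTER, "10.1.10.11"))
```

On a live DC the same functions take the real output of klist -ke FILE:/usr/local/samba/private/secrets.keytab and the failing line from log.samba. For the thread's data the verdict is kvno-mismatch with keytab_kvnos [1]: the ticket the client presented was encrypted under key version 2 of DC$, which secrets.keytab does not hold, so the DC$ account's current key version is the next thing to compare against the keytab. The script also lists the des-cbc-crc and des-cbc-md5 entries, and it shows why the posted resolv.conf never reaches the local DNS: with four nameserver lines, the 127.0.0.1 entry sits past the glibc limit of three.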


