Web lists-archives.com

Re: [Samba] Failed to find DC in keytab, gpupdate fails




what is the output of "kvno dc.domain.net.pl"? There seems to be mismatch kvno of the secrets keytab, and what is client expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance password change for the dc$ account and keytab was not recreated? If You made some upgrades, maybe during process You for example rejoined the domain (that would set new password for the machine in AD).

If "kvno dc.domain.net.pl" will give you answer = 2, than maybe You can just export keytab of the dc$ account and replace old secrets.keytab with new?


Regards,

Kacper


W dniu 29.03.2018 o 16:01, Krzysztof Paszkowski via samba pisze:
Hi,
Setting dc's IP on top of resolv.conf file, as you suggested, didn't help.
Perhaps there's something else I could try.

Regards,
Kris

-----Original Message-----
From: L.P.H. van Belle [mailto:belle@xxxxxxxxx]
Sent: Thursday, March 29, 2018 1:14 PM
To: samba@xxxxxxxxxxxxxxx
Cc: Krzysztof Paszkowski <kylo@xxxxxxxx>
Subject: RE: Failed to find DC in keytab, gpupdate fails

Hi,

I suggest you post this to samba@xxxxxxxxxxxxxx that more for these
questions.

Try this setting in resolv.conf

search domain.net.pl
nameserver 10.1.10.11		# IP of DC itself.
#nameserver 			# and extra nameserver that has access to
the DC dns info. (a second dc maybe)
nameserver 8.8.8.8		# IP of forwarder in SMB.conf as backup for
internet access.
# and max 3 nameservers in resolv.conf.

Stop samba and start it again, and check again.


Greetz,

Louis

-----Oorspronkelijk bericht-----
Van: samba-technical
[mailto:samba-technical-bounces@xxxxxxxxxxxxxxx] Namens Krzysztof
Paszkowski via samba-technical
Verzonden: donderdag 29 maart 2018 12:42
Aan: samba-technical@xxxxxxxxxxxxxxx
Onderwerp: Failed to find DC in keytab, gpupdate fails

Hi all,

I'm using Samba4 AD DC  for a while. I was starting from 4.1, now I
have last version from 4.7.

Everything was great, but suddenly computers were unable to install
software via gpo.

I'm looking for a  help, because I'm fighting almost for a week and
I'm unable to find the  cause.

I saw such a logs on my main DC (and only there):

[2018/03/28 09:11:29.622673,  1]
../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)

   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

[2018/03/28 09:11:29.695783,  1]
../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_updat
e_internal)

   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure
(see
text): Failed to find DC$@DOMAIN.NET.PL(kvno
<mailto:DC$@DOMAIN.NET.PL(kvno>
2) in keytab FILE:/usr/local/samba/private/secrets.keytab
(aes256-cts-hmac-sha1-96)

This error repeats every time, the computer is turning on and trying
to obtain group policy or when I'm trying to open \\DOMAIN.NET.PL
<file:///\\DOMAIN.NET.PL> , although I can reach \\dc.domain.net.pl
<file:///\\dc.domain.net.pl>  and shares of all others DCs.

I was googling, but I couldn't find resolution to my problem.
The closest
one had unnecessary  lines in smb.conf (with idmap and acl_xattr).

[root@dc samba-4.7.6]# klist -ke
FILE:/usr/local/samba/private/secrets.keytab

Keytab name: FILE:/usr/local/samba/private/secrets.keytab

KVNO Principal

----
--------------------------------------------------------------
------------

    1 HOST/dc@xxxxxxxxxxxxx <mailto:HOST/dc@xxxxxxxxxxxxx>
(des-cbc-crc)

    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx
<mailto:HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx>  (des-cbc-crc)

    1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>  (des-cbc-crc)

    1 HOST/dc@xxxxxxxxxxxxx <mailto:HOST/dc@xxxxxxxxxxxxx>
(des-cbc-md5)

    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx
<mailto:HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx>  (des-cbc-md5)

    1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>  (des-cbc-md5)

    1 HOST/dc@xxxxxxxxxxxxx <mailto:HOST/dc@xxxxxxxxxxxxx>
(arcfour-hmac)

    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx
<mailto:HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx>  (arcfour-hmac)

    1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>  (arcfour-hmac)

    1 HOST/dc@xxxxxxxxxxxxx <mailto:HOST/dc@xxxxxxxxxxxxx>
(aes128-cts-hmac-sha1-96)

    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx
<mailto:HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx>
(aes128-cts-hmac-sha1-96)

    1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>
(aes128-cts-hmac-sha1-96)

    1 HOST/dc@xxxxxxxxxxxxx <mailto:HOST/dc@xxxxxxxxxxxxx>
(aes256-cts-hmac-sha1-96)

    1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx
<mailto:HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx>
(aes256-cts-hmac-sha1-96)

    1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>
(aes256-cts-hmac-sha1-96)

Version 4.7.6, built from source, rather always according to Wiki.

Internal DNS, DNS is working.

Domain computers can connect to the domain.

Samba-tool ntacl sysvolreset, samba-tool dbcheck --cross-ncs --fix  -
not helping.

I have updated from 4.7.4 to 4.7.6, but still the same.

I have 5 AD DC in domain.

**smb.conf

[global]

         workgroup = DOMAIN

         realm = DOMAIN.NET.PL

         netbios name = DC

         server role = active directory domain controller

        dns forwarder = 8.8.8.8

#       log level = 3 passdb:5 auth:5

         bind interfaces only = yes

         interfaces = lo eth0

         log level = 1 auth_audit:1

         allow dns updates = nonsecure

         ntlm auth = yes

         template shell = /bin/bash

         template homedir = /tmp

[netlogon]

         path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts

         read only = No

[sysvol]

         path = /usr/local/samba/var/locks/sysvol

         read only = No

[users$]

        path = /usr/local/samba/var/data/users

        comment = user folders for folder redirection

        read only = No

[udzial]

         path = /usr/local/samba/var/data/udzial

         read only = No

         vfs objects = recycle

         recycle:repository = .recycle/%u

         recycle:keeptree = yes

         recycle:touch = yes

         recycle:versions = yes

         recycle:inherit_nt_acl = Yes

         recycle:directory_mode = 0700

****/etc/krb5.conf

[libdefaults]

         default_realm = DOMAIN.NET.PL

         dns_lookup_realm = false

         dns_lookup_kdc = true

**** /etc/hosts

127.0.0.1   localhost.localdomain       localhost

10.1.10.11      dc.domain.net.pl        dc

****/etc/resolv.conf

search domain.net.pl

nameserver 10.3.10.1

nameserver 10.6.10.1

nameserver 10.10.10.1

nameserver 127.0.0.1

I would be grateful for any hint.

Regards,

Kris





--

Z poważaniem,
Kacper Wirski
tel. +48 608 421 424


tel:   + 48 22 637 50 01
fax:   + 48 22 637 50 04

Babka Medica Spółka z ograniczoną odpowiedzialnością Spółka komandytowa
ul. Słomińskiego 19 lok.517, 00-195 Warszawa
Sąd Rejonowy dla M.St. Warszawy w Warszawie  XII Wydział Gospodarczy KRS 0000491764
NIP 525-234-00-28

www.babkamedica.pl <http://www.babkamedica.pl/>


----------------------------------------------------------------------------

Informacja zawarta w niniejszej korespondencji jest poufna. Korespondencja
skierowana jest wyłącznie do osoby (firmy) wymienionej wyżej.
Rozpowszechnianie, kopiowanie, ujawnianie lub przekazywanie osobom trzecim w
jakiejkolwiek formie informacji zawartych w niniejszym dokumencie w całości
lub w części jest zakazane bez uprzedniej pisemnej (pod rygorem nieważności)
zgody Babka Medica Sp. z o.o. Sp. k.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba