
Re: [Samba] Failed to find DC in keytab, gpupdate fails




Try verifying kvno from the client that gives the error message. That kvno = 2 for dc$ must have come from somewhere. You can also double check e.g. via ADUC LDAP attributes of the dc$: lastpwdset and kvno. If kvno is definitely 1, that means that the connecting client has some error; if it's 2, then it means that the DC has an outdated keytab. And if it's the former, then I really am not sure why. My DCs have kvno 2 or 3 (those that were rejoined to the domain once).

I've seen the scenario the other way round (clients knew about kvno 2 but the keytab was already kvno 3, and that was when a password change occurred on the server, so kvno went up to 3). A client reboot made them look up the "new" kvno in the AD and they reconnected fine.

Regards,

Kacper


On 29.03.2018 at 17:28, Krzysztof Paszkowski via samba wrote:
Hi,
you're right about kvno.

kvno dc gives me:
dc@xxxxxxxxxxxxx: kvno = 1

I'm pretty sure I didn't change the dc$ password, nor was the keytab recreated (the file is from 2015).

I've checked other DCs.
It looks like two of them with CentOS 7 have kvno = 2, and one with CentOS 6 also has kvno 1.
The DCs on CentOS 7 are pretty new, with samba version 4.7.4 from scratch. The main DC and the second one with CentOS 6 are from the beginning of my adventure with Samba4.

So, how to fix it?

Regards,
Kris
-----Original Message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of Kacper Wirski via samba
Sent: Thursday, March 29, 2018 4:26 PM
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Failed to find DC in keytab, gpupdate fails

What is the output of "kvno dc.domain.net.pl"? There seems to be a mismatch between the kvno of the secrets keytab and what the client is expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance a password change for the dc$ account after which the keytab was not recreated?
If you made some upgrades, maybe during the process you for example rejoined the domain (that would set a new password for the machine in AD).

If "kvno dc.domain.net.pl" gives you the answer = 2, then maybe you can just export the keytab of the dc$ account and replace the old secrets.keytab with the new one?


Regards,

Kacper


On 29.03.2018 at 16:01, Krzysztof Paszkowski via samba wrote:
Hi,
Setting dc's IP on top of resolv.conf file, as you suggested, didn't help.
Perhaps there's something else I could try.

Regards,
Kris

-----Original Message-----
From: L.P.H. van Belle [mailto:belle@xxxxxxxxx]
Sent: Thursday, March 29, 2018 1:14 PM
To: samba@xxxxxxxxxxxxxxx
Cc: Krzysztof Paszkowski <kylo@xxxxxxxx>
Subject: RE: Failed to find DC in keytab, gpupdate fails

Hi,

I suggest you post this to samba@xxxxxxxxxxxxxx; that list is more for these questions.

Try this setting in resolv.conf:

search domain.net.pl
nameserver 10.1.10.11		# IP of the DC itself.
#nameserver 			# an extra nameserver that has access to the DC DNS info (a second DC maybe).
nameserver 8.8.8.8		# IP of the forwarder in smb.conf, as backup for internet access.
# and max 3 nameservers in resolv.conf.

Stop samba and start it again, and check again.


Greetz,

Louis

-----Original Message-----
From: samba-technical
[mailto:samba-technical-bounces@xxxxxxxxxxxxxxx] On Behalf Of Krzysztof
Paszkowski via samba-technical
Sent: Thursday, 29 March 2018 12:42
To: samba-technical@xxxxxxxxxxxxxxx
Subject: Failed to find DC in keytab, gpupdate fails

Hi all,

I've been using Samba4 AD DC for a while. I started from 4.1, and now I
have the latest version of 4.7.

Everything was great, but suddenly computers were unable to install
software via GPO.

I'm looking for help, because I've been fighting this for almost a week and
I'm unable to find the cause.

I saw these logs on my main DC (and only there):

[2018/03/28 09:11:29.622673,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
    SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

[2018/03/28 09:11:29.695783,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
    GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

This error repeats every time a computer is turned on and tries
to obtain group policy, or when I'm trying to open \\DOMAIN.NET.PL,
although I can reach \\dc.domain.net.pl and the shares of all other DCs.

I was googling, but I couldn't find a resolution to my problem. The closest
one had unnecessary lines in smb.conf (with idmap and acl_xattr).

[root@dc samba-4.7.6]# klist -ke FILE:/usr/local/samba/private/secrets.keytab
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@xxxxxxxxxxxxx (des-cbc-crc)
   1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc@xxxxxxxxxxxxx (des-cbc-md5)
   1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (des-cbc-md5)
   1 DC$@DOMAIN.NET.PL (des-cbc-md5)
   1 HOST/dc@xxxxxxxxxxxxx (arcfour-hmac)
   1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 HOST/dc@xxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 HOST/dc@xxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   1 HOST/dc.DOMAIN.net.pl@xxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)

Version 4.7.6, built from source, mostly always according to the Wiki.

Internal DNS; DNS is working.

Domain computers can connect to the domain.

samba-tool ntacl sysvolreset and samba-tool dbcheck --cross-ncs --fix are
not helping.

I have updated from 4.7.4 to 4.7.6, but it is still the same.

I have 5 AD DCs in the domain.

**smb.conf

[global]
        workgroup = DOMAIN
        realm = DOMAIN.NET.PL
        netbios name = DC
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
#       log level = 3 passdb:5 auth:5
        bind interfaces only = yes
        interfaces = lo eth0
        log level = 1 auth_audit:1
        allow dns updates = nonsecure
        ntlm auth = yes
        template shell = /bin/bash
        template homedir = /tmp

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[users$]
        path = /usr/local/samba/var/data/users
        comment = user folders for folder redirection
        read only = No

[udzial]
        path = /usr/local/samba/var/data/udzial
        read only = No
        vfs objects = recycle
        recycle:repository = .recycle/%u
        recycle:keeptree = yes
        recycle:touch = yes
        recycle:versions = yes
        recycle:inherit_nt_acl = Yes
        recycle:directory_mode = 0700

****/etc/krb5.conf

[libdefaults]
        default_realm = DOMAIN.NET.PL
        dns_lookup_realm = false
        dns_lookup_kdc = true

**** /etc/hosts

127.0.0.1   localhost.localdomain       localhost
10.1.10.11      dc.domain.net.pl        dc

****/etc/resolv.conf

search domain.net.pl
nameserver 10.3.10.1
nameserver 10.6.10.1
nameserver 10.10.10.1
nameserver 127.0.0.1

I would be grateful for any hint.

Regards,

Kris
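The kvno reasoning in this thread (the keytab's kvno versus the kvno the client's ticket was issued for, and using the `kvno` tool on the client to tell a stale keytab from a stale client) can be turned into a small diagnostic. The script below is an added example for this thread, not code from the Samba project or from any of the posters. It parses three pieces of text an admin already has (the samba log line, `klist -ke` output for secrets.keytab, and `kvno <principal>` output from the failing client) and reports which side holds the stale key version. The sample inputs are constructed from the values quoted in the thread; the mapping of `dc@REALM` and `DC$@REALM` onto one machine account is an assumption based on the usual AD naming convention, and `msDS-KeyVersionNumber` / `pwdLastSet` are the LDAP attribute names behind the "kvno" and "lastpwdset" fields mentioned above.

```python
"""Classify a Samba "Failed to find <principal>(kvno N) in keytab" error.
Added example for this thread; not Samba project code."""
import re
from collections import defaultdict

# Constructed sample inputs, modelled on the outputs quoted in this thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
"""
KVNO_OUTPUT = "dc@DOMAIN.NET.PL: kvno = 1"          # what `kvno dc` printed on the client
LOG_LINE = (
    "GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): "
    "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
    "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)"
)

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
KVNO_RE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)")
LOG_RE = re.compile(r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
                    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)")

# What each verdict means, in the terms used in the thread.
ADVICE = {
    "ok": "the keytab holds that kvno; the error must come from another keytab or enctype",
    "keytab_stale": "AD has a newer password than secrets.keytab: re-export the account's keytab",
    "client_stale": "client still uses a ticket for an older key: refresh its tickets (reboot)",
    "client_ahead": "client expects a kvno newer than the KDC reports; compare the account's "
                    "msDS-KeyVersionNumber and pwdLastSet across DCs",
    "missing_enctype": "keytab has the principal but no key of that enctype",
    "missing_principal": "keytab has no key for that principal at all",
    "unknown": "supply `kvno` output from the client to tell keytab_stale from client_stale",
    "inconsistent": "kvno values fit no single-cause explanation; inspect by hand",
}

def parse_klist(text):
    """{principal: {enctype: {kvno, ...}}} from `klist -ke` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            keys[m.group(2)][m.group(3)].add(int(m.group(1)))
    return keys

def parse_kvno(text):
    """{principal: kvno} from `kvno` output (one principal per line)."""
    out = {}
    for line in text.splitlines():
        m = KVNO_RE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def account_key(principal):
    """Normalise 'dc@REALM' and 'DC$@REALM' to one account name (assumes the AD
    convention that the short host name maps to the machine account with a $)."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/")[-1].rstrip("$").upper() + "@" + realm.upper()

def parse_failure(log_line):
    """Principal, kvno, keytab path and enctype named in the samba log line."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    d = m.groupdict()
    d["kvno"] = int(d["kvno"])
    return d

def classify(keytab_kvnos, kdc_kvno, ticket_kvno):
    """Decide which side is stale from the kvnos the keytab holds, the kvno the KDC
    currently issues (None if unknown) and the kvno the failing ticket was cut for."""
    if ticket_kvno in keytab_kvnos:
        return "ok"
    if kdc_kvno is None:
        return "unknown"
    if kdc_kvno == ticket_kvno and kdc_kvno > max(keytab_kvnos):
        return "keytab_stale"
    if kdc_kvno in keytab_kvnos and ticket_kvno < kdc_kvno:
        return "client_stale"
    if ticket_kvno > kdc_kvno:
        return "client_ahead"
    return "inconsistent"

def diagnose(klist_text, log_line, kvno_text=None):
    """Combine the three inputs into a verdict dict."""
    failure = parse_failure(log_line)
    if failure is None:
        return {"verdict": "no_keytab_error"}
    keys = parse_klist(klist_text)
    have = keys.get(failure["principal"], {}).get(failure["enctype"], set())
    kdc_kvno = None
    if kvno_text:
        by_account = {account_key(p): v for p, v in parse_kvno(kvno_text).items()}
        kdc_kvno = by_account.get(account_key(failure["principal"]))
    if failure["principal"] not in keys:
        verdict = "missing_principal"
    elif not have:
        verdict = "missing_enctype"
    else:
        verdict = classify(have, kdc_kvno, failure["kvno"])
    return {"verdict": verdict, "advice": ADVICE[verdict], "principal": failure["principal"],
            "enctype": failure["enctype"], "ticket_kvno": failure["kvno"],
            "keytab_kvnos": sorted(have), "kdc_kvno": kdc_kvno}

if __name__ == "__main__":
    for k, v in diagnose(KLIST_OUTPUT, LOG_LINE, KVNO_OUTPUT).items():
        print(f"{k}: {v}")
```

With the thread's own numbers (keytab kvno 1, `kvno dc` reporting 1, ticket cut for kvno 2) the verdict is `client_ahead`, which is exactly the "former" case the reply above could not explain: the keytab and the KDC agree, so re-exporting the keytab would not change anything, and the question is where the client's kvno 2 came from. Feeding it `kvno` output of 2 instead yields `keytab_stale`, the case where re-exporting secrets.keytab is the fix.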




