
Re: [Samba] Unable to rejoin domain, LDAP error 50





2. KVNO mismatch - on the main DC

[2018/04/03 14:36:46.822531,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/04/03 14:36:46.968728,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

kvno DC
DC@xxxxxxxxxxxxx: kvno = 1

Is there any other way to increase the key version to 2 than to demote
the DC and rejoin the domain? I was trying with the command:

ktutil:  add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e aes256-cts-hmac-sha1-96

but then I'm asked to enter a password (or a key, with the -key option
in add_entry) - can I leave it empty and just hit the Enter key?



You could try running 'samba_upgradeprovision', this will reset the
passwords:

samba_upgradeprovision --realm=<YOUR REALM> -U Administrator

NOTE: I have never had to do this, so I would urge you to back up
everything before trying it.

However, the errors could be coming from something that is using stale
passwords; they may go away if you wait long enough or reboot
everything.

Rowland

I'll try it this weekend, making a full backup of my DC beforehand. I've
been facing this KVNO mismatch error for at least three weeks (and I'm
not sure where it came from).

Thank you for your assistance, I'll give you feedback about
samba_upgradeprovision.

Regards,
Kris

I should have tried this command sooner. Now I have made a full backup and something is missing:

[root@dc ~]# cd /opt/samba-4.7.6/bin
[root@dc bin]# ./samba_upgradeprovision --realm=DOMAIN.NET.PL -U Administrator
Traceback (most recent call last):
  File "./samba_upgradeprovision", line 36, in <module>
    import ldb

I get the same output when running the script from the /opt/samba-4.7.6/source4/scripting/bin/ directory.
OS is CentOS 6. Google returns nothing really special about it.

Any hint?

Regards,
Kris
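
The key version requested in the gensec_gssapi error earlier in this thread can be compared with what the keytab holds before any password is reset. The following is an added example, not part of the original messages and not Samba code: it parses the error text from the thread together with a constructed sample of MIT `klist -k -e` output; the function names and the sample keytab listing are assumptions.

```python
import re

# Error text as it appears in the thread (wrapped by the mail client).
SAMPLE_LOG = """GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see
text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab
FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)"""

# Constructed sample of MIT `klist -k -e` output; not taken from the thread.
SAMPLE_KLIST = """Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
"""

LOG_RE = re.compile(r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) "
                    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")
KLIST_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$")

def parse_missing_keys(log_text):
    """Return (principal, kvno, enctype, keytab) for each key the server could not find."""
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    return [(m["principal"], int(m["kvno"]), m["enctype"], m["keytab"])
            for m in LOG_RE.finditer(flat)]

def parse_klist(klist_text):
    """Map (principal, enctype) -> sorted list of key versions held in the keytab."""
    keys = {}
    for line in klist_text.splitlines():
        m = KLIST_RE.match(line)
        if m:  # header and separator lines do not match
            keys.setdefault((m["principal"], m["enctype"]), set()).add(int(m["kvno"]))
    return {k: sorted(v) for k, v in keys.items()}

def diagnose(log_text, klist_text):
    """Compare each requested key version with what the keytab actually holds."""
    held = parse_klist(klist_text)
    report = []
    for principal, kvno, enctype, keytab in parse_missing_keys(log_text):
        have = held.get((principal, enctype), [])
        if not have:
            verdict = "no key for this principal and enctype"
        elif max(have) < kvno:
            verdict = "keytab behind the requested key version"
        else:
            verdict = "keytab holds other versions only"
        report.append({"principal": principal, "requested": kvno,
                       "in_keytab": have, "verdict": verdict})
    return report
```
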
