
Re: [Samba] gpo not applied a boot computer




On Tue, 26 Feb 2019 16:37:39 +0100
David Jehin <bedou210977@xxxxxxxxx> wrote:

> THANK YOU FOR YOUR REPLY
> 
> THE RESULT :
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    1 HOST/samba4@xxxxxxx (des-cbc-crc)
>    1 HOST/samba4.fss.lan@xxxxxxx (des-cbc-crc)
>    1 SAMBA4$@FSS.LAN (des-cbc-crc)
>    1 HOST/samba4@xxxxxxx (des-cbc-md5)
>    1 HOST/samba4.fss.lan@xxxxxxx (des-cbc-md5)
>    1 SAMBA4$@FSS.LAN (des-cbc-md5)
>    1 HOST/samba4@xxxxxxx (arcfour-hmac)
>    1 HOST/samba4.fss.lan@xxxxxxx (arcfour-hmac)
>    1 SAMBA4$@FSS.LAN (arcfour-hmac)
>    1 HOST/samba4@xxxxxxx (aes128-cts-hmac-sha1-96)
>    1 HOST/samba4.fss.lan@xxxxxxx (aes128-cts-hmac-sha1-96)
>    1 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96)
>    1 HOST/samba4@xxxxxxx (aes256-cts-hmac-sha1-96)
>    1 HOST/samba4.fss.lan@xxxxxxx (aes256-cts-hmac-sha1-96)
>    1 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
>    2 HOST/samba4@xxxxxxx (des-cbc-crc)
>    2 HOST/samba4.fss.lan@xxxxxxx (des-cbc-crc)
>    2 SAMBA4$@FSS.LAN (des-cbc-crc)
>    2 HOST/samba4@xxxxxxx (des-cbc-md5)
>    2 HOST/samba4.fss.lan@xxxxxxx (des-cbc-md5)
>    2 SAMBA4$@FSS.LAN (des-cbc-md5)
>    2 HOST/samba4@xxxxxxx (arcfour-hmac)
>    2 HOST/samba4.fss.lan@xxxxxxx (arcfour-hmac)
>    2 SAMBA4$@FSS.LAN (arcfour-hmac)
>    2 HOST/samba4@xxxxxxx (aes128-cts-hmac-sha1-96)
>    2 HOST/samba4.fss.lan@xxxxxxx (aes128-cts-hmac-sha1-96)
>    2 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96)
>    2 HOST/samba4@xxxxxxx (aes256-cts-hmac-sha1-96)
>    2 HOST/samba4.fss.lan@xxxxxxx (aes256-cts-hmac-sha1-96)
>    2 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
>    1 HOST/samba4.fss.lan@xxxxxxx (des-cbc-crc)
>    1 SAMBA4$@FSS.LAN (des-cbc-crc)
>    1 HOST/samba4@xxxxxxx (des-cbc-md5)
>    1 HOST/samba4.fss.lan@xxxxxxx (des-cbc-md5)
>    1 SAMBA4$@FSS.LAN (des-cbc-md5)
>    1 HOST/samba4@xxxxxxx (arcfour-hmac)
>    1 HOST/samba4.fss.lan@xxxxxxx (arcfour-hmac)
>    1 SAMBA4$@FSS.LAN (arcfour-hmac)
>    1 HOST/samba4@xxxxxxx (aes128-cts-hmac-sha1-96)
>    1 HOST/samba4.fss.lan@xxxxxxx (aes128-cts-hmac-sha1-96)
>    1 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96)
>    1 HOST/samba4@xxxxxxx (aes256-cts-hmac-sha1-96)
>    1 HOST/samba4.fss.lan@xxxxxxx (aes256-cts-hmac-sha1-96)
>    1 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
> 
> 
> On Tue, 26 Feb 2019 at 16:22, Rowland Penny via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
> 
> > On Tue, 26 Feb 2019 15:57:03 +0100
> > David Jehin via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > Hello everyone
> > > since now a certain time I pull my hair and do not understand the
> > > source of my problem.
> > > after a samba 3 pdc migration to samba 4.8.5 AD, when a windows
> > > client starts the gpo computer is not applied to the boot.
> > > in the windows logs there are 1058 GPO errors and server side
> > > samba here are the logs:
> > >
> > >   GSS server Update (krb5) (1) Update failed: Miscellaneous
> > > failure (see text): Failed to find SAMBA4$@FSS.LAN (kvno 2) in
> > > keytab FILE: /var/lib/samba/private/secrets.keytab (arcfour
> > > -hmac-md5) [2019/02/20 11: 20: 33.013351, 1]
> > > ../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
> > >    gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing
> > > NEG_TOKEN_INIT content failed (next [(null)]):
> > > NT_STATUS_LOGON_FAILURE [2019/02/20 11: 20: 33.041913, 1]
> > > ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
> > >
> > > thank you again for your participation.
> >
> > What does this show:
> >
> > klist -e -k /var/lib/samba/private/secrets.keytab
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >

Well that shows that the keytab exists and contains the required
enctypes for SAMBA4$@FSS.LAN at KVNO 2, what it doesn't have is
'(arcfour -hmac-md5)' which, to be honest, I don't recognise.

What distro is this running on?
Self compiled Samba or distro packages?

Rowland
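
An added example, not part of the thread and not Samba code: a Python check that parses `klist -e -k` output and tests whether the key named in the log line (principal, kvno, enctype) is in the keytab. It treats `arcfour-hmac`, `rc4-hmac` and `arcfour-hmac-md5` as names for the same enctype, as MIT krb5 documents them, and ignores the stray space from the wrapped log line. The function names and the `LEGACY` set are assumptions of this example, and the sample rows are a subset of the listing quoted above.

```python
import re

# Names MIT krb5 documents for the same enctype (RC4 with HMAC/MD5).
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}
# Enctypes treated as legacy in this example, flagged for review (assumption).
LEGACY = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# One listing row: "<kvno> <principal> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def normalize(enctype):
    """Strip whitespace damage and map aliases to one canonical name."""
    name = re.sub(r"\s+", "", enctype).lower()
    return ALIASES.get(name, name)

def parse_keytab_listing(text):
    """Return a set of (kvno, principal, enctype) from `klist -e -k` output."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match
            entries.add((int(m.group(1)), m.group(2), normalize(m.group(3))))
    return entries

def has_key(entries, principal, kvno, enctype):
    """True if the keytab holds this principal at this kvno and enctype."""
    return (kvno, principal, normalize(enctype)) in entries

def legacy_keys(entries, principal):
    """Legacy-enctype keys held for one principal, sorted by kvno."""
    return sorted((k, e) for k, p, e in entries if p == principal and e in LEGACY)

# Subset of the listing posted in the thread (SAMBA4$ rows only).
SAMPLE = """\
KVNO Principal
---- ----------------------------------------
   1 SAMBA4$@FSS.LAN (arcfour-hmac)
   1 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
   2 SAMBA4$@FSS.LAN (des-cbc-crc)
   2 SAMBA4$@FSS.LAN (arcfour-hmac)
   2 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96)
   2 SAMBA4$@FSS.LAN (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    keys = parse_keytab_listing(SAMPLE)
    # Key named in the log line: SAMBA4$@FSS.LAN, kvno 2, "arcfour -hmac-md5".
    print(has_key(keys, "SAMBA4$@FSS.LAN", 2, "arcfour -hmac-md5"))
    print(legacy_keys(keys, "SAMBA4$@FSS.LAN"))
```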