[Samba] samba-tool domain exportkeytab failure

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Tue May 7 04:56:51 MDT 2013


On 7.5.2013 2:32, Andrew Bartlett wrote:
> On Mon, 2013-05-06 at 13:41 +0300, Pekka L.J. Jalkanen wrote:
>> On 4.5.2013 0:22, Andrew Bartlett wrote:
>>>
>>> It would be useful to know why samba-tool exportkeytab didn't work, it
>>> is tested in our make test.  Perhaps run it with -d10 and see if it
>>> gives more clues?
>>
>> Not much--only the two lines above the hexdump:
> 
> Those are the important details I needed. 

Excellent! :)

>> -----
>>
>> gendb_search_v: DC=mydomain,DC=site NULL -> 1
>> ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
>> [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
>> [0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
>> [0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
>> [0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
>> [0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
>> [0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
>> [0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..
>> ERROR(runtime): uncaught exception - Invalid argument
>>   File
>> "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/__init__.py", line
>> 175, in _run
>>     return self.run(*args, **kwargs)
>>   File
>> "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/domain.py",
>> line 103, in run
>>     net.export_keytab(keytab=keytab, principal=principal)
> 
> The issue here is that when we migrated the key from your existing
> database, we were unable to read this attribute correctly.  I'm
> surprised this works at all actually.
> 
> What does 'samba-tool dbcheck' show?

Zero errors (even with "--cross-ncs"), unless I run with
--reset-well-known-acls, in which case four ACL errors are reported. But
I've left those unfixed so far, as I'm not sure whether I'm really having any
problem there or not. Windows is not complaining about any errors with
sysvol or the GPOs.

>>> While I
>>> do take GPG encrypted stuff, I prefer not to unless I'm actually fixing
>>> database errors in databases or other things that would never be
>>> reproduced again.
>>
>> I understand your point. Sorry that I can't help quickly, but if you don't
>> see a delay of one to two months as a problem, I can try this then.
>> If you do, then the encryption is the only way. I'm not in a terrible
>> hurry, even if it would be nice to get this fixed.
> 
> The failure to parse the keys in the supplementalCredentials attribute
> counts as a database error.  Once we solve that, let's see what other
> problems we have.

As you can see from my previous messages, I rebuilt our Samba DC
yesterday (and no backups of the old conf, sorry--so far I've only been
backing up the Windows DC), so I hope that by that parse error you're
referring just to the exportkeytab failure, as the other errors are no
longer reproducible for me.

> If you can send me all the files (including the smb.conf) for your
> domain GPG encrypted I'll take a look.

OK, this is what I'll do. You'll have that shortly.


Pekka L.J. Jalkanen
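The hexdump in the message above, read against the supplementalCredentials layout (USER_PROPERTIES in MS-ADTS, supplementalCredentialsBlob in Samba's drsblobs.idl): a 12-byte header whose size field says 0x62 = 98 bytes for the sub-blob, the sub-blob itself (96 bytes of UTF-16LE spaces plus the 'P' signature, and nothing after that), and one trailing reserved byte, 111 bytes in all. A parser that insists on reading the 16-bit package count after the signature runs out of data there, which is what "Pull bytes 2" reports. The parser below is an added example written for this page, not Samba's code and not something posted in the thread; the strict/lenient switch, the function names and the two constructed sample blobs are assumptions made for illustration, and the thread does not say how Samba itself ended up treating this value.

```python
import struct

SIGNATURE = 0x0050              # 'P' in UTF-16LE, per MS-ADTS USER_PROPERTIES
PREFIX = b"\x20\x00" * 0x30     # 96 bytes of UTF-16LE spaces
HEADER = struct.Struct("<III")  # unknown1, size of sub-blob, unknown2

# Constructed sample: the 111-byte value shown in the hexdump above.
BLOB_FROM_DUMP = (
    HEADER.pack(0, 0x62, 0)
    + PREFIX
    + struct.pack("<H", SIGNATURE)
    + b"\x00"                   # single trailing reserved byte
)


class ParseError(ValueError):
    """Raised where an NDR pull would fail."""


def parse_supplemental_credentials(blob, strict=True):
    """Return a list of (package_name, raw_value) tuples.

    With strict=True a sub-blob that ends right after the signature is an
    error (mirroring 'Pull bytes 2' above); with strict=False it is treated
    as zero packages.  The lenient branch is an assumption made for this
    example, not a statement about Samba's behaviour.
    """
    if len(blob) < HEADER.size + 1:
        raise ParseError("blob shorter than header plus trailing byte")
    unknown1, sub_size, unknown2 = HEADER.unpack_from(blob, 0)
    if unknown1 != 0 or unknown2 != 0:
        raise ParseError("reserved header fields are not zero")
    sub = blob[HEADER.size:HEADER.size + sub_size]
    if len(sub) != sub_size:
        raise ParseError("sub-blob truncated: header says %d, have %d"
                         % (sub_size, len(sub)))
    if len(blob) - HEADER.size - sub_size != 1:
        raise ParseError("expected exactly one byte after the sub-blob")

    if len(sub) < len(PREFIX) + 2:
        raise ParseError("sub-blob too short for prefix and signature")
    if sub[:len(PREFIX)] != PREFIX:
        raise ParseError("prefix is not 0x30 UTF-16 spaces")
    off = len(PREFIX)
    (sig,) = struct.unpack_from("<H", sub, off)
    off += 2
    if sig != SIGNATURE:
        raise ParseError("bad signature 0x%04x" % sig)

    if off == len(sub):
        # Nothing left for the 16-bit package count: this is the shape of
        # the dump above (0x62 = 96 + 2).
        if strict:
            raise ParseError("Pull bytes 2: sub-blob ends before num_packages")
        return []

    (num_packages,) = struct.unpack_from("<H", sub, off)
    off += 2
    packages = []
    for _ in range(num_packages):
        if off + 6 > len(sub):
            raise ParseError("Pull bytes 6: package header")
        name_len, data_len, _reserved = struct.unpack_from("<HHH", sub, off)
        off += 6
        if off + name_len + data_len > len(sub):
            raise ParseError("package body runs past sub-blob")
        name = sub[off:off + name_len].decode("utf-16-le")
        off += name_len
        # The value is stored as a hex string; decode it to raw bytes.
        value = bytes.fromhex(sub[off:off + data_len].decode("ascii"))
        off += data_len
        packages.append((name, value))
    if off != len(sub):
        raise ParseError("%d unparsed bytes at end of sub-blob" % (len(sub) - off))
    return packages


def build_supplemental_credentials(packages):
    """Inverse of the parser: always writes num_packages, even when zero."""
    body = b""
    for name, value in packages:
        name_bytes = name.encode("utf-16-le")
        value_hex = value.hex().encode("ascii")
        body += struct.pack("<HHH", len(name_bytes), len(value_hex), 0)
        body += name_bytes + value_hex
    sub = PREFIX + struct.pack("<HH", SIGNATURE, len(packages)) + body
    return HEADER.pack(0, len(sub), 0) + sub + b"\x00"


def strict_error(blob):
    """Error message a strict parse raises for blob, or None if it parses."""
    try:
        parse_supplemental_credentials(blob, strict=True)
    except ParseError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(len(BLOB_FROM_DUMP), "bytes:", strict_error(BLOB_FROM_DUMP))
    print("lenient:", parse_supplemental_credentials(BLOB_FROM_DUMP, strict=False))
    sample = build_supplemental_credentials([("Primary:Kerberos", b"\x01\x02")])
    print(parse_supplemental_credentials(sample))
```

Running it shows the two readings of the same 111 bytes: the strict parse stops with the "Pull bytes 2" message at exactly the point the NDR pull failed, the lenient parse yields an empty package list, and a blob built with an explicit zero package count parses cleanly in strict mode. The builder is deliberately never emitting the short form, so anything it produces round-trips; the short form only appears in the constructed BLOB_FROM_DUMP.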
