GSS Update(krb5)(1) Update failed

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Tue May 4 05:41:14 MDT 2010


On 05/04/2010 12:23 PM, Andrew Bartlett wrote:
> On Tue, 2010-05-04 at 11:16 +0200, Marcel Ritter wrote:
>   
>> On 05/04/2010 06:58 AM, Rohit Rajan wrote:
>>     
>>> Dear all,
>>>       
Hi Andrew,
>> Hi,
>>
>> I'm seeing the same problems here:
>>
>> GSS Update(krb5)(1) Update failed:  Miscellaneous failure (see text):
>> Failed to find S4-DC1$@LINEX.ORG(kvno 17) in keytab
>> FILE:/var/lib/samba4/private/secrets.keytab (arcfour-hmac-md5)
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>>
>> I guess the problem is not the missing entry, but the wrong
>> KVNO (key version number):
>>
>> s4-dc1 # klist -ke FILE:/var/lib/samba4/private/secrets.keytab
>> Keytab name: FILE:/var/lib/samba4/private/secrets.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>   18 S4-DC1$@LINEX.ORG (DES cbc mode with RSA-MD5)
>>   18 S4-DC1$@LINEX.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>   18 S4-DC1$@LINEX.ORG (Triple DES cbc mode with HMAC/sha1)
>>   18 S4-DC1$@LINEX.ORG (ArcFour with HMAC/md5)
>>
>> However I have no idea where the request with a lower KVNO comes from :-(
>>     
> Can you both describe your setups a bit more?
>   
I'm running a recent git checkout (about 2 days old), waf build,
installed (using waf install).

Setup was a standard provision - nothing special.
The samba4 version has been updated several times and the
data was migrated using upgradeprovision.

DNS Server is bind 9.6.1P3 (with samba patches) running on the
same machine.

Several test clients are joined to the domain: win2k8, win7, win-xp
and Samba 3.x.

What else do you need to know?
> Also, check in particular the kvno in ms-ds-KeyVersionNumber of the
> server object in the directory.  
>   
CN=S4-DC1,OU=Domain Controllers reports:
   ms-ds-KeyVersionNumber: 18

Same KVNO as listed by "klist -ke secrets.keytab".

Any idea where else we could look for the older KVNO?
I've done a quick ldbsearch on all .ldb files - without any luck.

> I'll do my best to get to the bottom of this for you.
>
> Thanks,
>
> Andrew Bartlett
>   
Bye,
   Marcel
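
An added example, not part of the original message and not Samba code: it compares the principal, KVNO and enctype named in the GSS failure message with the entries printed by `klist -ke`, so that a missing principal, a KVNO mismatch and a missing enctype can be told apart. The sample input is copied from the output quoted above; the table mapping klist descriptions to short enctype names is an assumption covering only the four entries shown.

```python
import re

# Constructed sample input, copied from the log and klist output quoted above.
ERROR = """Failed to find S4-DC1$@LINEX.ORG(kvno 17) in keytab
FILE:/var/lib/samba4/private/secrets.keytab (arcfour-hmac-md5)"""
KLIST = """Keytab name: FILE:/var/lib/samba4/private/secrets.keytab
KVNO Principal
---- ------------------------------------------------------------
  18 S4-DC1$@LINEX.ORG (DES cbc mode with RSA-MD5)
  18 S4-DC1$@LINEX.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
  18 S4-DC1$@LINEX.ORG (Triple DES cbc mode with HMAC/sha1)
  18 S4-DC1$@LINEX.ORG (ArcFour with HMAC/md5)
"""
# Assumption: klist descriptions -> short enctype names, for these four only.
ENCTYPES = {
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
}

def parse_error(text):
    """Return (principal, kvno, enctype) named in the GSS failure message."""
    m = re.search(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab \S+ \(([^)]+)\)",
                  " ".join(text.split()))  # undo line wrapping in the log
    if m is None:
        raise ValueError("not a 'Failed to find ... in keytab' message")
    return m.group(1), int(m.group(2)), m.group(3)

def parse_klist(text):
    """Return [(principal, kvno, enctype)] from 'klist -ke' output."""
    rows = re.findall(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$", text, re.M)
    return [(p, int(k), ENCTYPES.get(d, d)) for k, p, d in rows]

def diagnose(error_text, klist_text):
    """Classify the lookup failure as (verdict, requested_kvno, keytab_kvnos)."""
    principal, kvno, enctype = parse_error(error_text)
    entries = [e for e in parse_klist(klist_text) if e[0] == principal]
    kvnos = sorted({k for _, k, _ in entries})
    if not entries:
        verdict = "principal-missing"
    elif kvno not in kvnos:
        verdict = "kvno-mismatch"
    elif (principal, kvno, enctype) not in entries:
        verdict = "enctype-missing"
    else:
        verdict = "match"
    return verdict, kvno, kvnos

if __name__ == "__main__":
    print(diagnose(ERROR, KLIST))
```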

