GSS Update(krb5)(1) Update failed

Stefan (metze) Metzmacher metze at samba.org
Fri May 7 01:35:05 MDT 2010


Andrew Bartlett schrieb:
> On Tue, 2010-05-04 at 13:41 +0200, Marcel Ritter wrote:
>> On 05/04/2010 12:23 PM, Andrew Bartlett wrote:
>>> On Tue, 2010-05-04 at 11:16 +0200, Marcel Ritter wrote:
>>>   
>>>> On 05/04/2010 06:58 AM, Rohit Rajan wrote:
>>>>     
>>>>> Dear all,
>>>>>       
>> Hi Andrew,
>>>> Hi,
>>>>
>>>> I'm seeing the same problems here:
>>>>
>>>> GSS Update(krb5)(1) Update failed:  Miscellaneous failure (see text):
>>>> Failed to find S4-DC1$@LINEX.ORG(kvno 17) in keytab
>>>> FILE:/var/lib/samba4/private/secrets.keytab (arcfour-hmac-md5)
>>>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> I guess the problem is not the missing entry, but the wrong
>>>> KVNO (key version number):
>>>>
>>>> s4-dc1 # klist -ke FILE:/var/lib/samba4/private/secrets.keytab
>>>> Keytab name: FILE:/var/lib/samba4/private/secrets.keytab
>>>> KVNO Principal
>>>> ---- --------------------------------------------------------------------------
>>>>   18 S4-DC1$@LINEX.ORG (DES cbc mode with RSA-MD5)
>>>>   18 S4-DC1$@LINEX.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>>>   18 S4-DC1$@LINEX.ORG (Triple DES cbc mode with HMAC/sha1)
>>>>   18 S4-DC1$@LINEX.ORG (ArcFour with HMAC/md5)
>>>>
>>>> However I have no idea where the request with a lower KVNO comes from :-(
>>>>     
>>> Can you both describe your setups a bit more?
>>>   
>> I'm running a recent git checkout (about 2 day old), waf build,
>> installed (using waf install).
>>
>> Setup was a standard provision - nothing special.
>> The samba4 version has been updated several times and the
>> data was migrated using upgradeprovision.
> 
>> Any idea where else we could look for the older KVNO?
>> I've done a quick ldbsearch on all .ldb files - without any luck.
> 
> OK, so the key thing here is upgradeprovision.  The issue could simply
> be that an existing client has a ticket to the server with the old
> password (they could have it for 10 hours or so, perhaps longer), and
> that for some reason we have not maintained the old password in the
> keytab.
> 
> I'm currently looking into other issues around the kvno - we need to
> rework this to use the correct algorithm (based on replPropertyMetaData,
> not a simple increasing counter). 

we need to get rid of storing msDS-KeyVersionNumber, it's a constructed
attribute using the version of the unicodePwd in the
replPropertyMetaData array.

metze
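To make the failure in the thread concrete: the acceptor looks for an entry matching the ticket's principal, kvno and enctype, so a keytab that only holds kvno 18 cannot decrypt a ticket issued under kvno 17. The following is an added example (not Samba code) that parses MIT-format keytabs the way `klist -ke` lists them and runs that lookup against a constructed secrets.keytab for S4-DC1$@LINEX.ORG; entry layout follows keytab format version 0x0502, and the key bytes are made up.

```python
import struct

def _octets(b):  # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal, realm, kvno, enctype, key):
    """Serialise one MIT keytab (format 0x0502, big-endian) entry; used here only to build samples."""
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, length, key bytes
    body += struct.pack(">I", kvno)                      # 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry, the columns `klist -ke` shows."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                     # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):                       # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        pos += 8                                         # skip name_type and timestamp
        vno8 = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append(("/".join(parts[1:]) + "@" + parts[0], vno or vno8, enctype))
        pos = end
    return entries

def find_key(entries, principal, kvno, enctype):
    """The acceptor's lookup: principal, kvno AND enctype of the ticket must all match one entry."""
    return (principal, kvno, enctype) in entries

def sample_keytab(kvnos, enctype=23):
    """Constructed secrets.keytab for S4-DC1$@LINEX.ORG, one key per kvno (23 = arcfour-hmac-md5)."""
    return b"\x05\x02" + b"".join(
        build_entry("S4-DC1$", "LINEX.ORG", k, enctype, bytes([k]) * 16) for k in kvnos)
```

Running `find_key` against `sample_keytab([18])` reproduces the "kvno 17 not found" failure, while `sample_keytab([17, 18])` models the mitigation Andrew describes: keeping the previous password's keys in the keytab until tickets issued under it have expired.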
