GSS Update(krb5)(1) Update failed
Stefan (metze) Metzmacher
metze at samba.org
Fri May 7 01:35:05 MDT 2010
Andrew Bartlett wrote:
> On Tue, 2010-05-04 at 13:41 +0200, Marcel Ritter wrote:
>> On 05/04/2010 12:23 PM, Andrew Bartlett wrote:
>>> On Tue, 2010-05-04 at 11:16 +0200, Marcel Ritter wrote:
>>>> On 05/04/2010 06:58 AM, Rohit Rajan wrote:
>>>>> Dear all,
>> Hi Andrew,
>>>> I'm seeing the same problems here:
>>>> GSS Update(krb5)(1) Update failed: Miscellaneous failure (see text):
>>>> Failed to find S4-DC1$@LINEX.ORG(kvno 17) in keytab
>>>> FILE:/var/lib/samba4/private/secrets.keytab (arcfour-hmac-md5)
>>>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>>>> I guess the problem is not the missing entry, but the wrong
>>>> KVNO (key version number):
>>>> s4-dc1 # klist -ke FILE:/var/lib/samba4/private/secrets.keytab
>>>> Keytab name: FILE:/var/lib/samba4/private/secrets.keytab
>>>> KVNO Principal
>>>> 18 S4-DC1$@LINEX.ORG (DES cbc mode with RSA-MD5)
>>>> 18 S4-DC1$@LINEX.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>>> 18 S4-DC1$@LINEX.ORG (Triple DES cbc mode with HMAC/sha1)
>>>> 18 S4-DC1$@LINEX.ORG (ArcFour with HMAC/md5)
>>>> However I have no idea where the request with a lower KVNO comes from :-(
>>> Can you both describe your setups a bit more?
>> I'm running a recent git checkout (about 2 days old), waf build,
>> installed (using waf install).
>> Setup was a standard provision - nothing special.
>> The samba4 version has been updated several times and the
>> data was migrated using upgradeprovision.
>> Any idea where else we could look for the older KVNO?
>> I've done a quick ldbsearch on all .ldb files - without any luck.
> OK, so the key thing here is upgradeprovision. The issue could simply
> be that an existing client has a ticket to the server with the old
> password (they could have it for 10 hours or so, perhaps longer), and
> that for some reason we have not maintained the old password in the
> I'm currently looking into other issues around the kvno - we need to
> rework this to use the correct algorithm (based on replPropertyMetaData,
> not a simple increasing counter).
We need to get rid of storing msDs-KeyVersionNumber, it's a constructed
attribute using the version of the unicodePwd in the
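Added example (not part of the original thread, and not Samba code): a small Python triage helper that compares the kvno and enctype named in the GSS error quoted above with the `klist -ke` listing, to tell a stale-ticket kvno mismatch apart from a missing principal or enctype. The result labels and function names are hypothetical; the sample input is copied from the messages above.

```python
import re

# Descriptive enctype names as printed by `klist -ke` in the thread, mapped to
# the short names used in the GSS error text.
ENCTYPES = {
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
}
ERROR_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab\s+\S+\s+\(([^)]+)\)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Sample input copied from the thread above.
SAMPLE_ERROR = """GSS Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Failed to find S4-DC1$@LINEX.ORG(kvno 17) in keytab
FILE:/var/lib/samba4/private/secrets.keytab (arcfour-hmac-md5)"""
SAMPLE_KLIST = """Keytab name: FILE:/var/lib/samba4/private/secrets.keytab
KVNO Principal
  18 S4-DC1$@LINEX.ORG (DES cbc mode with RSA-MD5)
  18 S4-DC1$@LINEX.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
  18 S4-DC1$@LINEX.ORG (Triple DES cbc mode with HMAC/sha1)
  18 S4-DC1$@LINEX.ORG (ArcFour with HMAC/md5)"""

def parse_keytab_listing(text):
    """Return a set of (principal, kvno, enctype) from `klist -ke` output."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)  # header lines do not start with a number
        if m:
            kvno, principal, desc = m.groups()
            entries.add((principal, int(kvno), ENCTYPES.get(desc, desc)))
    return entries

def diagnose(error_text, klist_text):
    """Classify why the acceptor could not find a key for the ticket."""
    m = ERROR_RE.search(error_text)
    if not m:
        return "no-keytab-error"
    principal, kvno, enctype = m.group(1), int(m.group(2)), m.group(3)
    mine = {(k, e) for p, k, e in parse_keytab_listing(klist_text) if p == principal}
    if not mine:
        return "principal-missing"
    if (kvno, enctype) in mine:
        return "key-present"
    kvnos = {k for k, e in mine if e == enctype}
    if not kvnos:
        return "enctype-missing"
    # Ticket encrypted with an older key than any the keytab still holds.
    return "ticket-kvno-older" if kvno < min(kvnos) else "ticket-kvno-newer"
```

For the thread's data, `diagnose(SAMPLE_ERROR, SAMPLE_KLIST)` returns `"ticket-kvno-older"`: the principal and enctype are present, but only at kvno 18.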