regenerating secrets.keytab

Aaron Solochek aarons-samba at
Thu Sep 2 14:29:12 MDT 2010

I'm not sure how, but my secrets.keytab is messed up.  My PDC running
samba4 is named FOO, and secrets.keytab contains 4 keys for FOO with
kvno 1.  When I run samba with -d1, I was seeing this:

 Failed to find FOO$@BAR.COM(kvno 6) in keytab
FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)

Since I couldn't figure out how to make the keytab and ldb agree, I
hacked the keytab to set kvno =6.  Unsurprisingly that doesn't result in
a valid keytab, so now I'm just getting decrypt integrity check errors.

How can I fix this without wiping everything and starting over?


p.s: as an interesting side note, there are a couple of hostnames that
resolve to foo.  If, from a windows machine, I attempt to open \\FOO, I
am prompted for a login (because of the decryption failure, I assume --
it never used to prompt) which never succeeds, but if I open \\,
which also resolves to the same IP as foo, it actually shows me the
shares (maybe they're cached?) although I get a misc. error when I try
to open them.

More information about the samba-technical mailing list