regenerating secrets.keytab

Andrew Bartlett abartlet at samba.org
Thu Sep 2 15:12:02 MDT 2010


On Thu, 2010-09-02 at 16:29 -0400, Aaron Solochek wrote:
> I'm not sure how, but my secrets.keytab is messed up.  My PDC running
> samba4 is named FOO, and secrets.keytab contains 4 keys for FOO with
> kvno 1.  When I run samba with -d1, I was seeing this:
> 
>  Failed to find FOO$@BAR.COM(kvno 6) in keytab
> FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
> 
> Since I couldn't figure out how to make the keytab and ldb agree, I
> hacked the keytab to set kvno =6.  Unsurprisingly that doesn't result in
> a valid keytab, so now I'm just getting decrypt integrity check errors.
> 
> How can I fix this without wiping everything and starting over?

I would run an upgradeprovision.  It will reset both passwords,
hopefully getting everything right again in the process.  

We could potentially split out the password changing aspect of this into
another helper script, or put in the periodic password changing, but for
now that's the best option. 

> -Aaron
> 
> 
> p.s: as an interesting side note, there are a couple of hostnames that
> resolve to foo.  If, from a windows machine, I attempt to open \\FOO, I
> am prompted for a login (because of the decryption failure, I assume --
> it never used to prompt) which never succeeds, but if I open \\bar.com,
> which also resolves to the same IP as foo, it actually shows me the
> shares (maybe they're cached?) although I get a misc. error when I try
> to open them.

bar.com will not be in the KDC's list of hosts, but would normally
redirect via MSDFS.  However, because we don't implement that, a
connection is made, and NTLMSSP authentication succeeds.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
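Added example, not part of the thread above and not Samba code: a small parser for the keytab file format (version 0x0502, as written by MIT and Heimdal) that reproduces the check behind the "Failed to find FOO$@BAR.COM(kvno 6)" message, so the keytab's contents can be compared against what the directory expects before anything is hand-edited. The keytab bytes are constructed inline (four kvno-1 keys for FOO$@BAR.COM with zero-filled placeholder keys, mirroring the post); the directory-side value of 6 stands in for the msDS-KeyVersionNumber you would read from the machine account in sam.ldb, which is this example's assumption about where the expected kvno comes from, not something the thread states.

```python
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "FOO$@BAR.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def build_keytab(entries):
    """Serialize entries as a v2 keytab (0x0502). Used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))                 # component count (realm not counted in v2)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)                          # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", e.timestamp)
        body += struct.pack(">B", e.kvno & 0xFF)              # 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                     # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a v2 keytab. Negative record sizes are deleted slots and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end, p = pos + size, pos
        ncomp, rlen = struct.unpack_from(">HH", data, p); p += 4
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        key = bytes(data[p:p + klen]); p += klen
        kvno = vno8
        if end - p >= 4:                                      # 32-bit vno present; it wins if non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, timestamp))
        pos = end
    return entries


def find_key(entries, principal, kvno, enctype):
    """The lookup the KDC/server performs: exact principal, kvno and enctype."""
    for e in entries:
        if (e.principal, e.kvno, e.enctype) == (principal, kvno, enctype):
            return e
    return None


def kvno_mismatches(entries, directory_kvno):
    """directory_kvno maps principal -> kvno the directory expects (assumed: msDS-KeyVersionNumber)."""
    return [(e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.kvno, directory_kvno[e.principal])
            for e in entries if e.principal in directory_kvno and e.kvno != directory_kvno[e.principal]]


def sample_entries():
    """Constructed: four kvno-1 keys for FOO$@BAR.COM, as in the post. Keys are zero placeholders."""
    return [KeytabEntry("FOO$@BAR.COM", 1, et, b"\x00" * ln, 1283450000)
            for et, ln in ((23, 16), (17, 16), (18, 32), (3, 8))]


def sample_keytab():
    return build_keytab(sample_entries())


if __name__ == "__main__":
    entries = parse_keytab(sample_keytab())
    for e in entries:
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print("kvno 6 arcfour key present:", find_key(entries, "FOO$@BAR.COM", 6, 23) is not None)
    print("mismatches vs directory:", kvno_mismatches(entries, {"FOO$@BAR.COM": 6}))
```

On a real host, replace sample_keytab() with the bytes of /usr/local/samba/private/secrets.keytab; MIT's `klist -kte` prints the same kvno, timestamp and enctype columns. The point of the check is that bumping the vno bytes in the file (what the original poster tried) cannot help: the kvno is only a label for which password derived the key, so a kvno-6 entry carrying kvno-1 key material still fails with a decrypt integrity error, which is why both the password and the keytab have to be regenerated together.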