regenerating secrets.keytab

Aaron Solochek aarons-samba at aberrant.org
Thu Sep 2 16:02:27 MDT 2010 

On 09/02/2010 05:12 PM, Andrew Bartlett wrote:
> On Thu, 2010-09-02 at 16:29 -0400, Aaron Solochek wrote:
>> I'm not sure how, but my secrets.keytab is messed up.  My PDC running
>> samba4 is named FOO, and secrets.keytab contains 4 keys for FOO with
>> kvno 1.  When I run samba with -d1, I was seeing this:
>>
>>  Failed to find FOO$@BAR.COM(kvno 6) in keytab
>> FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
>>
>> Since I couldn't figure out how to make the keytab and ldb agree, I
>> hacked the keytab to set kvno =6.  Unsurprisingly that doesn't result in
>> a valid keytab, so now I'm just getting decrypt integrity check errors.
>>
>> How can I fix this without wiping everything and starting over?
> 
> I would run an upgradeprovision.  It will reset both passwords,
> hopefully getting everything right again in the process.  
> 
> We could potentially split out the password changing aspect of this into
> another helper script, or put in the periodic password changing, but for
> now that's the best option. 
> 

This sounds good, however, I am getting these errors:

A transaction is still active in ldb context [0x2968680] on
/usr/local/samba/private/sam.ldb
A transaction is still active in ldb context [0x3d74120] on
/usr/local/samba/private/idmap.ldb
A transaction is still active in ldb context [0x3023060] on
/usr/local/samba/private/secrets.ldb
A transaction is still active in ldb context [0x40ce300] on
/usr/local/samba/private/privilege.ldb


nothing is using those files, so I'm guessing there are some stale locks
somewhere.  How do I clear those out?

And to verify, I'm just doing this:

upgradeprovision --realm=BAR.COM -U Administrator

I don't want the full provision, which sounds like it will wipe out everything,
right?

Thank you.

-Aaron


>> p.s: as an interesting side note, there are a couple of hostnames that
>> resolve to foo.  If, from a windows machine, I attempt to open \\FOO, I
>> am prompted for a login (because of the decryption failure, I assume --
>> it never used to prompt) which never succeeds, but if I open \\bar.com,
>> which also resolves to the same IP as foo, it actually shows me the
>> shares (maybe they're cached?) although I get a misc. error when I try
>> to open them.
> 
> bar.com will not be in the KDC's list of hosts, but would normally
> redirect via MSDFS.  However, because we don't implement that, a
> connection is made, and NTLMSSP authentication succeeds.
> 
> Andrew Bartlett
> 
> 
> 
> 
> !DSPAM:4c80138e304191147317853!

More information about the samba-technical mailing list