regenerating secrets.keytab
Andrew Bartlett
abartlet at samba.org
Thu Sep 2 16:11:03 MDT 2010
On Thu, 2010-09-02 at 18:02 -0400, Aaron Solochek wrote:
> On 09/02/2010 05:12 PM, Andrew Bartlett wrote:
> > On Thu, 2010-09-02 at 16:29 -0400, Aaron Solochek wrote:
> >> I'm not sure how, but my secrets.keytab is messed up. My PDC running
> >> samba4 is named FOO, and secrets.keytab contains 4 keys for FOO with
> >> kvno 1. When I run samba with -d1, I was seeing this:
> >>
> >> Failed to find FOO$@BAR.COM(kvno 6) in keytab
> >> FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
> >>
> >> Since I couldn't figure out how to make the keytab and ldb agree, I
> >> hacked the keytab to set kvno =6. Unsurprisingly that doesn't result in
> >> a valid keytab, so now I'm just getting decrypt integrity check errors.
> >>
> >> How can I fix this without wiping everything and starting over?
> >
> > I would run an upgradeprovision. It will reset both passwords,
> > hopefully getting everything right again in the process.
> >
> > We could potentially split out the password changing aspect of this into
> > another helper script, or put in the periodic password changing, but for
> > now that's the best option.
> >
>
> This sounds good, however, I am getting these errors:
>
> A transaction is still active in ldb context [0x2968680] on
> /usr/local/samba/private/sam.ldb
> A transaction is still active in ldb context [0x3d74120] on
> /usr/local/samba/private/idmap.ldb
> A transaction is still active in ldb context [0x3023060] on
> /usr/local/samba/private/secrets.ldb
> A transaction is still active in ldb context [0x40ce300] on
> /usr/local/samba/private/privilege.ldb
>
>
> Nothing is using those files, so I'm guessing there are some stale locks
> somewhere. How do I clear those out?

This means that there is a bug in the version of upgradeprovision code.
What version of Samba4 are you running?

> And to verify, I'm just doing this:
>
> upgradeprovision --realm=BAR.COM -U Administrator
>
> I don't want the full provision, which sounds like it will wipe out everything,
> right?

Correct, a provision will wipe everything.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
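
Added example, not part of the original message and not Samba code: a minimal reader for the keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype, to show why a lookup for FOO$@BAR.COM at kvno 6 finds nothing in a keytab whose keys are all kvno 1. The kvno is only a label stored beside the key bytes, so relabelling an entry leaves the old key in place. The helper names and the sample keytab (dummy all-zero keys, constructed enctype mix) are assumptions made for illustration.

```python
import struct

ARCFOUR_HMAC_MD5 = 23  # Kerberos enctype number for arcfour-hmac-md5

def _counted(data, pos):
    """Read a uint16 length-prefixed string; return (text, next_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c)
        p += 8                   # skip name_type and timestamp
        kvno = data[p]           # 8-bit kvno
        enctype, keylen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + keylen          # kvno byte, enctype, key length, key bytes
        if end - p >= 4:         # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def has_key(entries, principal, kvno, enctype):
    """True if the exact (principal, kvno, enctype) triple is present."""
    return (principal, kvno, enctype) in entries

def sample_keytab():
    """Constructed sample: four FOO$@BAR.COM keys at kvno 1, dummy key bytes."""
    out = b"\x05\x02"
    for enctype, keylen in ((23, 16), (18, 32), (17, 16), (3, 8)):
        body = struct.pack(">HH", 1, 7) + b"BAR.COM" + struct.pack(">H", 4) + b"FOO$"
        body += struct.pack(">IIBHH", 1, 0, 1, enctype, keylen) + bytes(keylen)
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", 1)
    return out
```
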