regenerating secrets.keytab

Aaron Solochek aarons-samba at aberrant.org
Thu Sep 2 16:17:33 MDT 2010


On 09/02/2010 06:11 PM, Andrew Bartlett wrote:
> On Thu, 2010-09-02 at 18:02 -0400, Aaron Solochek wrote:
>> On 09/02/2010 05:12 PM, Andrew Bartlett wrote:
>>> On Thu, 2010-09-02 at 16:29 -0400, Aaron Solochek wrote:
>>>> I'm not sure how, but my secrets.keytab is messed up.  My PDC running
>>>> samba4 is named FOO, and secrets.keytab contains 4 keys for FOO with
>>>> kvno 1.  When I run samba with -d1, I was seeing this:
>>>>
>>>>  Failed to find FOO$@BAR.COM(kvno 6) in keytab
>>>> FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
>>>>
>>>> Since I couldn't figure out how to make the keytab and ldb agree, I
>>>> hacked the keytab to set kvno = 6.  Unsurprisingly that doesn't result in
>>>> a valid keytab, so now I'm just getting decrypt integrity check errors.
>>>>
>>>> How can I fix this without wiping everything and starting over?
>>>
>>> I would run an upgradeprovision.  It will reset both passwords,
>>> hopefully getting everything right again in the process.  
>>>
>>> We could potentially split out the password changing aspect of this into
>>> another helper script, or put in the periodic password changing, but for
>>> now that's the best option. 
>>>
>>
>> This sounds good, however, I am getting these errors:
>>
>> A transaction is still active in ldb context [0x2968680] on
>> /usr/local/samba/private/sam.ldb
>> A transaction is still active in ldb context [0x3d74120] on
>> /usr/local/samba/private/idmap.ldb
>> A transaction is still active in ldb context [0x3023060] on
>> /usr/local/samba/private/secrets.ldb
>> A transaction is still active in ldb context [0x40ce300] on
>> /usr/local/samba/private/privilege.ldb
>>
>>
>> Nothing is using those files, so I'm guessing there are some stale locks
>> somewhere.  How do I clear those out?
> 
> This means that there is a bug in the version of upgradeprovision code.
> What version of Samba4 are you running?

This is the latest from git.

This is the top entry of the git log for it:

commit ed51bf5f68b77f97b00b30e1a6be3773841299b6
Author: Matthieu Patou <mat at matws.net>
Date:   Sat Aug 14 16:57:49 2010 +0400

    s4 upgradeprovision: exit with a non null return code so that it can be
    trapped in blackbox tests

-Aaron



> 
>> And to verify, I'm just doing this:
>>
>> upgradeprovision --realm=BAR.COM -U Administrator
>>
>> I don't want the full provision, which sounds like it will wipe out everything,
>> right?
> 
> Correct, a provision will wipe everything. 
> 
> Andrew Bartlett
> 
> 
> 
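A read-only way to compare the kvno values stored in a keytab with the kvno a server reports as missing, added here as an example; it is not part of this thread or of Samba's code. It assumes the file uses keytab format 0x0502, and `parse_keytab`, `check_key` and the sample data are constructed for illustration.

```python
import struct

ARCFOUR_HMAC_MD5 = 23  # Kerberos enctype number for arcfour-hmac-md5

def _counted(buf, p):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)   # pos now points past this record
        if size <= 0:                               # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = _counted(data, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        kvno = data[p + 8]                          # 8-bit kvno after name type, timestamp
        (etype,) = struct.unpack_from(">H", data, p + 9)
        _key, p = _counted(data, p + 11)            # key bytes are not needed here
        if pos - p >= 4:                            # optional 32-bit kvno, used if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return entries

def check_key(entries, principal, kvno, enctype):
    """Say whether a (principal, kvno, enctype) lookup would find a key."""
    have = sorted({k for n, k, e in entries if n == principal and e == enctype})
    if kvno in have:
        return "ok"
    if have:
        return "stale: keytab has kvno %s, need %d" % (have, kvno)
    return "missing: no enctype %d key for %s" % (enctype, principal)

def _entry(realm, name, kvno, etype, key):  # builds one constructed sample record
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + s(realm) + s(name) + struct.pack(">II", 1, 0)
            + bytes([kvno]) + struct.pack(">H", etype) + s(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: four kvno 1 keys for FOO$@BAR.COM with all-zero placeholder key bytes.
SAMPLE = b"\x05\x02" + b"".join(_entry(b"BAR.COM", b"FOO$", 1, e, bytes(n))
                                for e, n in ((1, 8), (3, 8), (17, 16), (23, 16)))
```

A "stale" result means the stored keys carry an older kvno than the one requested; rewriting only the kvno field leaves the key bytes unchanged, so decryption with them still fails its integrity check.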