regenerating secrets.keytab

Andrew Bartlett abartlet at samba.org
Thu Sep 2 22:45:35 MDT 2010


On Thu, 2010-09-02 at 18:17 -0400, Aaron Solochek wrote:
> On 09/02/2010 06:11 PM, Andrew Bartlett wrote:
> > On Thu, 2010-09-02 at 18:02 -0400, Aaron Solochek wrote:
> >> On 09/02/2010 05:12 PM, Andrew Bartlett wrote:
> >>> On Thu, 2010-09-02 at 16:29 -0400, Aaron Solochek wrote:
> >>>> I'm not sure how, but my secrets.keytab is messed up.  My PDC running
> >>>> samba4 is named FOO, and secrets.keytab contains 4 keys for FOO with
> >>>> kvno 1.  When I run samba with -d1, I was seeing this:
> >>>>
> >>>>  Failed to find FOO$@BAR.COM(kvno 6) in keytab
> >>>> FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
> >>>>
> >>>> Since I couldn't figure out how to make the keytab and ldb agree, I
> >>>> hacked the keytab to set kvno =6.  Unsurprisingly that doesn't result in
> >>>> a valid keytab, so now I'm just getting decrypt integrity check errors.
> >>>>
> >>>> How can I fix this without wiping everything and starting over?
> >>>
> >>> I would run an upgradeprovision.  It will reset both passwords,
> >>> hopefully getting everything right again in the process.  
> >>>
> >>> We could potentially split out the password changing aspect of this into
> >>> another helper script, or put in the periodic password changing, but for
> >>> now that's the best option. 
> >>>
> >>
> >> This sounds good, however, I am getting these errors:
> >>
> >> A transaction is still active in ldb context [0x2968680] on
> >> /usr/local/samba/private/sam.ldb
> >> A transaction is still active in ldb context [0x3d74120] on
> >> /usr/local/samba/private/idmap.ldb
> >> A transaction is still active in ldb context [0x3023060] on
> >> /usr/local/samba/private/secrets.ldb
> >> A transaction is still active in ldb context [0x40ce300] on
> >> /usr/local/samba/private/privilege.ldb
> >>
> >>
> >> nothing is using those files, so I'm guessing there are some stale locks
> >> somewhere.  How do I clear those out?
> > 
> > This means that there is a bug in the version of upgradeprovision code.
> > What version of Samba4 are you running?
> 
> This is the latest from git.
> 
> this is the top entry of the git log for it:
> 
> commit ed51bf5f68b77f97b00b30e1a6be3773841299b6
> Author: Matthieu Patou <mat at matws.net>
> Date:   Sat Aug 14 16:57:49 2010 +0400
> 
>     s4 upgradeprovision: exit with a non null return code so that it can be trapped in blackbox tests

Your best bet would be to work with Matthieu to determine what is wrong
with upgradeprovision or your invocation of it. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.