regenerating secrets.keytab

Matthieu Patou mat at samba.org
Thu Sep 2 23:11:36 MDT 2010



"Andrew Bartlett" <abartlet at samba.org> wrote:

>On Thu, 2010-09-02 at 18:17 -0400, Aaron Solochek wrote:
>> On 09/02/2010 06:11 PM, Andrew Bartlett wrote:
>> > On Thu, 2010-09-02 at 18:02 -0400, Aaron Solochek wrote:
>> >> On 09/02/2010 05:12 PM, Andrew Bartlett wrote:
>> >>> On Thu, 2010-09-02 at 16:29 -0400, Aaron Solochek wrote:
>> >>>> I'm not sure how, but my secrets.keytab is messed up.  My PDC running
>> >>>> samba4 is named FOO, and secrets.keytab contains 4 keys for FOO with
>> >>>> kvno 1.  When I run samba with -d1, I was seeing this:
>> >>>>
>> >>>>  Failed to find FOO$@BAR.COM(kvno 6) in keytab
>> >>>> FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
>> >>>>
>> >>>> Since I couldn't figure out how to make the keytab and ldb agree, I
>> >>>> hacked the keytab to set kvno =6.  Unsurprisingly that doesn't result in
>> >>>> a valid keytab, so now I'm just getting decrypt integrity check errors.
>> >>>>
>> >>>> How can I fix this without wiping everything and starting over?
>> >>>
>> >>> I would run an upgradeprovision.  It will reset both passwords,
>> >>> hopefully getting everything right again in the process.  
>> >>>
>> >>> We could potentially split out the password changing aspect of this into
>> >>> another helper script, or put in the periodic password changing, but for
>> >>> now that's the best option. 
>> >>>
>> >>
>> >> This sounds good, however, I am getting these errors:
>> >>
>> >> A transaction is still active in ldb context [0x2968680] on
>> >> /usr/local/samba/private/sam.ldb
>> >> A transaction is still active in ldb context [0x3d74120] on
>> >> /usr/local/samba/private/idmap.ldb
>> >> A transaction is still active in ldb context [0x3023060] on
>> >> /usr/local/samba/private/secrets.ldb
>> >> A transaction is still active in ldb context [0x40ce300] on
>> >> /usr/local/samba/private/privilege.ldb
>> >>
This is sent by upgradeprovision when something really unexpected happened ... send the full output.
>> >>
>> >> nothing is using those files, so I'm guessing there are some stale locks
>> >> somewhere.  How do I clear those out?
>> > 
>> > This means that there is a bug in the version of upgradeprovision code.


Matthieu Patou
Samba team
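The kvno mismatch reported at the top of this thread (keytab keys at kvno 1, server asking for kvno 6) can be confirmed by reading the keytab directly. The following is an added example, not part of the original thread or of Samba's code: a read-only parser for the MIT keytab file format 0x0502, run over a constructed sample. The helper names (`build_entry`, `parse_keytab`, `has_key`) and the dummy key bytes are assumptions made for illustration.

```python
import struct

def build_entry(realm, components, kvno, enctype, key):
    """Serialize one keytab entry; used only to build the constructed sample."""
    cstr = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + cstr(realm)
    body += b"".join(cstr(c) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + cstr(key)   # keyblock: enctype, length, bytes
    body += struct.pack(">I", kvno)                  # optional trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        names = []
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            names.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + klen
        if end - pos >= 4:             # 32-bit kvno overrides the 8-bit one if non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def has_key(entries, principal, kvno, enctype):
    """True if the keytab holds a key for exactly this principal, kvno and enctype."""
    return (principal, kvno, enctype) in entries

# Constructed sample mirroring the report: four FOO$ keys, all kvno 1, dummy key bytes.
SAMPLE = b"\x05\x02" + b"".join(
    build_entry(b"BAR.COM", [b"FOO$"], 1, et, bytes(16)) for et in (23, 17, 18, 3))
ENTRIES = parse_keytab(SAMPLE)
```

Enctype 23 is arcfour-hmac-md5, the type named in the log line. To inspect a real file, pass the bytes of a copy of it to `parse_keytab`.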



More information about the samba-technical mailing list