Secondary DC not registered with KDC

Andrew Bartlett abartlet at samba.org
Thu Jun 7 17:22:25 MDT 2012


On Thu, 2012-06-07 at 11:51 -0400, Aaron E. wrote:
> I'm scratching my head with this.. Is this a normal error with debug 3? 
> Any help in direction or troubleshooting with this is appreciated. Any 
> searches I can perform on the DB or items I need to delete or add?
> 
> 
>   I believe this has been a good DB since alpha 18 or 19.. This is the 
> DB that I would like to turn production if I can clean up the errors and 
> get Secondary DC DNS worked through and working.. I'd hate to have to 
> reconfigure my terminal servers and group policy, squid and mailservers 
> that I've setup tuned to this installation.. I would love to start 
> migrating users in the next few weeks ..
> 
>   Got NTLMSSP neg_flags=0x60088235
>   Server ldap/astrodc2.astrointernal.com at ASTROINTERNAL.COM is not
>   registered with our KDC: Miscellaneous failure (see text): Server
>   (ldap/astrodc2.astrointernal.com at ASTROINTERNAL.COM) unknown
>   SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
>   NT_STATUS_INVALID_PARAMETER
> 
> root at adc2--/opt/samba4/etc\>> ldbsearch -H ldap://astrodc1 
> -Uadministrator%xxxxxxx |grep ldap
> 
> servicePrincipalName: ldap/ASTRODC2.astrointernal.com/ASTROINTERNAL
> servicePrincipalName: ldap/ASTRODC2.astrointernal.com
> servicePrincipalName: ldap/ASTRODC2.astrointernal.com/astrointernal.com
> servicePrincipalName: 
> ldap/be899af6-ed2d-482b-946b-c00e89915cc2._msdcs.astroin
> servicePrincipalName: ldap/ASTRODC2
> servicePrincipalName: ldap/astrodc1.astrointernal.com/ASTROINTERNAL
> servicePrincipalName: ldap/astrodc1.astrointernal.com
> servicePrincipalName: ldap/astrodc1.astrointernal.com/astrointernal.com
> servicePrincipalName: 
> ldap/8b2675ab-c9f9-4859-85fe-425b65483ffe._msdcs.astroin
> servicePrincipalName: ldap/ASTRODC1
> servicePrincipalName: ldap/ASTRODC2.astrointernal.com/ASTROINTERNAL
> servicePrincipalName: ldap/ASTRODC2.astrointernal.com
> servicePrincipalName: ldap/ASTRODC2.astrointernal.com/astrointernal.com
> servicePrincipalName: 
> ldap/db0a2e8d-f331-4034-b0a3-f44b9cefc246._msdcs.astroin
> servicePrincipalName: 
> ldap/astrodc1.astrointernal.com/DomainDnsZones.astrointe
> servicePrincipalName: 
> ldap/astrodc1.astrointernal.com/ForestDnsZones.astrointe
> ref: ldap://astrointernal.com/CN=Configuration,DC=astrointernal,DC=com
> ref: ldap://astrointernal.com/DC=DomainDnsZones,DC=astrointernal,DC=com
> ref: ldap://astrointernal.com/DC=ForestDnsZones,DC=astrointernal,DC=com

Can you do that search again, but like this:

ldbsearch -H ldap://astrodc1 servicePrincipalName=ldap/ASTRODC2.astrointernal.com

If we have two entries with astrodc2, then we don't know which one to
use.  We should probably also work out if we should have prevented that
happening in the first place.

Andrew Bartlett


-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org