Secondary DC not registered with KDC

Aaron E. ssureshot at gmail.com
Fri Jun 8 07:58:42 MDT 2012


On 06/07/2012 07:22 PM, Andrew Bartlett wrote:
> On Thu, 2012-06-07 at 11:51 -0400, Aaron E. wrote:
>> I'm scratching my head with this.. Is this a normal error with debug 3?
>> Any help in direction or troubleshooting with this is appreciated. Any
>> searches I can perform on the DB or items I need to delete or add?
>>
>>
>>    I believe this has been a good DB since alpha 18 or 19.. This is the
>> DB that I would like to turn production if I can clean up the errors and
>> get Secondary DC DNS worked through and working.. I'd hate to have to
>> reconfigure my terminal servers and group policy, squid and mailservers
>> that I've setup tuned to this installation.. I would love to start
>> migrating users in the next few weeks ..
>>
>>    Got NTLMSSP neg_flags=0x60088235
>>    Server ldap/astrodc2.astrointernal.com at ASTROINTERNAL.COM is not
>>    registered with our KDC: Miscellaneous failure (see text): Server
>>    (ldap/astrodc2.astrointernal.com at ASTROINTERNAL.COM) unknown
>>    SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
>>    NT_STATUS_INVALID_PARAMETER
>>
>> root at adc2--/opt/samba4/etc\>>  ldbsearch -H ldap://astrodc1
>> -Uadministrator%xxxxxxx |grep ldap
>>
>> servicePrincipalName: ldap/ASTRODC2.astrointernal.com/ASTROINTERNAL
>> servicePrincipalName: ldap/ASTRODC2.astrointernal.com
>> servicePrincipalName: ldap/ASTRODC2.astrointernal.com/astrointernal.com
>> servicePrincipalName:
>> ldap/be899af6-ed2d-482b-946b-c00e89915cc2._msdcs.astroin
>> servicePrincipalName: ldap/ASTRODC2
>> servicePrincipalName: ldap/astrodc1.astrointernal.com/ASTROINTERNAL
>> servicePrincipalName: ldap/astrodc1.astrointernal.com
>> servicePrincipalName: ldap/astrodc1.astrointernal.com/astrointernal.com
>> servicePrincipalName:
>> ldap/8b2675ab-c9f9-4859-85fe-425b65483ffe._msdcs.astroin
>> servicePrincipalName: ldap/ASTRODC1
>> servicePrincipalName: ldap/ASTRODC2.astrointernal.com/ASTROINTERNAL
>> servicePrincipalName: ldap/ASTRODC2.astrointernal.com
>> servicePrincipalName: ldap/ASTRODC2.astrointernal.com/astrointernal.com
>> servicePrincipalName:
>> ldap/db0a2e8d-f331-4034-b0a3-f44b9cefc246._msdcs.astroin
>> servicePrincipalName:
>> ldap/astrodc1.astrointernal.com/DomainDnsZones.astrointe
>> servicePrincipalName:
>> ldap/astrodc1.astrointernal.com/ForestDnsZones.astrointe
>> ref: ldap://astrointernal.com/CN=Configuration,DC=astrointernal,DC=com
>> ref: ldap://astrointernal.com/DC=DomainDnsZones,DC=astrointernal,DC=com
>> ref: ldap://astrointernal.com/DC=ForestDnsZones,DC=astrointernal,DC=com
>
> Can you do that search again, but like this:
>
> ldbsearch -H ldap://astrodc1
> servicePrincipalName=ldap/ASTRODC2.astrointernal.com
>
> If we have two entries with astrodc2, then we don't know which one to
> use.  We should probably also work out if we should have prevented that
> happening in the first place.
>
> Andrew Bartlett
>
>

There are two entries; one of them looks like the primary DC though?? If 
I run the same search with 
servicePrincipalName=ldap/ASTRODC1.astrointernal.com it only returns the 
one entry.

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
interpret_interface: using netmask value 32 from config file on 
interface bond0:n01
interpret_interface: using netmask value 32 from config file on 
interface bond0:n01
# record 1
dn: CN=ASTRODC1,OU=Domain Controllers,DC=astrointernal,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: ASTRODC1
instanceType: 4
whenCreated: 20120425124940.0Z
uSNCreated: 3582
name: ASTRODC1
objectGUID: 22639784-5d5c-4648-96f4-c58dd7420e34
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 129798317800000000
primaryGroupID: 516
objectSid: S-1-5-21-3977904483-3162356089-3601181703-1000
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ASTRODC1$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.0.0alpha20-GIT-2d01099
dNSHostName: astrodc1.astrointernal.com
objectCategory: 
CN=Computer,CN=Schema,CN=Configuration,DC=astrointernal,DC=com
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=ASTRODC1,OU=Domain 
Controllers,DC=astrointerna
  l,DC=com
serverReferenceBL: 
CN=ASTRODC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
  CN=Configuration,DC=astrointernal,DC=com
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: HOST/astrodc1.astrointernal.com
servicePrincipalName: HOST/astrodc1.astrointernal.com/ASTROINTERNAL
servicePrincipalName: ldap/astrodc1.astrointernal.com/ASTROINTERNAL
servicePrincipalName: GC/astrodc1.astrointernal.com/astrointernal.com
servicePrincipalName: ldap/astrodc1.astrointernal.com
servicePrincipalName: HOST/astrodc1.astrointernal.com/astrointernal.com
servicePrincipalName: ldap/astrodc1.astrointernal.com/astrointernal.com
servicePrincipalName: HOST/ASTRODC1
servicePrincipalName: 
E3514235-4B06-11D1-AB04-00C04FC2DCD2/8b2675ab-c9f9-4859-
  85fe-425b65483ffe/astrointernal.com
servicePrincipalName: 
ldap/8b2675ab-c9f9-4859-85fe-425b65483ffe._msdcs.astroin
  ternal.com
servicePrincipalName: ldap/ASTRODC1
servicePrincipalName: RestrictedKrbHost/ASTRODC1
servicePrincipalName: RestrictedKrbHost/astrodc1.astrointernal.com
servicePrincipalName: HOST/ASTRODC2.astrointernal.com
servicePrincipalName: HOST/ASTRODC2.astrointernal.com/ASTROINTERNAL
servicePrincipalName: ldap/ASTRODC2.astrointernal.com/ASTROINTERNAL
servicePrincipalName: GC/ASTRODC2.astrointernal.com/astrointernal.com
servicePrincipalName: ldap/ASTRODC2.astrointernal.com
servicePrincipalName: HOST/ASTRODC2.astrointernal.com/astrointernal.com
servicePrincipalName: ldap/ASTRODC2.astrointernal.com/astrointernal.com
servicePrincipalName: 
E3514235-4B06-11D1-AB04-00C04FC2DCD2/db0a2e8d-f331-4034-
  b0a3-f44b9cefc246/astrointernal.com
servicePrincipalName: 
ldap/db0a2e8d-f331-4034-b0a3-f44b9cefc246._msdcs.astroin
  ternal.com
servicePrincipalName: RestrictedKrbHost/ASTRODC2.astrointernal.com
servicePrincipalName: 
ldap/astrodc1.astrointernal.com/DomainDnsZones.astrointe
  rnal.com
servicePrincipalName: 
ldap/astrodc1.astrointernal.com/ForestDnsZones.astrointe
  rnal.com
whenChanged: 20120605201902.0Z
uSNChanged: 4803
distinguishedName: CN=ASTRODC1,OU=Domain Controllers,DC=astrointernal,DC=com

# record 2
dn: CN=ASTRODC2,OU=Domain Controllers,DC=astrointernal,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: ASTRODC2
instanceType: 4
whenCreated: 20120605202046.0Z
displayName: ASTRODC2$
uSNCreated: 4809
name: ASTRODC2
objectGUID: 0280fce9-2cad-4e83-bfaf-142c8c8dccae
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 516
objectSid: S-1-5-21-3977904483-3162356089-3601181703-1154
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ASTRODC2$
sAMAccountType: 805306369
dNSHostName: ASTRODC2.astrointernal.com
objectCategory: 
CN=Computer,CN=Schema,CN=Configuration,DC=astrointernal,DC=com
isCriticalSystemObject: TRUE
serverReferenceBL: 
CN=ASTRODC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
  CN=Configuration,DC=astrointernal,DC=com
pwdLastSet: 129834012460000000
userAccountControl: 532480
rIDSetReferences: CN=RID Set,CN=ASTRODC2,OU=Domain 
Controllers,DC=astrointerna
  l,DC=com
whenChanged: 20120605202109.0Z
uSNChanged: 4906
servicePrincipalName: HOST/ASTRODC2
servicePrincipalName: HOST/ASTRODC2.astrointernal.com
servicePrincipalName: GC/ASTRODC2.astrointernal.com/astrointernal.com
servicePrincipalName: 
E3514235-4B06-11D1-AB04-00C04FC2DCD2/be899af6-ed2d-482b-
  946b-c00e89915cc2/astrointernal.com
servicePrincipalName: HOST/ASTRODC2.astrointernal.com/ASTROINTERNAL
servicePrincipalName: ldap/ASTRODC2.astrointernal.com/ASTROINTERNAL
servicePrincipalName: ldap/ASTRODC2.astrointernal.com
servicePrincipalName: HOST/ASTRODC2.astrointernal.com/astrointernal.com
servicePrincipalName: ldap/ASTRODC2.astrointernal.com/astrointernal.com
servicePrincipalName: 
ldap/be899af6-ed2d-482b-946b-c00e89915cc2._msdcs.astroin
  ternal.com
servicePrincipalName: ldap/ASTRODC2
servicePrincipalName: RestrictedKrbHost/ASTRODC2
servicePrincipalName: RestrictedKrbHost/ASTRODC2.astrointernal.com
distinguishedName: CN=ASTRODC2,OU=Domain Controllers,DC=astrointernal,DC=com

# Referral
ref: ldap://astrointernal.com/CN=Configuration,DC=astrointernal,DC=com

# Referral
ref: ldap://astrointernal.com/DC=DomainDnsZones,DC=astrointernal,DC=com

# Referral
ref: ldap://astrointernal.com/DC=ForestDnsZones,DC=astrointernal,DC=com

# returned 5 records
# 2 entries
# 3 referrals
###
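
The duplicate check Andrew asks for, extended to every SPN in a dump at once. This is an added example, not part of the original thread or of Samba. It assumes LDIF saved directly from `ldbsearch` (standard one-space line folding, not mail-wrapped); the sample input is constructed from the shape of the output above, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: two entries, one SPN present on both (case differs).
SAMPLE_LDIF = "\n".join([
    "dn: CN=ASTRODC1,OU=Domain Controllers,DC=astrointernal,DC=com",
    "servicePrincipalName: ldap/astrodc1.astrointernal.com",
    "servicePrincipalName: ldap/ASTRODC2.astrointernal.com",
    "servicePrincipalName: ldap/db0a2e8d-f331-4034-b0a3-f44b9cefc246._msdcs.astroin",
    " ternal.com",
    "",
    "dn: CN=ASTRODC2,OU=Domain Controllers,DC=astrointernal,DC=com",
    "servicePrincipalName: ldap/astrodc2.astrointernal.com",
    "servicePrincipalName: ldap/be899af6-ed2d-482b-946b-c00e89915cc2._msdcs.astroin",
    " ternal.com",
])

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def spn_owners(text):
    """Map each lower-cased SPN to the set of entry DNs that carry it."""
    owners = defaultdict(set)
    dn = None
    for line in unfold(text):
        if not line.strip():
            dn = None                      # blank line ends the current entry
            continue
        attr, sep, value = line.partition(": ")
        if line.startswith("#") or not sep:
            continue                       # comments, base64 ("::") values
        if attr.lower() == "dn":
            dn = value.strip()
        elif attr.lower() == "serviceprincipalname" and dn:
            owners[value.strip().lower()].add(dn)   # SPNs compare case-insensitively
    return owners

def duplicate_spns(text):
    """Return {spn: [dn, ...]} for SPNs registered on more than one object."""
    return {s: sorted(d) for s, d in spn_owners(text).items() if len(d) > 1}

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", "; ".join(dns))
```

Any SPN it reports is one the KDC cannot map to a single account, which is the ambiguity described in the reply above.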


