Failed to find DC in keytab, gpupdate fails

Krzysztof Paszkowski kylo at kimpa.pl
Thu Mar 29 10:42:09 UTC 2018


Hi all,

I've been using a Samba4 AD DC for a while. I started from 4.1; now I have the
latest version of 4.7.

Everything was great, but suddenly computers were unable to install software
via GPO.

I'm looking for help, because I've been fighting for almost a week and I'm
unable to find the cause.

 

I saw these logs on my main DC (and only there):

 

[2018/03/28 09:11:29.622673,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/03/28 09:11:29.695783,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

This error repeats every time a computer turns on and tries to obtain group
policy, or when I try to open \\DOMAIN.NET.PL, although I can reach
\\dc.domain.net.pl and the shares of all the other DCs.

 

I was googling, but I couldn't find a resolution to my problem. The closest
one had unnecessary lines in smb.conf (with idmap and acl_xattr).

 

[root@dc samba-4.7.6]# klist -ke FILE:/usr/local/samba/private/secrets.keytab
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-md5)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-md5)
   1 DC$@DOMAIN.NET.PL (des-cbc-md5)
   1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 HOST/dc@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)

Version 4.7.6, built from source, pretty much always according to the Wiki.

Internal DNS; DNS is working.

Domain computers can connect to the domain.

samba-tool ntacl sysvolreset and samba-tool dbcheck --cross-ncs --fix do not
help.

I have updated from 4.7.4 to 4.7.6, but it is still the same.

I have 5 AD DCs in the domain.

 

**** smb.conf

[global]
        workgroup = DOMAIN
        realm = DOMAIN.NET.PL
        netbios name = DC
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
#       log level = 3 passdb:5 auth:5
        bind interfaces only = yes
        interfaces = lo eth0
        log level = 1 auth_audit:1
        allow dns updates = nonsecure
        ntlm auth = yes
        template shell = /bin/bash
        template homedir = /tmp

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[users$]
        path = /usr/local/samba/var/data/users
        comment = user folders for folder redirection
        read only = No

[udzial]
        path = /usr/local/samba/var/data/udzial
        read only = No
        vfs objects = recycle
        recycle:repository = .recycle/%u
        recycle:keeptree = yes
        recycle:touch = yes
        recycle:versions = yes
        recycle:inherit_nt_acl = Yes
        recycle:directory_mode = 0700

**** /etc/krb5.conf

[libdefaults]
        default_realm = DOMAIN.NET.PL
        dns_lookup_realm = false
        dns_lookup_kdc = true

**** /etc/hosts

127.0.0.1   localhost.localdomain       localhost
10.1.10.11      dc.domain.net.pl        dc

**** /etc/resolv.conf

search domain.net.pl
nameserver 10.3.10.1
nameserver 10.6.10.1
nameserver 10.10.10.1
nameserver 127.0.0.1

I would be grateful for any hint.

 

Regards,

Kris
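
Added example, not part of Kris's post and not Samba code: the gensec_gssapi message above asks the keytab for DC$@DOMAIN.NET.PL at kvno 2 with aes256-cts-hmac-sha1-96, while every entry klist lists is kvno 1. The script below parses klist -ke output and a "Failed to find ... in keytab" message (joined onto one line, as Samba logs it before the mail client wrapped it) and classifies the failure as principal missing, kvno mismatch, or enctype missing, so the three cases are not confused while troubleshooting. The sample inputs are constructed from the post; the function and field names are my own.

```python
import re

# Constructed sample: a trimmed copy of the klist -ke output shape from the post.
KLIST_OUTPUT = """\
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
"""

# Constructed sample: the gensec_gssapi message from the post, joined onto one line.
ERROR_LINE = (
    "GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): "
    "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
    "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)"
)

# One klist -ke entry line: "<kvno> <principal> (<enctype>)".
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# The "Failed to find <principal>(kvno N) in keytab <path> (<enctype>)" part of the log line.
FAILED_TO_FIND = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)


def parse_klist(text):
    """Return the set of (kvno, principal, enctype) entries listed by klist -ke."""
    entries = set()
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.add((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_failure(line):
    """Extract principal, kvno, keytab path and enctype from a 'Failed to find' line."""
    m = FAILED_TO_FIND.search(line)
    if m is None:
        return None
    return {
        "principal": m.group("principal"),
        "kvno": int(m.group("kvno")),
        "keytab": m.group("keytab"),
        "enctype": m.group("enctype"),
    }


def diagnose(klist_text, error_line):
    """Classify why the key named in the error could not be found in the keytab."""
    want = parse_failure(error_line)
    if want is None:
        return {"status": "unparsed"}
    entries = parse_klist(klist_text)
    same_principal = [(k, e) for k, p, e in entries if p == want["principal"]]
    kvnos = sorted({k for k, _ in same_principal})
    enctypes_at_kvno = sorted({e for k, e in same_principal if k == want["kvno"]})
    if (want["kvno"], want["principal"], want["enctype"]) in entries:
        status = "present"            # keytab has the key; look elsewhere
    elif not same_principal:
        status = "principal-missing"  # no key at all for that principal
    elif want["kvno"] not in kvnos:
        status = "kvno-mismatch"      # principal present, but only at other kvnos
    else:
        status = "enctype-missing"    # right kvno, but not that encryption type
    return {
        "status": status,
        "wanted": want,
        "keytab_kvnos": kvnos,
        "keytab_enctypes_at_wanted_kvno": enctypes_at_kvno,
    }


if __name__ == "__main__":
    result = diagnose(KLIST_OUTPUT, ERROR_LINE)
    print(result["status"], "- wanted kvno", result["wanted"]["kvno"],
          "but keytab has kvnos", result["keytab_kvnos"])
```

On the post's data this reports kvno-mismatch: the caller presented a ticket encrypted under key version 2, but secrets.keytab only holds version 1 of the DC$ key. In Active Directory the kvno is the machine account's msDS-KeyVersionNumber attribute, so the next check is to compare that attribute for the DC's account in the directory against what the keytab holds.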
