Failed to find DC in keytab, gpupdate fails
Krzysztof Paszkowski
kylo at kimpa.pl
Thu Mar 29 10:42:09 UTC 2018
Hi all,
I've been using Samba4 AD DC for a while. I started with 4.1, and now I have the latest version from 4.7.
Everything was great, but suddenly computers became unable to install software via GPO.
I'm looking for help, because I've been fighting this for almost a week and I'm unable to find the cause.
I saw the following logs on my main DC (and only there):
[2018/03/28 09:11:29.622673, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/03/28 09:11:29.695783, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
This error repeats every time a computer turns on and tries to obtain group policy, or when I try to open \\DOMAIN.NET.PL, although I can reach \\dc.domain.net.pl and the shares of all the other DCs.
I was googling, but I couldn't find a resolution to my problem. The closest one had unnecessary lines in smb.conf (with idmap and acl_xattr).
[root@dc samba-4.7.6]# klist -ke FILE:/usr/local/samba/private/secrets.keytab
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-md5)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-md5)
   1 DC$@DOMAIN.NET.PL (des-cbc-md5)
   1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 HOST/dc@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
Version 4.7.6, built from source, pretty much always according to the Wiki.
Internal DNS, and DNS is working.
Domain computers can connect to the domain.
samba-tool ntacl sysvolreset and samba-tool dbcheck --cross-ncs --fix don't help.
I have updated from 4.7.4 to 4.7.6, but it's still the same.
I have 5 AD DCs in the domain.
**** smb.conf
[global]
    workgroup = DOMAIN
    realm = DOMAIN.NET.PL
    netbios name = DC
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    # log level = 3 passdb:5 auth:5
    bind interfaces only = yes
    interfaces = lo eth0
    log level = 1 auth_audit:1
    allow dns updates = nonsecure
    ntlm auth = yes
    template shell = /bin/bash
    template homedir = /tmp

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[users$]
    path = /usr/local/samba/var/data/users
    comment = user folders for folder redirection
    read only = No

[udzial]
    path = /usr/local/samba/var/data/udzial
    read only = No
    vfs objects = recycle
    recycle:repository = .recycle/%u
    recycle:keeptree = yes
    recycle:touch = yes
    recycle:versions = yes
    recycle:inherit_nt_acl = Yes
    recycle:directory_mode = 0700
**** /etc/krb5.conf
[libdefaults]
    default_realm = DOMAIN.NET.PL
    dns_lookup_realm = false
    dns_lookup_kdc = true

**** /etc/hosts
127.0.0.1   localhost.localdomain localhost
10.1.10.11  dc.domain.net.pl dc

**** /etc/resolv.conf
search domain.net.pl
nameserver 10.3.10.1
nameserver 10.6.10.1
nameserver 10.10.10.1
nameserver 127.0.0.1
I would be grateful for any hint.
Regards,
Kris
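The error in the post asks for DC$@DOMAIN.NET.PL at key version 2, while every entry in the `klist -ke` listing is kvno 1, so the keytab on this DC is older than the key the client's ticket was issued against. The script below is an added example, not code from the original post or from Samba: it parses `klist -ke` output and the gensec_gssapi error line and classifies the failure as a missing principal, a kvno mismatch, a missing encryption type, or a true match (in which case the keytab is not the cause). The sample keytab listing and log line are constructed to mirror the post; the script name keytab_check.py in the usage comment is a placeholder.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input mirroring the keytab listing in the post
# (only the DC$ and short HOST/ principals are kept for brevity).
SAMPLE_KLIST = """Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 HOST/dc@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
"""

# Constructed sample of the gensec_gssapi error line from the post.
SAMPLE_ERROR = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
    "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)"
)

# One `klist -ke` entry: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# The MIT krb5 "Failed to find ... in keytab" message as it appears in the Samba log
ERROR_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \((\S+)\)")


def parse_klist(text):
    """Map principal -> {kvno -> set of enctypes} from `klist -ke` output."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            entries[principal][kvno].add(enctype)
    return entries


def parse_error(line):
    """Extract principal, kvno, keytab path and enctype from the error line."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    return {
        "principal": m.group(1),
        "kvno": int(m.group(2)),
        "keytab": m.group(3),
        "enctype": m.group(4),
    }


def diagnose(klist_text, error_line):
    """Classify why the server-side keytab lookup failed.

    "status" is one of:
      no_keytab_error   - the line is not a keytab lookup failure
      principal_missing - the principal has no entry in the keytab at all
      kvno_mismatch     - principal present, but not at the requested kvno
                          (the keytab is older than the key the ticket uses)
      enctype_missing   - kvno present, but not with the requested enctype
      ok                - a matching entry exists; the keytab is not the cause
    """
    err = parse_error(error_line)
    if err is None:
        return {"status": "no_keytab_error"}
    result = dict(err)
    versions = parse_klist(klist_text).get(err["principal"])
    if not versions:
        result["status"] = "principal_missing"
        return result
    result["kvnos_in_keytab"] = sorted(versions)
    if err["kvno"] not in versions:
        result["status"] = "kvno_mismatch"
    elif err["enctype"] not in versions[err["kvno"]]:
        result["status"] = "enctype_missing"
    else:
        result["status"] = "ok"
    return result


if __name__ == "__main__":
    # Usage: klist -ke FILE:/path/to/secrets.keytab | python3 keytab_check.py "<log line>"
    # With no arguments, the constructed samples from the post are used.
    if len(sys.argv) > 1:
        print(diagnose(sys.stdin.read(), sys.argv[1]))
    else:
        print(diagnose(SAMPLE_KLIST, SAMPLE_ERROR))
```

Run against the samples it reports kvno_mismatch with kvnos_in_keytab [1], which is the situation in the post: the directory holds a newer machine-account key than the DC's secrets.keytab, so any ticket encrypted to the current key cannot be decrypted there, while the other DCs, whose keytabs are current, still serve their shares.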