[Samba] KVNO in secrets.keytab for AD DC

Kacper Wirski kacper.wirski at gmail.com
Sun Dec 31 19:50:30 UTC 2017


Hello,

Some time ago I asked about updating from 4.5 -> 4.7 for DC's.

I've done it "the long way" and - maybe not the safest.

What worries me is this:

I added those DCs with the same names they had previously (basically dc1 -> 
demote -> install fresh samba -> dc1 join again as DC with some editing 
in between); the secrets.keytab was created anew, but right now it has 
KVNO 2 instead of 1 (kind of supposed to happen I guess, or I didn't 
clean something from LDAP after demote?)

I don't know if it's an issue (so far I don't have any errors), but I 
understand that the way I upgraded wasn't the most obvious one.

The way I upgraded:

In 4.5 I got hit by the replication bug that changed cn=... to 
CN=... for all the replicated data, which didn't actually mean all 
that much, but meant that all "ldapcmp" queries returned tons of errors.

So, following the advice I earlier got here, I made a semi-fresh start, 
that is (to make it short):

- demote DC

- move all old samba files to some temp folder

- install "fresh" samba 4.7.4 (compiled myself)

- add machine again to domain as DC (basically all steps from the WIKI)

- allow it to replicate all the data from working DC's

From the "old installation" I cherry-picked smb.conf and TLS files (since 
the hostname was the same).


This way I have same ip/hostname, and database is without those errors.


In the end when running:

samba-tool drs showrepl

or

samba-tool ldapcmp ldap://dc1 ldap://dc2 (or dc1 - dc3 or dc2 - dc2) I 
get NO errors

everything works fine so far (adding users, changing passwords etc.)

basically everything seems fine now, but maybe something somewhere 
expects/requires DC$ machine account to have KVNO=1 and won't accept KVNO=2?


Any input would be great!
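For anyone who wants to check the situation described in this post for themselves, here is an added example (it is not from the post and not Samba's own code) that parses a v2 keytab file, reports the highest KVNO held for each principal, and compares it with the account's key version number from the directory. The realm, host name, key bytes and directory KVNO below are constructed placeholders; on a real DC you would read the bytes of secrets.keytab and the DC account's msDS-KeyVersionNumber instead.

```python
import struct

# Constructed sample values; the realm, host and key bytes are placeholders,
# not taken from the poster's environment.
REALM = "EXAMPLE.COM"
DC_ACCOUNT = "DC1$"
AES256 = 18          # enctype aes256-cts-hmac-sha1-96
ARCFOUR = 23         # enctype arcfour-hmac


def _counted(b: bytes) -> bytes:
    """Keytab counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(realm, components, kvno, enctype, key, name_type=1, timestamp=0):
    """Encode one v2 keytab entry (size prefix included), with the 32-bit kvno
    extension that MIT and Heimdal write after the keyblock."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
    body += struct.pack(">I", kvno)                                   # 32-bit vno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)   # 0x0502 = keytab format version 2


def parse_keytab(data: bytes):
    """Return a list of (principal, kvno, enctype) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        if size == 0:
            break
        entry, off = data[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, p); p += 2
            strings.append(entry[p:p + n].decode()); p += n
        realm, comps = strings[0], strings[1:]
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p); p += 4 + klen
        kvno = vno8
        if p + 4 <= len(entry):      # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def kvno_by_principal(entries):
    """Highest kvno present in the keytab for each principal."""
    best = {}
    for princ, kvno, _enc in entries:
        best[princ] = max(best.get(princ, 0), kvno)
    return best


def keytab_matches_directory(keytab_kvnos, principal, directory_kvno):
    """True when the keytab's newest key for `principal` has the same kvno as
    the account's msDS-KeyVersionNumber read from the directory."""
    return keytab_kvnos.get(principal) == directory_kvno


# Constructed keytab: a stale kvno 1 key, the current kvno 2 keys, and a
# deleted slot, roughly what a re-joined DC's secrets.keytab could contain.
SAMPLE_KEYTAB = build_keytab([
    build_entry(REALM, [DC_ACCOUNT], 1, AES256, bytes(32)),
    struct.pack(">i", -8) + bytes(8),
    build_entry(REALM, [DC_ACCOUNT], 2, AES256, bytes(32)),
    build_entry(REALM, [DC_ACCOUNT], 2, ARCFOUR, bytes(16)),
])
DIRECTORY_KVNO = 2   # constructed stand-in for msDS-KeyVersionNumber

if __name__ == "__main__":
    kvnos = kvno_by_principal(parse_keytab(SAMPLE_KEYTAB))
    for princ, kvno in sorted(kvnos.items()):
        print(f"{princ}: kvno {kvno}")
    ok = keytab_matches_directory(kvnos, f"{DC_ACCOUNT}@{REALM}", DIRECTORY_KVNO)
    print("keytab in sync with directory:", ok)
```

The point of the check is that a KVNO of 2 by itself is not a problem: a KDC issues tickets against the key whose kvno matches what the directory records for the account, so what matters is that the newest key in secrets.keytab and msDS-KeyVersionNumber agree. A quick cross-check on a live DC is `klist -k -t` on the keytab (the kvno column) against the attribute value from the directory.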
