[Samba] DRS stopped working after upgrade from debian Jessie to Stretch

L.P.H. van Belle belle at bazuin.nl
Tue Jun 20 08:35:16 UTC 2017


Hai, 

Just saying samba does not use /etc/krb5.keytab is not totally correct. 

A lot of setups use the setting: dedicated keytab file = /etc/krb5.keytab 
because systemd defaults point to /etc/krb5.keytab. 

From his logs: 
Failed to find FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5) 

And from his command (klist -k: Keytab name: FILE:/etc/krb5.keytab) the above server is found.
Only the host/SPN entry is missing. 

This looks like:
dedicated keytab file = /etc/krb5.keytab  
was in smb.conf but is gone now, or a symlink was replaced by a keytab file in /etc.
I suspect the last one, due to the upgrade. 

In this case, export the SPNs again and check if host/SPN and NETBIOSNAME$@SPN exist. 
Use ktutil to import all entries from both keytab files and export the ones you need back.


Greetz, 

Louis





> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Andrew Bartlett via samba
> Sent: Monday, 19 June 2017 23:59
> To: Prunk Dump; samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from 
> debian Jessie to Stretch
> 
> On Mon, 2017-06-19 at 22:13 +0200, Prunk Dump via samba wrote:
> > Hello Samba team !
> > 
> > I am in a very delicate situation. After an upgrade to 
> > debian Stretch my DRS stopped working.
> 
> Have you ever had MIT krb5 installed, or is krb5kdc now running?
> 
> Samba doesn't use /etc/krb5.keytab, so this may be related to 
> some previous install (or may be related to how you are 
> trying to use NFS). 
> 
> 
> > 
> > This seem to be a computer account problem. But I can't find any 
> > problem in Kerberos :
> > 
> > 
> >  --------------------------------
> > # kinit -k FICHDC$
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> 
> Can you do this against the secrets.keytab in Samba's private/ dir?
> 
> You can reset the Samba machine account pw with 
> ./source4/scripting/devel/chgtdcpass, but:
>  - it wont be packaged so you will have to build Samba and 
> tell it to operate against the right paths
>  - it shouldn't be needed, upgrades shouldn't break this, and 
> understanding the root cause would be better
> 
> Does 'samba-tool time -P' work?  Is it any different with 
> 'samba-tool time -P -k no'?  (It seems your issue is related 
> primarily to kerberos and a keytab out of sync somehow). 
> 
> > Valid starting       Expires              Service principal
> > 19/06/2017 22:05:54  20/06/2017 08:05:54  krbtgt/NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> >     renew until 20/06/2017 22:05:54
> > # klist -k
> > Keytab name: FILE:/etc/krb5.keytab
> 
> As I mention above, this is the wrong keytab for a Samba DC.
> 
> > A big thank if someone can help me !
> 
> I hope this helps, otherwise depending on the urgency you 
> might need to get some professional guidance.  It gets really 
> stressful when the network is down and we all know that can 
> lead to mistakes.
> 
> Take care,
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          
> http://catalyst.net.nz/services/samba
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 

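The two steps Louis suggests above (check that NETBIOSNAME$@REALM and the host/ SPNs are present in a keytab, then merge the entries of two keytab files with ktutil) as an added POSIX shell example. This is not code from the thread or from the Samba project. It assumes MIT-style `klist -k` output (a "KVNO Principal" table) and MIT ktutil's `read_kt`/`write_kt` commands; the FQDN fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr is an assumption, since only FICHDC$ and the realm appear in the logs. The sample listing is constructed to match the situation in the thread: machine account present, host/ entries missing.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# 1) check a `klist -k` listing for the entries a Samba AD DC needs
#    (NETBIOSNAME$@REALM and host/<name>@REALM);
# 2) merge two keytabs with MIT ktutil.
# Assumes MIT-style `klist -k` output and MIT ktutil's read_kt/write_kt.
# The FQDN used at the bottom is an assumption; only FICHDC$ and the realm
# appear in the thread.

# Constructed sample of `klist -k` output for the situation in the thread:
# the machine account is present, the host/ SPNs are not.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR'

# keytab_has_principal LISTING PRINCIPAL: exit 0 if PRINCIPAL appears in the
# listing. Only rows whose first field is a numeric KVNO are considered, so
# the header lines are ignored.
keytab_has_principal() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# missing_dc_principals LISTING NETBIOS FQDN REALM: print the required
# principals that are absent (space separated); exit 0 only if none are.
missing_dc_principals() {
    listing=$1 netbios=$2 fqdn=$3 realm=$4
    missing=""
    for p in "${netbios}\$@${realm}" "host/${fqdn}@${realm}" "host/${netbios}@${realm}"; do
        keytab_has_principal "$listing" "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# merge_keytabs OUT IN1 [IN2 ...]: read every input keytab into MIT ktutil and
# write the union to OUT. Keytabs hold long-term keys, so the output is
# created under umask 077 (mode 0600) in a subshell that does not change the
# caller's umask.
merge_keytabs() {
    out=$1; shift
    (
        umask 077
        {
            for kt in "$@"; do printf 'read_kt %s\n' "$kt"; done
            printf 'write_kt %s\n' "$out"
        } | ktutil
    )
}

# Run the check against the constructed listing (hostname is assumed).
if missing=$(missing_dc_principals "$SAMPLE_KLIST" FICHDC \
        fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr \
        NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR); then
    echo "all required DC principals present"
else
    echo "missing from keytab: $missing"
fi
```

In practice, the listing would come from `klist -k -t /etc/krb5.keytab` and from the DC's secrets.keytab, and the missing SPNs are re-exported with `samba-tool domain exportkeytab <file> --principal=<spn>` before merging. Two caveats a practitioner should keep in mind: `dedicated keytab file` only takes effect together with `kerberos method = dedicated keytab` or `kerberos method = secrets and keytab`, and a merged keytab should be checked for stale KVNOs, since a `kvno 2` entry from the old file does nothing useful once the account password has rolled.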


