[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown

Sven Schwedas sven.schwedas at tao.at
Tue Sep 5 13:33:45 UTC 2017


On 2017-09-05 14:40, L.P.H. van Belle wrote:
> Ah.. I had a "member break down" ..  
> 
> Out of the blue,.. Kerberos problem, but pretty simple to fix. 
> 
> kinit Administrator 

Works on all DCs.

> Check your spn of the ad server with :  
> samba-tool spn list DC_HOSTNAME$
>
> Check keytab 
> klist -ke /var/lib/samba/private/secrets.keytab

Outputs attached. graz-dc-1b is the one making trouble, graz-dc-sem is
the FSMO role holder.

Keytabs look reasonable, as far as I can see, but why does graz-dc-sem
have the same SPN output as graz-dc-1b in addition to its own?

> Can you check this. 
> 
> Greetz, 
> 
> Louis
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas via samba
>> Sent: Tuesday 5 September 2017 14:28
>> To: samba at lists.samba.org
>> Subject: [Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown
>>
>> Today's episode of "why is AD break", brought to you by:
>>
>>> [2017/09/05 10:17:06.015617,  3] ../source4/auth/gensec/gensec_gssapi.c:613(gensec_gssapi_update)
>>>   Server GC/graz-dc-1b.ad.tao.at/ad.tao.at is not registered with our KDC:  Miscellaneous failure (see text): Server (GC/graz-dc-1b.ad.tao.at/ad.tao.at at AD.TAO.AT) unknown
>>> [2017/09/05 10:17:06.015717,  0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
>>>   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.17.66[1024,seal,krb5,target_hostname=bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at,target_principal=GC/graz-dc-1b.ad.tao.at/ad.tao.at,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.16.213] NT_STATUS_INVALID_PARAMETER
>>> [2017/09/05 10:17:06.015869,  4] ../source4/dsdb/repl/drepl_notify.c:196(dreplsrv_notify_op_callback)
>>>   dreplsrv_notify: Failed to send DsReplicaSync to bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at for DC=ad,DC=tao,DC=at - NT_STATUS_INVALID_PARAMETER : WERR_INVALID_PARAM
>>
>> The few Google results for this seem to indicate DNS issues, but I'm not
>> sure where those should come from. The servers in question resolve
>> graz-dc-1b.ad.tao.at as well as
>> bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at to the correct IP.
>> Same goes for _kerberos.* and the other SRV records in _msdcs. and the AD
>> domain itself.
>>
>> Any ideas where else to look?
>>
>> --
>> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, 
>> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype 
>> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz 
>> https://www.tao-digital.at | Tel +43 680 301 7167
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
-------------- next part --------------
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/graz-dc-1b at AD.TAO.AT (des-cbc-crc)
   2 HOST/graz-dc-1b.ad.tao.at at AD.TAO.AT (des-cbc-crc)
   2 GRAZ-DC-1B$@AD.TAO.AT (des-cbc-crc)
   2 HOST/graz-dc-1b at AD.TAO.AT (des-cbc-md5)
   2 HOST/graz-dc-1b.ad.tao.at at AD.TAO.AT (des-cbc-md5)
   2 GRAZ-DC-1B$@AD.TAO.AT (des-cbc-md5)
   2 HOST/graz-dc-1b at AD.TAO.AT (arcfour-hmac)
   2 HOST/graz-dc-1b.ad.tao.at at AD.TAO.AT (arcfour-hmac)
   2 GRAZ-DC-1B$@AD.TAO.AT (arcfour-hmac)
   2 HOST/graz-dc-1b at AD.TAO.AT (aes128-cts-hmac-sha1-96)
   2 HOST/graz-dc-1b.ad.tao.at at AD.TAO.AT (aes128-cts-hmac-sha1-96)
   2 GRAZ-DC-1B$@AD.TAO.AT (aes128-cts-hmac-sha1-96)
   2 HOST/graz-dc-1b at AD.TAO.AT (aes256-cts-hmac-sha1-96)
   2 HOST/graz-dc-1b.ad.tao.at at AD.TAO.AT (aes256-cts-hmac-sha1-96)
   2 GRAZ-DC-1B$@AD.TAO.AT (aes256-cts-hmac-sha1-96)
-------------- next part --------------
graz-dc-1b$
User CN=GRAZ-DC-1B,OU=Domain Controllers,DC=ad,DC=tao,DC=at has the following servicePrincipalName: 
	 HOST/GRAZ-DC-1B
	 HOST/graz-dc-1b.ad.tao.at
	 GC/graz-dc-1b.ad.tao.at/ad.tao.at
	 E3514235-4B06-11D1-AB04-00C04FC2DCD2/bcffbad8-1add-46b9-bf69-90e52c0f09ea/ad.tao.at
	 HOST/graz-dc-1b.ad.tao.at/AD
	 ldap/graz-dc-1b.ad.tao.at/AD
	 ldap/graz-dc-1b.ad.tao.at
	 HOST/graz-dc-1b.ad.tao.at/ad.tao.at
	 ldap/graz-dc-1b.ad.tao.at/ad.tao.at
	 ldap/bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at
	 ldap/GRAZ-DC-1B
	 RestrictedKrbHost/GRAZ-DC-1B
	 RestrictedKrbHost/graz-dc-1b.ad.tao.at
	 ldap/graz-dc-1b.ad.tao.at/DomainDnsZones.ad.tao.at
	 ldap/graz-dc-1b.ad.tao.at/ForestDnsZones.ad.tao.at
-------------- next part --------------
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/graz-dc-sem at AD.TAO.AT (des-cbc-crc)
   1 HOST/graz-dc-sem.ad.tao.at at AD.TAO.AT (des-cbc-crc)
   1 GRAZ-DC-SEM$@AD.TAO.AT (des-cbc-crc)
   1 HOST/graz-dc-sem at AD.TAO.AT (des-cbc-md5)
   1 HOST/graz-dc-sem.ad.tao.at at AD.TAO.AT (des-cbc-md5)
   1 GRAZ-DC-SEM$@AD.TAO.AT (des-cbc-md5)
   1 HOST/graz-dc-sem at AD.TAO.AT (arcfour-hmac)
   1 HOST/graz-dc-sem.ad.tao.at at AD.TAO.AT (arcfour-hmac)
   1 GRAZ-DC-SEM$@AD.TAO.AT (arcfour-hmac)
   1 HOST/graz-dc-sem at AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 HOST/graz-dc-sem.ad.tao.at at AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 GRAZ-DC-SEM$@AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 HOST/graz-dc-sem at AD.TAO.AT (aes256-cts-hmac-sha1-96)
   1 HOST/graz-dc-sem.ad.tao.at at AD.TAO.AT (aes256-cts-hmac-sha1-96)
   1 GRAZ-DC-SEM$@AD.TAO.AT (aes256-cts-hmac-sha1-96)
-------------- next part --------------
graz-dc-sem$
User CN=GRAZ-DC-SEM,OU=Domain Controllers,DC=ad,DC=tao,DC=at has the following servicePrincipalName: 
	 HOST/graz-dc-sem.ad.tao.at
	 HOST/graz-dc-sem.ad.tao.at/AD
	 ldap/graz-dc-sem.ad.tao.at/AD
	 GC/graz-dc-sem.ad.tao.at/ad.tao.at
	 ldap/graz-dc-sem.ad.tao.at
	 HOST/graz-dc-sem.ad.tao.at/ad.tao.at
	 ldap/graz-dc-sem.ad.tao.at/ad.tao.at
	 HOST/GRAZ-DC-SEM
	 E3514235-4B06-11D1-AB04-00C04FC2DCD2/160f5a53-5c29-4a83-aeee-6cb1dbabeed7/ad.tao.at
	 ldap/160f5a53-5c29-4a83-aeee-6cb1dbabeed7._msdcs.ad.tao.at
	 ldap/GRAZ-DC-SEM
	 RestrictedKrbHost/GRAZ-DC-SEM
	 RestrictedKrbHost/graz-dc-sem.ad.tao.at
	 ldap/graz-dc-sem.ad.tao.at/DomainDnsZones.ad.tao.at
	 ldap/graz-dc-sem.ad.tao.at/ForestDnsZones.ad.tao.at
	 HOST/graz-dc-1b.ad.tao.at
	 HOST/graz-dc-1b.ad.tao.at/AD
	 ldap/graz-dc-1b.ad.tao.at/AD
	 GC/graz-dc-1b.ad.tao.at/ad.tao.at
	 ldap/graz-dc-1b.ad.tao.at
	 HOST/graz-dc-1b.ad.tao.at/ad.tao.at
	 ldap/graz-dc-1b.ad.tao.at/ad.tao.at
	 E3514235-4B06-11D1-AB04-00C04FC2DCD2/bcffbad8-1add-46b9-bf69-90e52c0f09ea/ad.tao.at
	 ldap/bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at
	 RestrictedKrbHost/graz-dc-1b.ad.tao.at
	 ldap/graz-dc-1b.ad.tao.at/DomainDnsZones.ad.tao.at
	 ldap/graz-dc-1b.ad.tao.at/ForestDnsZones.ad.tao.at
-------------- next part --------------
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/villach-dc-bis at AD.TAO.AT (des-cbc-crc)
   1 HOST/villach-dc-bis.ad.tao.at at AD.TAO.AT (des-cbc-crc)
   1 VILLACH-DC-BIS$@AD.TAO.AT (des-cbc-crc)
   1 HOST/villach-dc-bis at AD.TAO.AT (des-cbc-md5)
   1 HOST/villach-dc-bis.ad.tao.at at AD.TAO.AT (des-cbc-md5)
   1 VILLACH-DC-BIS$@AD.TAO.AT (des-cbc-md5)
   1 HOST/villach-dc-bis at AD.TAO.AT (arcfour-hmac)
   1 HOST/villach-dc-bis.ad.tao.at at AD.TAO.AT (arcfour-hmac)
   1 VILLACH-DC-BIS$@AD.TAO.AT (arcfour-hmac)
   1 HOST/villach-dc-bis at AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 HOST/villach-dc-bis.ad.tao.at at AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 VILLACH-DC-BIS$@AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 HOST/villach-dc-bis at AD.TAO.AT (aes256-cts-hmac-sha1-96)
   1 HOST/villach-dc-bis.ad.tao.at at AD.TAO.AT (aes256-cts-hmac-sha1-96)
   1 VILLACH-DC-BIS$@AD.TAO.AT (aes256-cts-hmac-sha1-96)
-------------- next part --------------
villach-dc-bis$
User CN=VILLACH-DC-BIS,OU=Domain Controllers,DC=ad,DC=tao,DC=at has the following servicePrincipalName: 
	 HOST/VILLACH-DC-BIS
	 HOST/VILLACH-DC-BIS.ad.tao.at
	 GC/VILLACH-DC-BIS.ad.tao.at/ad.tao.at
	 E3514235-4B06-11D1-AB04-00C04FC2DCD2/e1569c90-50f9-4bb5-bd85-79145e3ff6fd/ad.tao.at
	 HOST/VILLACH-DC-BIS.ad.tao.at/AD
	 ldap/VILLACH-DC-BIS.ad.tao.at/AD
	 ldap/VILLACH-DC-BIS.ad.tao.at
	 HOST/VILLACH-DC-BIS.ad.tao.at/ad.tao.at
	 ldap/VILLACH-DC-BIS.ad.tao.at/ad.tao.at
	 ldap/e1569c90-50f9-4bb5-bd85-79145e3ff6fd._msdcs.ad.tao.at
	 ldap/VILLACH-DC-BIS
	 RestrictedKrbHost/VILLACH-DC-BIS
	 RestrictedKrbHost/VILLACH-DC-BIS.ad.tao.at
	 ldap/VILLACH-DC-BIS.ad.tao.at/DomainDnsZones.ad.tao.at
	 ldap/VILLACH-DC-BIS.ad.tao.at/ForestDnsZones.ad.tao.at
-------------- next part --------------
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/villach-dc-sem at AD.TAO.AT (des-cbc-crc)
   1 HOST/villach-dc-sem.ad.tao.at at AD.TAO.AT (des-cbc-crc)
   1 VILLACH-DC-SEM$@AD.TAO.AT (des-cbc-crc)
   1 HOST/villach-dc-sem at AD.TAO.AT (des-cbc-md5)
   1 HOST/villach-dc-sem.ad.tao.at at AD.TAO.AT (des-cbc-md5)
   1 VILLACH-DC-SEM$@AD.TAO.AT (des-cbc-md5)
   1 HOST/villach-dc-sem at AD.TAO.AT (arcfour-hmac)
   1 HOST/villach-dc-sem.ad.tao.at at AD.TAO.AT (arcfour-hmac)
   1 VILLACH-DC-SEM$@AD.TAO.AT (arcfour-hmac)
   1 HOST/villach-dc-sem at AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 HOST/villach-dc-sem.ad.tao.at at AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 VILLACH-DC-SEM$@AD.TAO.AT (aes128-cts-hmac-sha1-96)
   1 HOST/villach-dc-sem at AD.TAO.AT (aes256-cts-hmac-sha1-96)
   1 HOST/villach-dc-sem.ad.tao.at at AD.TAO.AT (aes256-cts-hmac-sha1-96)
   1 VILLACH-DC-SEM$@AD.TAO.AT (aes256-cts-hmac-sha1-96)
-------------- next part --------------
villach-dc-sem$
User CN=VILLACH-DC-SEM,OU=Domain Controllers,DC=ad,DC=tao,DC=at has the following servicePrincipalName: 
	 HOST/VILLACH-DC-SEM
	 HOST/VILLACH-DC-SEM.ad.tao.at
	 GC/VILLACH-DC-SEM.ad.tao.at/ad.tao.at
	 E3514235-4B06-11D1-AB04-00C04FC2DCD2/eb5f9772-cd8f-4cde-9629-f1898c94aedd/ad.tao.at
	 HOST/VILLACH-DC-SEM.ad.tao.at/AD
	 ldap/VILLACH-DC-SEM.ad.tao.at/AD
	 ldap/VILLACH-DC-SEM.ad.tao.at
	 HOST/VILLACH-DC-SEM.ad.tao.at/ad.tao.at
	 ldap/VILLACH-DC-SEM.ad.tao.at/ad.tao.at
	 ldap/eb5f9772-cd8f-4cde-9629-f1898c94aedd._msdcs.ad.tao.at
	 ldap/VILLACH-DC-SEM
	 RestrictedKrbHost/VILLACH-DC-SEM
	 RestrictedKrbHost/VILLACH-DC-SEM.ad.tao.at
	 ldap/VILLACH-DC-SEM.ad.tao.at/DomainDnsZones.ad.tao.at
	 ldap/VILLACH-DC-SEM.ad.tao.at/ForestDnsZones.ad.tao.at
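
Added example (not part of the original post and not Samba project code): a parser for concatenated `samba-tool spn list` output, as attached above, that reports every SPN registered on more than one account, which is the condition Sven asks about for graz-dc-sem. The sample input is abridged from the attachments; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input abridged from the attachments in this message
# (output of `samba-tool spn list <account>` for two DCs).
SAMPLE = """\
graz-dc-1b$
User CN=GRAZ-DC-1B,OU=Domain Controllers,DC=ad,DC=tao,DC=at has the following servicePrincipalName:
\t HOST/GRAZ-DC-1B
\t HOST/graz-dc-1b.ad.tao.at
\t GC/graz-dc-1b.ad.tao.at/ad.tao.at
\t ldap/GRAZ-DC-1B
graz-dc-sem$
User CN=GRAZ-DC-SEM,OU=Domain Controllers,DC=ad,DC=tao,DC=at has the following servicePrincipalName:
\t HOST/graz-dc-sem.ad.tao.at
\t GC/graz-dc-sem.ad.tao.at/ad.tao.at
\t HOST/GRAZ-DC-SEM
\t HOST/graz-dc-1b.ad.tao.at
\t GC/graz-dc-1b.ad.tao.at/ad.tao.at
"""

HEADER = re.compile(r"^User (?P<dn>.+?) has the following servicePrincipalName:\s*$")

def parse_spn_lists(text):
    """Return {account DN: [SPN, ...]} from concatenated spn-list output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = accounts.setdefault(m.group("dn"), [])
        elif current is not None and line[:1] in (" ", "\t") and line.strip():
            current.append(line.strip())  # indented lines are SPN entries
    return accounts

def duplicate_spns(accounts):
    """Return {lower-cased SPN: sorted DNs} for SPNs held by >1 account."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)  # SPN matching is case-insensitive
    return {s: sorted(d) for s, d in owners.items() if len(d) > 1}

if __name__ == "__main__":
    for spn, dns in sorted(duplicate_spns(parse_spn_lists(SAMPLE)).items()):
        print(f"DUPLICATE {spn}")
        for dn in dns:
            print(f"    {dn}")
```

An SPN is meant to map to exactly one account, so any entry this reports is worth resolving before looking further at DNS.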