[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown

L.P.H. van Belle belle at bazuin.nl
Tue Sep 5 14:21:22 UTC 2017


> Keytabs look reasonable, as far as I can see, but why does 
> graz-dc-sem have the same SPN output as graz-dc-1b in 
> addition to its own?
A snapshotted/cloned server? I don't know, but that's not correct.

I suggest cleaning up the DS with the FSMO roles.
Then remove the faulty server and re-add it as a newly installed DC.

(on the good DS with FSMO)
First back up: /var/lib/samba/private/secrets.keytab
Remove the incorrect entries from the keytab file with ktutil:
    rkt /var/lib/samba/private/secrets.keytab
    list -e -t

Check whether the dates here are related to other work you or someone else did.

Now you can remove the faulty one from the domain and re-add it (with provisioning).
Backup and cleanup:
/etc/samba/smb.conf    (rename)
/var/cache/samba       (remove all files from the folder)
/var/lib/samba         (remove all files and directories from the folder)

Now re-provision and you should have correctly working DCs again.

! Before re-provisioning, make sure all OLD DNS and AD records are gone.



Greetz, 

Louis
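A check for the symptom Sven reports (one DC's account carrying SPNs that name another DC), added here as an example and not code from the thread or from Samba itself: it takes text in the shape of `samba-tool spn list HOST$` output (the sample is constructed and the exact header format is an assumption) and prints every SPN whose host part is not the account's own host, skipping the GUID-based DRS replication SPN.

```shell
#!/bin/sh
# Constructed sample in the shape of `samba-tool spn list 'GRAZ-DC-SEM$'` output
# (format assumed). Two entries name graz-dc-1b, the symptom from the thread;
# the GUID in the DRS replication SPN is a placeholder.
SAMPLE_SEM='User CN=GRAZ-DC-SEM,OU=Domain Controllers,DC=ad,DC=tao,DC=at has the following servicePrincipalName:
     HOST/graz-dc-sem.ad.tao.at
     HOST/GRAZ-DC-SEM
     GC/graz-dc-sem.ad.tao.at/ad.tao.at
     ldap/graz-dc-sem.ad.tao.at/ad.tao.at
     E3514235-4B06-11D1-AB04-00C04FC2DCD2/00000000-0000-0000-0000-000000000000/ad.tao.at
     GC/graz-dc-1b.ad.tao.at/ad.tao.at
     ldap/graz-dc-1b.ad.tao.at/ad.tao.at'

# foreign_spns SPN_TEXT SHORTNAME
# Prints each SPN whose host component (second '/'-separated field) is not
# SHORTNAME, compared case-insensitively and with any DNS suffix stripped.
# The DRS SPN's host field is the NTDS GUID, not a hostname, so it is skipped.
foreign_spns() {
    printf '%s\n' "$1" | awk -v host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]/ {
            spn = $1
            n = split(spn, f, "/")
            if (n < 2) next
            h = tolower(f[2])
            if (length(h) == 36 && h ~ /^[0-9a-f-]*$/) next   # GUID, not a host
            sub(/\..*$/, "", h)                                # drop DNS suffix
            if (h != host) print spn
        }'
}

# count_foreign SPN_TEXT SHORTNAME -> number of SPNs naming another host
count_foreign() {
    foreign_spns "$1" "$2" | wc -l | tr -d ' '
}

# On a real DC the first argument would be "$(samba-tool spn list 'GRAZ-DC-SEM$')".
foreign_spns "$SAMPLE_SEM" graz-dc-sem
```

Run it against each DC account; anything it prints on one DC that belongs to another is what Louis's ktutil/keytab cleanup and re-provisioning steps are meant to get rid of.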

> -----Original Message-----
> From: Sven Schwedas [mailto:sven.schwedas at tao.at]
> Sent: Tuesday 5 September 2017 15:34
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Server GC/name.dom/dom is not
> registered with our KDC: Miscellaneous failure (see text):
> Server (GC/name/dom at DOM) unknown
> 
> On 2017-09-05 14:40, L.P.H. van Belle wrote:
> > Ah.. I had a "member break down" ..  
> > 
> > Out of the blue,.. Kerberos problem, but pretty simple to fix. 
> > 
> > kinit Administrator
> 
> Works on all DCs.
> 
> > Check your spn of the ad server with :  
> > samba-tool spn list DC_HOSTNAME$
> >
> > Check keytab
> > klist -ke /var/lib/samba/private/secrets.keytab
> 
> Outputs attached. graz-dc-1b is the one making trouble, 
> graz-dc-sem is the FSMO role holder.
> 
> Keytabs look reasonable, as far as I can see, but why does 
> graz-dc-sem have the same SPN output as graz-dc-1b in 
> addition to its own?
> 
> > Can you check this. 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven
> >> Schwedas via samba
> >> Sent: Tuesday 5 September 2017 14:28
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Server GC/name.dom/dom is not registered with our
> >> KDC: Miscellaneous failure (see text): Server
> >> (GC/name/dom at DOM) unknown
> >>
> >> Today's episode of "why is AD break", brought to you by:
> >>
> >>> [2017/09/05 10:17:06.015617,  3] ../source4/auth/gensec/gensec_gssapi.c:613(gensec_gssapi_update)
> >>>   Server GC/graz-dc-1b.ad.tao.at/ad.tao.at is not registered with our KDC:  Miscellaneous failure (see text): Server (GC/graz-dc-1b.ad.tao.at/ad.tao.at at AD.TAO.AT) unknown
> >>> [2017/09/05 10:17:06.015717,  0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
> >>>   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.17.66[1024,seal,krb5,target_hostname=bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at,target_principal=GC/graz-dc-1b.ad.tao.at/ad.tao.at,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.16.213] NT_STATUS_INVALID_PARAMETER
> >>> [2017/09/05 10:17:06.015869,  4] ../source4/dsdb/repl/drepl_notify.c:196(dreplsrv_notify_op_callback)
> >>>   dreplsrv_notify: Failed to send DsReplicaSync to bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at for DC=ad,DC=tao,DC=at - NT_STATUS_INVALID_PARAMETER : WERR_INVALID_PARAM
> >>
> >> The few Google results for this seem to indicate DNS issues, but I'm
> >> not sure where those should come from. The servers in question
> >> resolve graz-dc-1b.ad.tao.at as well as
> >> bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at to the correct
> >> IP. Same goes for _kerberos.* and the other SRV records in _msdcs. and
> >> the AD domain itself.
> >>
> >> Any ideas where else to look?
> >>
> >> --
> >> Kind regards, / Best Regards, Sven Schwedas,
> >> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype
> >> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz
> >> https://www.tao-digital.at | Tel +43 680 301 7167
> >>
> > 
> 



