[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown

Sven Schwedas sven.schwedas at tao.at
Tue Sep 5 14:32:30 UTC 2017


On 2017-09-05 16:21, L.P.H. van Belle wrote:
>> Keytabs look reasonable, as far as I can see, but why does 
>> graz-dc-sem have the same SPN output as graz-dc-1b in 
>> addition to its own?
> A snapshotted server/cloned server? I don't know, but that's not correct.

Nope, both were created clean. There used to be a graz-dc-bis, but
removing and re-adding it completely broke replication, so I nuked it
and created 1b to replace it. That odyssey is in the list archives
somewhere…

> I suggest, clean up the DS with FSMO roles.

Clean up as in move FSMO roles to a clean server (leaves only
villach-dc-*) ?

> Then remove a faulty server and re-add it as a newly installed DC.
> ( the good DS with FSMO)
> First backup: /var/lib/samba/private/secrets.keytab
> Remove the incorrect entries from keytab file with ktutil
> rkt /var/lib/samba/private/secrets.keytab
> list -e -t

Might as well just nuke graz-dc-sem and add a complete new DC from
scratch, no?

> Check if dates here are related to other work you/someone did?
> 
> Now you can remove the faulty one from the domain and re-add it (with provisioning)
> Backup and cleanup
> /etc/samba/smb.conf   (rename)
> /var/cache/samba      (remove all files from folder)
> /var/lib/samba        (remove all files and directories from folder)
> 
> Now re-provision and you should have correctly working DCs again.
> 
> ! Before re-provisioning, make sure all OLD DNS and AD records are gone.

I still have undeletable replication records from the last time I had
to nuke a DC; nobody replied to my emails on that issue.

> 
> 
> 
> Greetz, 
> 
> Louis
> 
>> -----Original message-----
>> From: Sven Schwedas [mailto:sven.schwedas at tao.at]
>> Sent: Tuesday 5 September 2017 15:34
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Server GC/name.dom/dom is not
>> registered with our KDC: Miscellaneous failure (see text):
>> Server (GC/name/dom at DOM) unknown
>>
>> On 2017-09-05 14:40, L.P.H. van Belle wrote:
>>> Ah.. I had a "member break down" ..  
>>>
>>> Out of the blue,.. Kerberos problem, but pretty simple to fix. 
>>>
>>> kinit Administrator
>>
>> Works on all DCs.
>>
>>> Check your spn of the ad server with :  
>>> samba-tool spn list DC_HOSTNAME$
>>>
>>> Check keytab
>>> klist -ke /var/lib/samba/private/secrets.keytab
>>
>> Outputs attached. graz-dc-1b is the one making trouble, 
>> graz-dc-sem is the FSMO role holder.
>>
>> Keytabs look reasonable, as far as I can see, but why does 
>> graz-dc-sem have the same SPN output as graz-dc-1b in 
>> addition to its own?
>>
>>> Can you check this. 
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven
>>>> Schwedas via samba
>>>> Sent: Tuesday 5 September 2017 14:28
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Server GC/name.dom/dom is not registered with our
>>>> KDC: Miscellaneous failure (see text): Server
>>>> (GC/name/dom at DOM) unknown
>>>>
>>>> Today's episode of "why is AD break", brought to you by:
>>>>
>>>>> [2017/09/05 10:17:06.015617,  3] ../source4/auth/gensec/gensec_gssapi.c:613(gensec_gssapi_update)
>>>>>   Server GC/graz-dc-1b.ad.tao.at/ad.tao.at is not registered with our KDC:  Miscellaneous failure (see text): Server (GC/graz-dc-1b.ad.tao.at/ad.tao.at at AD.TAO.AT) unknown
>>>>> [2017/09/05 10:17:06.015717,  0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
>>>>>   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.17.66[1024,seal,krb5,target_hostname=bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at,target_principal=GC/graz-dc-1b.ad.tao.at/ad.tao.at,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.16.213] NT_STATUS_INVALID_PARAMETER
>>>>> [2017/09/05 10:17:06.015869,  4] ../source4/dsdb/repl/drepl_notify.c:196(dreplsrv_notify_op_callback)
>>>>>   dreplsrv_notify: Failed to send DsReplicaSync to bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at for DC=ad,DC=tao,DC=at - NT_STATUS_INVALID_PARAMETER : WERR_INVALID_PARAM
>>>>
>>>> The few Google results for this seem to indicate DNS issues, but I'm
>>>> not sure where those should come from. The servers in question
>>>> resolve graz-dc-1b.ad.tao.at as well as
>>>> bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at to the correct
>>>> IP.
>>>> Same goes for _kerberos.* and the other SRV records in _msdcs. and 
>>>> the AD domain itself.
>>>>
>>>> Any ideas where else to look?
>>>>
>>>> --
>>>> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, 
>>>> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype 
>>>> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz 
>>>> https://www.tao-digital.at | Tel +43 680 301 7167
>>>>
>>>
>>
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
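As an added consistency check, written for this thread and not part of any message above or of Samba itself: given the output of the two commands Louis suggests, `samba-tool spn list DC_HOSTNAME$` and `klist -ke /var/lib/samba/private/secrets.keytab`, it compares the DC account's SPNs with the keytab and flags SPNs whose host part belongs to another DC, the situation Sven reports for graz-dc-sem. The output line formats, the sample data and the GUID are constructed assumptions, not captured output.

```python
import re

SPN_RE = re.compile(r"^[A-Za-z0-9_-]+/\S+$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_spn_list(text):
    """SPNs from `samba-tool spn list ACCOUNT$` output: one SPN per indented line (assumed format)."""
    return {ln.strip().lower() for ln in text.splitlines() if SPN_RE.match(ln.strip())}

def parse_keytab(text):
    """Service principals, realm stripped, from `klist -ke secrets.keytab` output (assumed format)."""
    return {tok.split("@", 1)[0].lower() for ln in text.splitlines()
            for tok in ln.split() if "@" in tok and "/" in tok}

def check_dc(fqdn, forest, spn_text, keytab_text):
    """Compare a DC account's SPNs with its keytab and flag SPNs naming another host.
    Matching is case-insensitive because the AD attribute and the keytab may differ in case."""
    fqdn, forest = fqdn.lower(), forest.lower()
    short = fqdn.split(".")[0]
    spns, kt = parse_spn_list(spn_text), parse_keytab(keytab_text)

    def own(spn):  # host part is this DC's name, its short name, or a GUID/_msdcs form
        host = spn.split("/")[1]
        return host in (fqdn, short) or host.endswith("._msdcs." + forest) or bool(GUID_RE.match(host))

    gc = f"gc/{fqdn}/{forest}"  # the SPN named in the "not registered with our KDC" error
    return {
        "gc_registered": gc in spns,
        "gc_in_keytab": gc in kt,
        "missing_from_keytab": sorted(s for s in spns if own(s) and s not in kt),
        "foreign": sorted(s for s in spns if not own(s)),
    }

# Constructed sample modelled on the thread: graz-dc-sem's account also carries graz-dc-1b's
# GC SPN. Formats are assumed, not captured; the GUID is a placeholder.
SPN_SEM = """\
User CN=GRAZ-DC-SEM,OU=Domain Controllers,DC=ad,DC=tao,DC=at has the following servicePrincipalName:
\t HOST/GRAZ-DC-SEM
\t HOST/graz-dc-sem.ad.tao.at
\t GC/graz-dc-sem.ad.tao.at/ad.tao.at
\t ldap/11111111-2222-3333-4444-555555555555._msdcs.ad.tao.at
\t GC/graz-dc-1b.ad.tao.at/ad.tao.at
"""
KT_SEM = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
   3 HOST/GRAZ-DC-SEM@AD.TAO.AT (aes256-cts-hmac-sha1-96)
   3 host/graz-dc-sem.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
   3 GC/graz-dc-sem.ad.tao.at/ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
   3 ldap/11111111-2222-3333-4444-555555555555._msdcs.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
"""
if __name__ == "__main__":
    print(check_dc("graz-dc-sem.ad.tao.at", "ad.tao.at", SPN_SEM, KT_SEM))
```

Run it once per DC with that DC's own two outputs; a non-empty `foreign` list on one DC, or a GC SPN present in AD but absent from the keytab, is the mismatch to chase before re-provisioning.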


