[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown

L.P.H. van Belle belle at bazuin.nl
Tue Sep 5 14:52:24 UTC 2017

Yes, if you are flexible with reinstalling, you could..
(more below) 

> -----Original message-----
> From: Sven Schwedas [mailto:sven.schwedas at tao.at] 
> Sent: Tuesday, 5 September 2017 16:32
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Server GC/name.dom/dom is not 
> registered with our KDC: Miscellaneous failure (see text): 
> Server (GC/name/dom at DOM) unknown
> On 2017-09-05 16:21, L.P.H. van Belle wrote:
> >> Keytabs look reasonable, as far as I can see, but why does
> >> graz-dc-sem have the same SPN output as graz-dc-1b in addition to its
> >> own?
> > A snapshotted server/cloned server? I don't know, but that's not correct.
> Nope, both were created clean. There used to be a 
> graz-dc-bis, but removing and re-adding it completely broke 
> replication, so I nuked it and created 1b to replace it. That 
> odyssey is in the list archives somewhere…

Very strange then if they were all created clean. 
Removing and re-adding is possible, but not without risk. 

> > I suggest, cleanup the DS with FSMO roles. 
> Clean up as in move FSMO roles to a clean server (leaves only
> villach-dc-*) ?
Yes and no.  ;-) 

I suggest the following: move the FSMO roles to villach-dc and check database replication.

Remove the most faulty one first, graz-dc-1b, from the domain. (Check and clean up DNS and AD! Very important.) 

You don't have to reinstall the complete OS, just clean up as told, and reprovision that server again. 
Reboot and then wait, and check database replication again. 
! Do reboot ! 

And repeat for all servers you don't trust. 

That should bring your network back as it should be. 

> > Then remove a faulty server and re-add it as a new installed DC.
> > ( the good DS with FSMO)
> > First backup: /var/lib/samba/private/secrets.keytab
> > Remove the incorrect entries from keytab file with ktutil rkt 
> > /var/lib/samba/private/secrets.keytab
> > list -e -t
> Might as well just nuke graz-dc-sem and add a complete new DC 
> from scratch, no?
No, and yes, but I prefer no, not needed (yet). 
Start with the keytab cleanup. 
Check the DNS records to see if the UUID, A, PTR and hostnames resolve to the correct server. 
If that's the case, then no, cleanup of the keytab is, I think, sufficient. 

Yes, if it's really a mess. ;-) 
Then, first add a new DC, then remove; just make sure you always have 2 DCs up and running (correctly).

> > Check if dates here are related to other work you/someone did?
> > 
> > Now you can remove the faulty one from the domain and re-add it (with
> > provisioning). Backup and cleanup:
> > /etc/samba/smb.conf  (rename)
> > /var/cache/samba	   ( remove all files from folder) 
> > /var/lib/samba	   ( remove all files and directories from folder) 
> > 
> > Now re-provision and you should have correct working DC's again. 
> > 
> > ! Before re-provisioning, make sure all OLD records dns and AD are gone. 
> I still have undeleteable replication records from the last 
> time I had to nuke a DC, nobody replied to my emails on that issue.

OK, now, I'm out of office in about 10 min, but mail that subject for me again. 
I'll have a look. 
Oh, and if you don't use it, ApacheDirectoryStudio can help a lot with cleanup of these kinds of things. 
But just make sure you know what you delete, for you mess up the AD even more. 
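
The keytab check discussed in this thread (entries for graz-dc-1b showing up on graz-dc-sem) can be scripted. The following is an added example, not part of the original mail or of Samba: it scans the text produced by the `list -e -t` step and reports entries whose host part is not the DC the keytab belongs to. The sample listing is constructed and its column layout is an assumption.

```python
import re

# A Kerberos principal, e.g. HOST/graz-dc-sem.dom@DOM or GRAZ-DC-SEM$@DOM
PRINCIPAL_RE = re.compile(r"(?P<name>[^\s@]+)@(?P<realm>[^\s@()]+)")

# Constructed sample (not real output); host names and realm taken from the thread.
SAMPLE_LISTING = """\
slot KVNO Timestamp         Principal
---- ---- ----------------- ------------------------------------------------
   1    1 01/01/17 00:00:00 HOST/graz-dc-sem@DOM (aes256-cts-hmac-sha1-96)
   2    1 01/01/17 00:00:00 HOST/graz-dc-sem.dom@DOM (aes256-cts-hmac-sha1-96)
   3    1 01/01/17 00:00:00 GRAZ-DC-SEM$@DOM (arcfour-hmac)
   4    1 01/01/17 00:00:00 HOST/graz-dc-1b@DOM (aes256-cts-hmac-sha1-96)
   5    1 01/01/17 00:00:00 GRAZ-DC-1B$@DOM (arcfour-hmac)
"""


def owner_of(principal_name):
    """Return the short, lower-cased host name a principal belongs to.

    service/host[.domain][/extra] -> host, MACHINE$ -> machine
    """
    parts = principal_name.split("/")
    host = parts[1] if len(parts) > 1 else parts[0].rstrip("$")
    return host.split(".")[0].lower()


def foreign_entries(listing, expected_host):
    """Return (first_column, principal) for entries not owned by expected_host."""
    expected = expected_host.split(".")[0].lower()
    found = []
    for line in listing.splitlines():
        match = PRINCIPAL_RE.search(line)
        if match is None:
            continue  # header, separator or blank line
        if owner_of(match.group("name")) != expected:
            found.append((line.split()[0], match.group(0)))
    return found


if __name__ == "__main__":
    # Entries that should not be in graz-dc-sem's keytab
    for slot, principal in foreign_entries(SAMPLE_LISTING, "graz-dc-sem"):
        print(f"slot {slot}: {principal} does not belong to graz-dc-sem")
```

Run it against a listing saved from the backed-up copy of the keytab, and review each reported entry by hand before removing anything.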


