[Samba] Unable to rejoin domain, LDAP error 50

kylo at kimpa.pl kylo at kimpa.pl
Sun Apr 8 10:31:26 UTC 2018


>>> 2. KVNO mismatch - on the main DC
>>> 
>>> [2018/04/03 14:36:46.822531,
>>> 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>> [2018/04/03 14:36:46.968728,
>>> 1] 
>>> ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>>> GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see
>>> text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab
>>> FILE:/usr/local/samba/private/secrets.keytab 
>>> (aes256-cts-hmac-sha1-96)
>>> 
>>> kvno DC
>>> DC@DOMAIN.NET.PL: kvno = 1
>>> 
>>> Is there any other way to increase the key version to 2 than to demote
>>> the DC and rejoin the domain? I was trying with the command:
>>> ktutil:  add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e
>>> aes256-cts-hmac-sha1-96 but then I'm asked to enter a password (or key
>>> with the -key option in add_entry) - can I leave it empty and just hit
>>> the Enter key?
>>> 
>>> 
>> 
>> You could try running 'samba_upgradeprovision', this will reset the
>> passwords:
>> 
>> samba_upgradeprovision --realm=<YOUR REALM> -U Administrator
>> 
>> NOTE: I have never had to do this, so I would urge you to back up
>> everything before trying it.
>> 
>> However, the errors could be coming from something that is using stale
>> passwords; they may go away if you wait long enough or reboot
>> everything.
>> 
>> Rowland
> 
> I'll try it this weekend, after making a full backup of my DC. I've
> been facing this error about the KVNO mismatch for at least three weeks
> (and I'm not sure where it came from).
> 
> Thank you for your assistance, I'll give you feedback about
> samba_upgradeprovision.
> 
> Regards,
> Kris

I should have tried this command sooner. Now I have made a full backup
and something is missing:

[root@dc ~]# cd /opt/samba-4.7.6/bin
[root@dc bin]# ./samba_upgradeprovision --realm=DOMAIN.NET.PL -U Administrator
Traceback (most recent call last):
   File "./samba_upgradeprovision", line 36, in <module>
     import ldb

I get the same output when running the script from the
/opt/samba-4.7.6/source4/scripting/bin/ directory.
The OS is CentOS 6. Google returns nothing really special about it.

Any hint?

Regards,
Kris
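
An added example, not part of the original thread: a small Python helper that compares the "Failed to find ... (kvno N) in keytab" errors quoted above against a keytab listing, to tell a stale key version apart from a missing enctype or principal. The function names are hypothetical, and the `klist -ke` text is a constructed sample that assumes the MIT klist layout.

```python
import re

# Constructed sample: the gensec_gssapi failure from the thread, on one line.
SAMPLE_LOG = ("GSS server Update(krb5)(1) Update failed:  Miscellaneous failure "
              "(see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
              "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)")

# Constructed sample of `klist -ke` output for that keytab (MIT klist layout assumed).
SAMPLE_KLIST = """\
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
"""

MISS_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+)\s+\(([^)]+)\)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_misses(log_text):
    """Return (principal, kvno, keytab, enctype) for each keytab lookup failure."""
    flat = " ".join(log_text.split())  # undo log/mail line wrapping
    return [(p, int(k), kt, e) for p, k, kt, e in MISS_RE.findall(flat)]

def parse_keytab(klist_text):
    """Map (principal, enctype) -> set of KVNOs present in the keytab listing."""
    entries = {}
    for line in klist_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault((m.group(2), m.group(3)), set()).add(int(m.group(1)))
    return entries

def diagnose(log_text, klist_text):
    """Classify each miss as (principal, enctype, wanted_kvno, kvnos_held, verdict)."""
    keytab = parse_keytab(klist_text)
    report = []
    for principal, kvno, _, enctype in parse_misses(log_text):
        have = keytab.get((principal, enctype), set())
        if kvno in have:
            verdict = "present"        # key is there; the log line is older than the keytab
        elif have:
            verdict = "stale-kvno"     # key exists, but only at other versions
        else:
            known = any(p == principal for p, _ in keytab)
            verdict = "missing-enctype" if known else "missing-principal"
        report.append((principal, enctype, kvno, sorted(have), verdict))
    return report
```

For the error in this thread the verdict is `stale-kvno`: the client presented a ticket for key version 2 while the keytab listing only holds version 1.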
