[Samba] Failed to find DC in keytab, gpupdate fails
L.P.H. van Belle
belle at bazuin.nl
Thu Mar 29 11:14:08 UTC 2018
Hi,
I suggest you post this to samba at list.samba.org, which is more for these questions.
Try this setting in resolv.conf
search domain.net.pl
nameserver 10.1.10.11 # IP of DC itself.
#nameserver # an extra nameserver that has access to the DC dns info. (a second dc maybe)
nameserver 8.8.8.8 # IP of forwarder in SMB.conf as backup for internet access.
# and max 3 nameservers in resolv.conf.
Stop samba and start it again, and check again.
Greetz,
Louis
> -----Original message-----
> From: samba-technical
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of
> Krzysztof Paszkowski via samba-technical
> Sent: Thursday 29 March 2018 12:42
> To: samba-technical at lists.samba.org
> Subject: Failed to find DC in keytab, gpupdate fails
>
> Hi all,
>
> I've been using Samba4 AD DC for a while. I started from 4.1, and now I have the latest version from 4.7.
>
> Everything was great, but suddenly computers were unable to install software via GPO.
>
> I'm looking for help, because I've been fighting for almost a week and I'm unable to find the cause.
>
>
>
> I saw such logs on my main DC (and only there):
>
>
>
> [2018/03/28 09:11:29.622673, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2018/03/28 09:11:29.695783, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>
>
>
> This error repeats every time a computer turns on and tries to obtain group policy, or when I try to open \\DOMAIN.NET.PL, although I can reach \\dc.domain.net.pl and the shares of all other DCs.
>
>
>
> I was googling, but I couldn't find a resolution to my problem. The closest one had unnecessary lines in smb.conf (with idmap and acl_xattr).
>
>
>
> [root@dc samba-4.7.6]# klist -ke FILE:/usr/local/samba/private/secrets.keytab
> Keytab name: FILE:/usr/local/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-crc)
>    1 DC$@DOMAIN.NET.PL (des-cbc-crc)
>    1 HOST/dc@DOMAIN.NET.PL (des-cbc-md5)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-md5)
>    1 DC$@DOMAIN.NET.PL (des-cbc-md5)
>    1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (arcfour-hmac)
>    1 DC$@DOMAIN.NET.PL (arcfour-hmac)
>    1 HOST/dc@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>    1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>    1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>    1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>
>
>
> Version 4.7.6, built from source, more or less always according to the Wiki.
>
> Internal DNS, DNS is working.
>
> Domain computers can connect to the domain.
>
> samba-tool ntacl sysvolreset and samba-tool dbcheck --cross-ncs --fix are not helping.
>
> I have updated from 4.7.4 to 4.7.6, but still the same.
>
> I have 5 AD DCs in the domain.
>
>
>
> **smb.conf
>
> [global]
>
> workgroup = DOMAIN
>
> realm = DOMAIN.NET.PL
>
> netbios name = DC
>
> server role = active directory domain controller
>
> dns forwarder = 8.8.8.8
>
> # log level = 3 passdb:5 auth:5
>
> bind interfaces only = yes
>
> interfaces = lo eth0
>
> log level = 1 auth_audit:1
>
> allow dns updates = nonsecure
>
> ntlm auth = yes
>
> template shell = /bin/bash
>
> template homedir = /tmp
>
>
>
> [netlogon]
>
> path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
>
> read only = No
>
> [sysvol]
>
> path = /usr/local/samba/var/locks/sysvol
>
> read only = No
>
> [users$]
>
> path = /usr/local/samba/var/data/users
>
> comment = user folders for folder redirection
>
> read only = No
>
> [udzial]
>
> path = /usr/local/samba/var/data/udzial
>
> read only = No
>
> vfs objects = recycle
>
> recycle:repository = .recycle/%u
>
> recycle:keeptree = yes
>
> recycle:touch = yes
>
> recycle:versions = yes
>
> recycle:inherit_nt_acl = Yes
>
> recycle:directory_mode = 0700
>
>
>
>
>
> ****/etc/krb5.conf
>
> [libdefaults]
>
> default_realm = DOMAIN.NET.PL
>
> dns_lookup_realm = false
>
> dns_lookup_kdc = true
>
>
>
> **** /etc/hosts
>
> 127.0.0.1 localhost.localdomain localhost
>
> 10.1.10.11 dc.domain.net.pl dc
>
>
>
> ****/etc/resolv.conf
>
> search domain.net.pl
>
> nameserver 10.3.10.1
>
> nameserver 10.6.10.1
>
> nameserver 10.10.10.1
>
> nameserver 127.0.0.1
>
>
>
> I would be grateful for any hint.
>
>
>
> Regards,
>
> Kris
>
>
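As an added diagnostic example (not code from either poster), the following Python script reconciles the gensec_gssapi error line quoted above with the `klist -ke` listing from the same post: it extracts the principal, key version number (kvno) and encryption type the acceptor asked for, then reports whether the keytab is missing the principal entirely, that kvno, or only that enctype. The log line and keytab listing embedded below are constructed from the quoted post, with the archive's " at " obfuscation restored to "@"; the function names are my own.

```python
import re

# Constructed from the quoted post: the gensec_gssapi failure line
LOG_LINE = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
    "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)"
)

# Constructed from the quoted post: output of `klist -ke <keytab>` (abbreviated
# to the enctypes that matter for the error; the full list has the same shape)
KLIST_OUTPUT = """Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (des-cbc-crc)
   1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
"""

# "Failed to find <principal>(kvno <n>) in keytab <path> (<enctype>)"
LOG_RE = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)
# One `klist -ke` entry: "<kvno> <principal> (<enctype>)"
KLIST_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$")


def parse_gensec_failure(line):
    """Return the principal/kvno/keytab/enctype the acceptor wanted, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "principal": m.group("principal"),
        "kvno": int(m.group("kvno")),
        "keytab": m.group("keytab"),
        "enctype": m.group("enctype"),
    }


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal"), m.group("enctype")))
    return entries


def diagnose(log_line, klist_text):
    """Classify why the requested key is absent from the keytab."""
    req = parse_gensec_failure(log_line)
    if req is None:
        return {"status": "no-match"}
    entries = parse_klist(klist_text)
    same_principal = [e for e in entries if e[1] == req["principal"]]
    kvnos = sorted({e[0] for e in same_principal})
    exact = [e for e in same_principal if e[0] == req["kvno"] and e[2] == req["enctype"]]
    if exact:
        status = "present"          # key is there; look elsewhere (clock, DNS, wrong keytab)
    elif not same_principal:
        status = "principal-missing"
    elif req["kvno"] not in kvnos:
        status = "kvno-mismatch"    # keytab holds older/newer key versions than the KDC issued
    else:
        status = "enctype-missing"  # right kvno, but no key of the requested enctype
    return {
        "status": status,
        "principal": req["principal"],
        "requested_kvno": req["kvno"],
        "keytab_kvnos": kvnos,
        "enctype": req["enctype"],
    }


if __name__ == "__main__":
    result = diagnose(LOG_LINE, KLIST_OUTPUT)
    print(f"{result['principal']}: {result['status']} "
          f"(requested kvno {result['requested_kvno']}, keytab has {result['keytab_kvnos']})")
```

On the quoted data the script reports `kvno-mismatch`: every entry in secrets.keytab is kvno 1 while the tickets arriving at this DC were issued against kvno 2, which is exactly what the error text says. The classification is useful because the three failure classes point at different things to inspect (keytab vs. directory key versions, a missing enctype, or a principal that was never written to the keytab), and the script can be run against real `klist -ke` output and a fresh log line to confirm which one applies.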