[Samba] Failed to find DC in keytab, gpupdate fails

Kacper Wirski kacper.wirski at gmail.com
Thu Mar 29 16:18:02 UTC 2018 

Try verifying kvno from the client that gives the error message. That 
kvno = 2 for dc$ must've come from somewhere. You can also double check 
e.g. via ADUC ldap attributes of the dc$: lastpwdset and kvno. If  kvno 
is definately 1 that means that client connecting has some error, if 
it's 2, than it means that dc has outdated keytab. And if it's the 
former, than I really am not sure why. My DC's have kvno 2 or 3 (those 
that were rejoined to the domain once).

I've seen scenario the other way round (clients knew about kvno 2 but 
keytab was already kvno 3 and that was when password change occured on 
the server, so kvno went up to 3. . Client reboot made them look up for 
the "new" kvno in the AD and they reconnected fine.

Regards,

Kacper


W dniu 29.03.2018 o 17:28, Krzysztof Paszkowski via samba pisze:
> Hi,
> you're right about kvno.
>
> kvno dc gives me:
> dc at DOMAIN.NET.PL: kvno = 1
>
> I'm pretty sure I didn't change dc$ password nor keytab wasn't recreated (the file is from 2015).
>
> I've checked other DCs.
> It looks like two of them with CentOS 7 have kvno = 2, and one with CentOS 6 has also v 1.
> DCs on CentOS 7 are pretty new, with samba version 4.7.4 from the scratch. Main DC and the second with CentOS 6 are from the beginning adventure with Samba4.
>
> So, how to fix it?
>
> Regards,
> Kris
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Kacper Wirski via samba
> Sent: Thursday, March 29, 2018 4:26 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find DC in keytab, gpupdate fails
>
> what is the output of "kvno dc.domain.net.pl"? There seems to be mismatch kvno of the secrets keytab, and what is client expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance password change for the dc$ account and keytab was not recreated?
> If You made some upgrades, maybe during process You for example rejoined the domain (that would set new password for the machine in AD).
>
> If "kvno dc.domain.net.pl" will give you answer = 2, than maybe You can just export keytab of the dc$ account and replace old secrets.keytab with new?
>
>
> Regards,
>
> Kacper
>
>
> W dniu 29.03.2018 o 16:01, Krzysztof Paszkowski via samba pisze:
>> Hi,
>> Setting dc's IP on top of resolv.conf file, as you suggested, didn't help.
>> Perhaps there's something else I could try.
>>
>> Regards,
>> Kris
>>
>> -----Original Message-----
>> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
>> Sent: Thursday, March 29, 2018 1:14 PM
>> To: samba at lists.samba.org
>> Cc: Krzysztof Paszkowski <kylo at kimpa.pl>
>> Subject: RE: Failed to find DC in keytab, gpupdate fails
>>
>> Hi,
>>
>> I suggest you post this to samba at list.samba.org that more for these
>> questions.
>>
>> Try this setting in resolv.conf
>>
>> search domain.net.pl
>> nameserver 10.1.10.11		# IP of DC itself.
>> #nameserver 			# and extra nameserver that has access to
>> the DC dns info. (a second dc maybe)
>> nameserver 8.8.8.8		# IP of forwarder in SMB.conf as backup for
>> internet access.
>> # and max 3 nameservers in resolv.conf.
>>
>> Stop samba and start it again, and check again.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba-technical
>>> [mailto:samba-technical-bounces at lists.samba.org] Namens Krzysztof
>>> Paszkowski via samba-technical
>>> Verzonden: donderdag 29 maart 2018 12:42
>>> Aan: samba-technical at lists.samba.org
>>> Onderwerp: Failed to find DC in keytab, gpupdate fails
>>>
>>> Hi all,
>>>
>>> I'm using Samba4 AD DC  for a while. I was starting from 4.1, now I
>>> have last version from 4.7.
>>>
>>> Everything was great, but suddenly computers were unable to install
>>> software via gpo.
>>>
>>> I'm looking for a  help, because I'm fighting almost for a week and
>>> I'm unable to find the  cause.
>>>
>>>    
>>>
>>> I saw such a logs on my main DC (and only there):
>>>
>>>    
>>>
>>> [2018/03/28 09:11:29.622673,  1]
>>> ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>>>
>>>     SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>>
>>> [2018/03/28 09:11:29.695783,  1]
>>> ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_updat
>>> e_internal)
>>>
>>>     GSS server Update(krb5)(1) Update failed:  Miscellaneous failure
>>> (see
>>> text): Failed to find DC$@DOMAIN.NET.PL(kvno
>>> <mailto:DC$@DOMAIN.NET.PL(kvno>
>>> 2) in keytab FILE:/usr/local/samba/private/secrets.keytab
>>> (aes256-cts-hmac-sha1-96)
>>>
>>>    
>>>
>>> This error repeats every time, the computer is turning on and trying
>>> to obtain group policy or when I'm trying to open \\DOMAIN.NET.PL
>>> <file:///\\DOMAIN.NET.PL> , although I can reach \\dc.domain.net.pl
>>> <file:///\\dc.domain.net.pl>  and shares of all others DCs.
>>>
>>>    
>>>
>>> I was googling, but I couldn't find resolution to my problem.
>>> The closest
>>> one had unnecessary  lines in smb.conf (with idmap and acl_xattr).
>>>
>>>    
>>>
>>> [root at dc samba-4.7.6]# klist -ke
>>> FILE:/usr/local/samba/private/secrets.keytab
>>>
>>> Keytab name: FILE:/usr/local/samba/private/secrets.keytab
>>>
>>> KVNO Principal
>>>
>>> ----
>>> --------------------------------------------------------------
>>> ------------
>>>
>>>      1 HOST/dc at DOMAIN.NET.PL <mailto:HOST/dc at DOMAIN.NET.PL>
>>> (des-cbc-crc)
>>>
>>>      1 HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL
>>> <mailto:HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL>  (des-cbc-crc)
>>>
>>>      1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>  (des-cbc-crc)
>>>
>>>      1 HOST/dc at DOMAIN.NET.PL <mailto:HOST/dc at DOMAIN.NET.PL>
>>> (des-cbc-md5)
>>>
>>>      1 HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL
>>> <mailto:HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL>  (des-cbc-md5)
>>>
>>>      1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>  (des-cbc-md5)
>>>
>>>      1 HOST/dc at DOMAIN.NET.PL <mailto:HOST/dc at DOMAIN.NET.PL>
>>> (arcfour-hmac)
>>>
>>>      1 HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL
>>> <mailto:HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL>  (arcfour-hmac)
>>>
>>>      1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>  (arcfour-hmac)
>>>
>>>      1 HOST/dc at DOMAIN.NET.PL <mailto:HOST/dc at DOMAIN.NET.PL>
>>> (aes128-cts-hmac-sha1-96)
>>>
>>>      1 HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL
>>> <mailto:HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL>
>>> (aes128-cts-hmac-sha1-96)
>>>
>>>      1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>
>>> (aes128-cts-hmac-sha1-96)
>>>
>>>      1 HOST/dc at DOMAIN.NET.PL <mailto:HOST/dc at DOMAIN.NET.PL>
>>> (aes256-cts-hmac-sha1-96)
>>>
>>>      1 HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL
>>> <mailto:HOST/dc.DOMAIN.net.pl at DOMAIN.NET.PL>
>>> (aes256-cts-hmac-sha1-96)
>>>
>>>      1 DC$@DOMAIN.NET.PL <mailto:DC$@DOMAIN.NET.PL>
>>> (aes256-cts-hmac-sha1-96)
>>>
>>>    
>>>
>>> Version 4.7.6, built from source, rather always according to Wiki.
>>>
>>> Internal DNS, DNS is working.
>>>
>>> Domain computers can connect to the domain.
>>>
>>> Samba-tool ntacl sysvolreset, samba-tool dbcheck --cross-ncs --fix  -
>>> not helping.
>>>
>>> I have updated from 4.7.4 to 4.7.6, but still the same.
>>>
>>> I have 5 AD DC in domain.
>>>
>>>    
>>>
>>> **smb.conf
>>>
>>> [global]
>>>
>>>           workgroup = DOMAIN
>>>
>>>           realm = DOMAIN.NET.PL
>>>
>>>           netbios name = DC
>>>
>>>           server role = active directory domain controller
>>>
>>>          dns forwarder = 8.8.8.8
>>>
>>> #       log level = 3 passdb:5 auth:5
>>>
>>>           bind interfaces only = yes
>>>
>>>           interfaces = lo eth0
>>>
>>>           log level = 1 auth_audit:1
>>>
>>>           allow dns updates = nonsecure
>>>
>>>           ntlm auth = yes
>>>
>>>           template shell = /bin/bash
>>>
>>>           template homedir = /tmp
>>>
>>>    
>>>
>>> [netlogon]
>>>
>>>           path =
>>> /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
>>>
>>>           read only = No
>>>
>>> [sysvol]
>>>
>>>           path = /usr/local/samba/var/locks/sysvol
>>>
>>>           read only = No
>>>
>>> [users$]
>>>
>>>          path = /usr/local/samba/var/data/users
>>>
>>>          comment = user folders for folder redirection
>>>
>>>          read only = No
>>>
>>> [udzial]
>>>
>>>           path = /usr/local/samba/var/data/udzial
>>>
>>>           read only = No
>>>
>>>           vfs objects = recycle
>>>
>>>           recycle:repository = .recycle/%u
>>>
>>>           recycle:keeptree = yes
>>>
>>>           recycle:touch = yes
>>>
>>>           recycle:versions = yes
>>>
>>>           recycle:inherit_nt_acl = Yes
>>>
>>>           recycle:directory_mode = 0700
>>>
>>>    
>>>
>>>    
>>>
>>> ****/etc/krb5.conf
>>>
>>> [libdefaults]
>>>
>>>           default_realm = DOMAIN.NET.PL
>>>
>>>           dns_lookup_realm = false
>>>
>>>           dns_lookup_kdc = true
>>>
>>>    
>>>
>>> **** /etc/hosts
>>>
>>> 127.0.0.1   localhost.localdomain       localhost
>>>
>>> 10.1.10.11      dc.domain.net.pl        dc
>>>
>>>    
>>>
>>> ****/etc/resolv.conf
>>>
>>> search domain.net.pl
>>>
>>> nameserver 10.3.10.1
>>>
>>> nameserver 10.6.10.1
>>>
>>> nameserver 10.10.10.1
>>>
>>> nameserver 127.0.0.1
>>>
>>>    
>>>
>>> I would be grateful for any hint.
>>>
>>>    
>>>
>>> Regards,
>>>
>>> Kris
>>>
>>>
>>

More information about the samba mailing list