[Samba] Failed to find DC in keytab, gpupdate fails
Krzysztof Paszkowski
kylo at kimpa.pl
Fri Mar 30 09:10:02 UTC 2018
I confirmed kvno=1 on DC from one of the client:
dsquery * -filter sAMAccountName=DC* -attr msDS-KeyVersionNumber
msDS-KeyVersionNumber
1
I'll try to demote and rejoin to the domain, which should refresh the keytab and increase the kvno. Am I right?
Regards,
Kris
-----Original Message-----
From: Krzysztof Paszkowski [mailto:kylo at kimpa.pl]
Sent: Thursday, March 29, 2018 10:39 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] Failed to find DC in keytab, gpupdate fails
I believe that every client that has DC as its %LOGONSERVER% and is trying to obtain GPOs causes this error, because there are a lot of them. I couldn't yet find how to verify the kvno from the client. I saw somewhere that I might need to sniff this with Wireshark. I verified only (via ADUC) that the pwdLastSet value for DC is 2015-02-11 (exactly like the date of the secrets.keytab file).
Can I somehow generate kvno 2 for DC?
Does migration to MIT KDC resolve this problem, or is there an easier method?
Regards,
Kris
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Kacper Wirski via samba
Sent: Thursday, March 29, 2018 6:18 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Failed to find DC in keytab, gpupdate fails
Try verifying the kvno from the client that gives the error message. That kvno = 2 for dc$ must've come from somewhere. You can also double check e.g. via ADUC the LDAP attributes of the dc$: lastpwdset and kvno. If kvno is definitely 1, that means that the connecting client has some error; if it's 2, then it means that the dc has an outdated keytab. And if it's the former, then I really am not sure why. My DCs have kvno 2 or 3 (those that were rejoined to the domain once).
I've seen a scenario the other way round (clients knew about kvno 2 but the keytab was already kvno 3, and that was when a password change occurred on the server, so kvno went up to 3). A client reboot made them look for the "new" kvno in the AD and they reconnected fine.
Regards,
Kacper
On 29.03.2018 at 17:28, Krzysztof Paszkowski via samba wrote:
> Hi,
> you're right about kvno.
>
> kvno dc gives me:
> dc@DOMAIN.NET.PL: kvno = 1
>
> I'm pretty sure I didn't change the dc$ password, nor was the keytab recreated (the file is from 2015).
>
> I've checked other DCs.
> It looks like two of them with CentOS 7 have kvno = 2, and one with CentOS 6 also has version 1.
> The DCs on CentOS 7 are pretty new, with samba version 4.7.4 from scratch. The main DC and the second one with CentOS 6 are from the beginning of the adventure with Samba4.
>
> So, how to fix it?
>
> Regards,
> Kris
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Kacper Wirski via samba
> Sent: Thursday, March 29, 2018 4:26 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find DC in keytab, gpupdate fails
>
> What is the output of "kvno dc.domain.net.pl"? There seems to be a mismatch between the kvno of the secrets keytab and what the client is expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance a password change for the dc$ account while the keytab was not recreated?
> If you made some upgrades, maybe during the process you for example rejoined the domain (that would set a new password for the machine in AD).
>
> If "kvno dc.domain.net.pl" gives you the answer = 2, then maybe you can just export the keytab of the dc$ account and replace the old secrets.keytab with the new one?
>
>
> Regards,
>
> Kacper
>
>
> On 29.03.2018 at 16:01, Krzysztof Paszkowski via samba wrote:
>> Hi,
>> Setting dc's IP on top of resolv.conf file, as you suggested, didn't help.
>> Perhaps there's something else I could try.
>>
>> Regards,
>> Kris
>>
>> -----Original Message-----
>> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
>> Sent: Thursday, March 29, 2018 1:14 PM
>> To: samba at lists.samba.org
>> Cc: Krzysztof Paszkowski <kylo at kimpa.pl>
>> Subject: RE: Failed to find DC in keytab, gpupdate fails
>>
>> Hi,
>>
>> I suggest you post this to samba at lists.samba.org, that is more for these questions.
>>
>> Try this setting in resolv.conf
>>
>> search domain.net.pl
>> nameserver 10.1.10.11   # IP of DC itself.
>> #nameserver             # an extra nameserver that has access to the DC dns info (a second dc maybe).
>> nameserver 8.8.8.8      # IP of forwarder in smb.conf as backup for internet access.
>> # and max 3 nameservers in resolv.conf.
>>
>> Stop samba and start it again, and check again.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original Message-----
>>> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Krzysztof Paszkowski via samba-technical
>>> Sent: Thursday, 29 March 2018 12:42
>>> To: samba-technical at lists.samba.org
>>> Subject: Failed to find DC in keytab, gpupdate fails
>>>
>>> Hi all,
>>>
>>> I've been using Samba4 AD DC for a while. I started from 4.1; now I have the latest version from 4.7.
>>>
>>> Everything was great, but suddenly computers were unable to install
>>> software via gpo.
>>>
>>> I'm looking for help, because I've been fighting for almost a week and I'm unable to find the cause.
>>>
>>>
>>>
>>> I saw such logs on my main DC (and only there):
>>>
>>> [2018/03/28 09:11:29.622673, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>>>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>> [2018/03/28 09:11:29.695783, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>>>   GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>>>
>>> This error repeats every time a computer is turning on and trying to obtain group policy, or when I'm trying to open \\DOMAIN.NET.PL, although I can reach \\dc.domain.net.pl and the shares of all the other DCs.
>>>
>>> I was googling, but I couldn't find a resolution to my problem. The closest one had unnecessary lines in smb.conf (with idmap and acl_xattr).
>>>
>>>
>>>
>>> [root@dc samba-4.7.6]# klist -ke FILE:/usr/local/samba/private/secrets.keytab
>>> Keytab name: FILE:/usr/local/samba/private/secrets.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>    1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
>>>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-crc)
>>>    1 DC$@DOMAIN.NET.PL (des-cbc-crc)
>>>    1 HOST/dc@DOMAIN.NET.PL (des-cbc-md5)
>>>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-md5)
>>>    1 DC$@DOMAIN.NET.PL (des-cbc-md5)
>>>    1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
>>>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (arcfour-hmac)
>>>    1 DC$@DOMAIN.NET.PL (arcfour-hmac)
>>>    1 HOST/dc@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>>>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>>>    1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>>>    1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>>>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>>>    1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>>>
>>> Version 4.7.6, built from source, pretty much always according to the Wiki.
>>>
>>> Internal DNS, DNS is working.
>>>
>>> Domain computers can connect to the domain.
>>>
>>> samba-tool ntacl sysvolreset, samba-tool dbcheck --cross-ncs --fix - not helping.
>>>
>>> I have updated from 4.7.4 to 4.7.6, but still the same.
>>>
>>> I have 5 AD DCs in the domain.
>>>
>>>
>>>
>>> **smb.conf
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.NET.PL
>>> netbios name = DC
>>> server role = active directory domain controller
>>> dns forwarder = 8.8.8.8
>>> # log level = 3 passdb:5 auth:5
>>> bind interfaces only = yes
>>> interfaces = lo eth0
>>> log level = 1 auth_audit:1
>>> allow dns updates = nonsecure
>>> ntlm auth = yes
>>> template shell = /bin/bash
>>> template homedir = /tmp
>>>
>>> [netlogon]
>>> path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /usr/local/samba/var/locks/sysvol
>>> read only = No
>>>
>>> [users$]
>>> path = /usr/local/samba/var/data/users
>>> comment = user folders for folder redirection
>>> read only = No
>>>
>>> [udzial]
>>> path = /usr/local/samba/var/data/udzial
>>> read only = No
>>> vfs objects = recycle
>>> recycle:repository = .recycle/%u
>>> recycle:keeptree = yes
>>> recycle:touch = yes
>>> recycle:versions = yes
>>> recycle:inherit_nt_acl = Yes
>>> recycle:directory_mode = 0700
>>>
>>> ****/etc/krb5.conf
>>>
>>> [libdefaults]
>>> default_realm = DOMAIN.NET.PL
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> **** /etc/hosts
>>>
>>> 127.0.0.1 localhost.localdomain localhost
>>> 10.1.10.11 dc.domain.net.pl dc
>>>
>>> ****/etc/resolv.conf
>>>
>>> search domain.net.pl
>>> nameserver 10.3.10.1
>>> nameserver 10.6.10.1
>>> nameserver 10.10.10.1
>>> nameserver 127.0.0.1
>>>
>>>
>>> I would be grateful for any hint.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Kris
>>>
>>>
>>
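The diagnosis Kacper walks through above (compare the kvno the client presents in the gensec_gssapi error against what secrets.keytab holds, then against msDS-KeyVersionNumber in AD) can be scripted so it is not done by eye across a long `klist -ke` listing. The following is an added example written for this page, not code from the thread or from Samba. It embeds a constructed, abbreviated copy of the `klist -ke` output and the log line from the thread as sample input (with `@` restored in principals, which the list archive rewrote as ` at `); the function names, the three-way diagnosis and the `ad_kvno` argument are this example's own assumptions.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample input, abbreviated from the 'klist -ke' output posted in the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
"""

# Constructed sample input: the gensec_gssapi failure from the thread, re-joined onto one line.
LOG_LINE = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
    "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)"
)

# One keytab entry: "<kvno> <principal> (<enctype>)"; header/separator lines do not match.
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# The Samba/Kerberos error text: principal, the kvno the client presented, keytab path, enctype.
FAILURE = re.compile(
    r"Failed to find (?P<princ>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<etype>[^)]+)\)"
)

KeytabIndex = Dict[str, Set[Tuple[int, str]]]


def parse_klist(text: str) -> KeytabIndex:
    """Index 'klist -ke' output as principal -> {(kvno, enctype), ...}."""
    index: KeytabIndex = {}
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            index.setdefault(m.group(2), set()).add((int(m.group(1)), m.group(3)))
    return index


def parse_failure(line: str) -> Optional[dict]:
    """Pull principal, kvno, keytab path and enctype out of the gensec_gssapi error."""
    m = FAILURE.search(line)
    if not m:
        return None
    return {"principal": m["princ"], "kvno": int(m["kvno"]),
            "keytab": m["keytab"], "enctype": m["etype"]}


def diagnose(keytab: KeytabIndex, failure: dict) -> str:
    """Say which of principal, kvno or enctype the keytab lacks and what that implies.

    The kvno reasoning follows the thread: kvno rises by one per password change, so a
    keytab below the client's kvno is stale; a keytab above it means the client's ticket is.
    """
    princ, wanted = failure["principal"], failure["kvno"]
    if princ not in keytab:
        return f"principal {princ} is not in the keytab at all"
    kvnos = {k for k, _ in keytab[princ]}
    if wanted not in kvnos:
        if wanted > max(kvnos):
            return (f"kvno mismatch: keytab holds kvno {sorted(kvnos)} for {princ}, client "
                    f"presented kvno {wanted}; the keytab is older than the account password")
        return (f"kvno mismatch: client presented kvno {wanted}, keytab already holds "
                f"{sorted(kvnos)}; the client's ticket is stale and a fresh TGT fixes it")
    if failure["enctype"] not in {e for k, e in keytab[princ] if k == wanted}:
        return f"enctype mismatch: kvno {wanted} present but not for {failure['enctype']}"
    return "keytab has the requested key; the failure is not a keytab problem"


def stale_against_ad(keytab: KeytabIndex, principal: str, ad_kvno: int) -> bool:
    """True when the keytab's highest kvno for the principal lags AD's msDS-KeyVersionNumber."""
    return max((k for k, _ in keytab.get(principal, ())), default=0) < ad_kvno


if __name__ == "__main__":
    kt = parse_klist(KLIST_OUTPUT)
    print(diagnose(kt, parse_failure(LOG_LINE)))
    # dsquery in the thread reported msDS-KeyVersionNumber = 1 for DC, so the keytab is
    # not behind AD and the kvno 2 has to be coming from the client side.
    print("keytab behind AD:", stale_against_ad(kt, "DC$@DOMAIN.NET.PL", 1))
```

Run it against the real listing with `klist -ke FILE:/usr/local/samba/private/secrets.keytab` piped into `parse_klist` and the log line grepped from the DC's log; `stale_against_ad` takes the value returned by the `dsquery ... -attr msDS-KeyVersionNumber` command shown at the top of the thread.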