[Samba] DC with outdated secrets

Johannes Engel jcnengel at gmail.com
Sun Nov 3 15:24:40 UTC 2019

2 hours and I am a little further:
Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass
which updated the machine password as well as the keytab.
After a restart samba keeps complaining now that the (outdated) KVNO 6 is
no longer part of the secrets.keytab:
[2019/11/03 16:22:12.319958,  1]
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see
text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab
FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

Apparently I missed one place in the update. Any ideas how to fix this last

Thanks a lot!

Best regards

On Sun, 3 Nov 2019 at 13:37, Johannes Engel <jcnengel at gmail.com> wrote:

> Dear list,
> by mistake some script (msktutil) has updated machine password and keytab
> for one of my DCs (samba-4.10.10). While I could restore the keytab
> (/var/lib/samba/private/secrets.keytab) using samba-tool domain
> exportkeytab, I fail to come up with a way to update the secrets file
> (/var/lib/samba/private/secrets.ldb) with a new machine password.
> Can you please help me with an idea how to fix this?
> Currently I have a lot of these:
> [2019/11/03 13:36:15.516141,  1]
> ../../source4/auth/gensec/gensec_gssapi.c:331(gensec_gssapi_client_creds)
>   Wrong username or password: kinit for DC3$@MY.DOMAIN failed
> (Preauthentication failed)
> and subsequently failing DRS replication.
> Thanks a lot!
> Best regards
> Johannes
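
An added example, not part of the original messages or of Samba: a small log triage script that re-joins wrapped Samba log records and separates the two symptoms quoted in this thread, the DC's own kinit failing preauthentication and a ticket asking for a key version that is absent from the keytab. The names `records` and `classify` are chosen for this example, and the sample log is constructed from the excerpts above.

```python
import re

# Constructed sample: the two log excerpts quoted in this thread, wrapped as mailed.
SAMPLE_LOG = """\
[2019/11/03 13:36:15.516141,  1]
../../source4/auth/gensec/gensec_gssapi.c:331(gensec_gssapi_client_creds)
  Wrong username or password: kinit for DC3$@MY.DOMAIN failed
(Preauthentication failed)
[2019/11/03 16:22:12.319958,  1]
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see
text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab
FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
"""

# A record starts with "[timestamp, level]"; every other line continues it.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+\d+\]\s*(.*)$")
KEYTAB_MISS = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")
PREAUTH = re.compile(r"kinit for (\S+) failed \(Preauthentication failed\)")

def records(text):
    """Yield (timestamp, message), re-joining wrapped continuation lines."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(" ".join(parts).split())
            stamp, parts = m[1], [m[2]]
        elif stamp is not None:
            parts.append(line)
    if stamp is not None:  # flush the final record
        yield stamp, " ".join(" ".join(parts).split())

def classify(text):
    """Return one finding per record that matches either symptom."""
    findings = []
    for stamp, msg in records(text):
        if (m := KEYTAB_MISS.search(msg)):
            findings.append({"kind": "keytab_kvno_missing", "time": stamp,
                             "principal": m[1], "kvno": int(m[2]),
                             "keytab": m[3], "enctype": m[4]})
        elif (m := PREAUTH.search(msg)):
            findings.append({"kind": "preauth_failed", "time": stamp, "principal": m[1]})
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```
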
