[Samba] DC with outdated secrets
Johannes Engel
jcnengel at gmail.com
Sun Nov 3 15:24:40 UTC 2019
2 hours and I am a little further:
Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass
which updated the machine password as well as the keytab.
After a restart samba keeps complaining now that the (outdated) KVNO 6 is
no longer part of the secrets.keytab:
[2019/11/03 16:22:12.319958, 1]
../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab
FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
Apparently I missed one place in the update. Any ideas how to fix this last
part?
Thanks a lot!
Best regards
Johannes
Am So., 3. Nov. 2019 um 13:37 Uhr schrieb Johannes Engel <jcnengel at gmail.com
>:
> Dear list,
>
> by mistake some script (msktutil) has updated machine password and keytab
> for one of my DCs (samba-4.10.10). While I could restore the keytab
> (/var/lib/samba/private/secrets.keytab) using samba-tool domain
> exportkeytab, I fail to come up with a way to update the secrets file
> (/var/lib/samba/private/secrets.ldb) with a new machine password.
> Can you please help me with an idea how to fix this?
> Currently I have a lot of these:
>
> [2019/11/03 13:36:15.516141, 1]
> ../../source4/auth/gensec/gensec_gssapi.c:331(gensec_gssapi_client_creds)
> Wrong username or password: kinit for DC3$@MY.DOMAIN failed
> (Preauthentication failed)
>
> and subsequently failing DRS replication.
> Thanks a lot!
>
> Best regards
> Johannes
>
More information about the samba
mailing list