[Samba] DC with outdated secrets

Andrew Bartlett abartlet at samba.org
Sun Nov 3 16:52:41 UTC 2019

On Sun, 2019-11-03 at 16:24 +0100, Johannes Engel via samba wrote:
> 2 hours and I am a little further:
> Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass
> which updated the machine password as well as the keytab.
> After a restart samba keeps complaining now that the (outdated) KVNO 6 is
> no longer part of the secrets.keytab:
> [2019/11/03 16:22:12.319958,  1]
> ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see
> text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab
> FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
> Apparently I missed one place in the update. Any ideas how to fix this last
> part?

Is there a second DC?

If so, it is trying to use the last password it knew.  Try forcing it
to use the first DC as the KDC until replication is back working, or
force it with 'samba-tool drs replicate --local -k no' (to force

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
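
Added example, not part of the original message and not Samba project code: a small Python check that reads the "Failed to find ... (kvno N) in keytab" error quoted above and compares the requested key version with what a keytab listing holds, to show whether the ticket was issued under an older key than the keytab now contains. The keytab listing is constructed in the layout of MIT `klist -k -e`, its kvno 7 is an assumed value, and the function names are hypothetical.

```python
import re

# Constructed sample: the error quoted in the thread, joined onto one line.
LOG = (
    "GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): "
    "Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab "
    "FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)")

# Constructed sample in the layout of MIT `klist -k -e`; kvno 7 is an assumption.
KEYTAB_LISTING = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ------------------------------------------------------------
   7 DC3$@MY.DOMAIN (aes256-cts-hmac-sha1-96)
   7 DC3$@MY.DOMAIN (aes128-cts-hmac-sha1-96)
   7 host/dc3.my.domain@MY.DOMAIN (aes256-cts-hmac-sha1-96)
"""

MISS_RE = re.compile(
    r"Failed to find\s+(\S+?)\(kvno\s+(\d+)\)"
    r"\s+in keytab\s+(\S+)\s+\(([^)]+)\)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$", re.M)

def parse_miss(log_text):
    """Extract principal, kvno, keytab and enctype from the GSSAPI error."""
    m = MISS_RE.search(log_text)
    if not m:
        return None
    return {"principal": m.group(1), "kvno": int(m.group(2)),
            "keytab": m.group(3), "enctype": m.group(4)}

def keytab_kvnos(listing, principal, enctype):
    """Key versions the listing holds for this exact principal and enctype."""
    return sorted({int(k) for k, p, e in ENTRY_RE.findall(listing)
                   if p == principal and e == enctype})

def diagnose(log_text, listing):
    """Classify the mismatch between the requested kvno and the keytab."""
    miss = parse_miss(log_text)
    if miss is None:
        return "no-keytab-miss"
    have = keytab_kvnos(listing, miss["principal"], miss["enctype"])
    if not have:
        return "principal-or-enctype-missing"
    if miss["kvno"] in have:
        return "kvno-present"
    if miss["kvno"] < min(have):
        return "ticket-older-than-keytab"  # issuer still uses a previous password
    return "ticket-newer-than-keytab"      # keytab lags behind the directory
```

With these samples `diagnose(LOG, KEYTAB_LISTING)` returns "ticket-older-than-keytab", which is the situation the reply describes: whoever issued the ticket is still using the last password it knew.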
