[Samba] DC with outdated secrets
Andrew Bartlett
abartlet at samba.org
Sun Nov 3 16:52:41 UTC 2019
On Sun, 2019-11-03 at 16:24 +0100, Johannes Engel via samba wrote:
> 2 hours and I am a little further:
> Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass
> which updated the machine password as well as the keytab.
> After a restart samba keeps complaining now that the (outdated) KVNO 6 is
> no longer part of the secrets.keytab:
> [2019/11/03 16:22:12.319958, 1]
> ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
> text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab
> FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>
> Apparently I missed one place in the update. Any ideas how to fix this last
> part?
Is there a second DC?
If so, it is trying to use the last password it knew. Try forcing it
to use the first DC as the KDC until replication is back working, or
force it with 'samba-tool drs replicate --local -k no' (to force
NTLMSSP).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
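
An added example, not part of the thread and not Samba code: a small check that compares the kvno named in the gensec_gssapi error with the kvnos actually in the keytab, to tell a stale ticket (issued by a KDC that still knows the previous password, the case described in the reply) from a stale keytab. The `klist -k -e` listing is constructed, and kvno 7 as the post-change value is an assumption; the function names are hypothetical.

```python
import re

# The error from the thread, joined onto one line.
LOG = ("GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
       "Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab "
       "FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)")

# Constructed sample of `klist -k -e` output; kvno 7 is an assumed value.
KLIST = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ----------------------------------------------------------
   7 DC3$@MY.DOMAIN (aes256-cts-hmac-sha1-96)
   7 DC3$@MY.DOMAIN (aes128-cts-hmac-sha1-96)
   7 HOST/dc3.my.domain@MY.DOMAIN (aes256-cts-hmac-sha1-96)
"""

MISS_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_miss(line):
    """Extract principal, kvno, keytab and enctype from the keytab-miss error."""
    m = MISS_RE.search(line)
    if not m:
        return None
    principal, kvno, keytab, enctype = m.groups()
    return {"principal": principal, "kvno": int(kvno),
            "keytab": keytab, "enctype": enctype}

def keytab_kvnos(klist_text, principal, enctype):
    """Return the sorted kvnos the listing holds for this principal and enctype."""
    kvnos = set()
    for line in klist_text.splitlines():
        m = ENTRY_RE.match(line)  # header and separator lines do not match
        if m and m.group(2) == principal and m.group(3) == enctype:
            kvnos.add(int(m.group(1)))
    return sorted(kvnos)

def diagnose(log_line, klist_text):
    miss = parse_miss(log_line)
    if miss is None:
        return "no-keytab-miss"
    have = keytab_kvnos(klist_text, miss["principal"], miss["enctype"])
    if not have:
        return "principal-or-enctype-missing"
    if miss["kvno"] in have:
        return "kvno-present"
    # A lower kvno in the ticket means the issuing KDC has not yet seen the new password.
    return "ticket-older-than-keytab" if miss["kvno"] < max(have) else "keytab-older-than-ticket"

if __name__ == "__main__":
    print(parse_miss(LOG), diagnose(LOG, KLIST))
```
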