[Samba] DC with outdated secrets

Johannes Engel jcnengel at gmail.com
Sun Nov 3 17:58:14 UTC 2019


Hi Andrew,

Thanks a lot. However, I am not entirely sure I understand your hint:
I have 3 DCs in the domain, the third of which is having the issue
described.
Now, here is what I did:
> samba-tool drs replicate DC3 DC2 dc=my,dc=domain --local -k no
Partition[dc=my,dc=domain] objects[0] linked_values[0]
Incremental replication of 0 objects and 0 links from DC2 to tdb:///var/lib/samba/private/sam.ldb was successful.

> samba-tool drs replicate DC3 DC1 dc=my,dc=domain --local -k no
Partition[dc=my,dc=domain] objects[0] linked_values[0]
Incremental replication of 0 objects and 0 links from DC1 to tdb:///var/lib/samba/private/sam.ldb was successful.

but:
> samba-tool drs replicate DC1 DC3 dc=my,dc=domain
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 389, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 87, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Did I miss anything?

Best regards
Johannes

On Sun, 3 Nov 2019 at 17:52, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sun, 2019-11-03 at 16:24 +0100, Johannes Engel via samba wrote:
> > 2 hours and I am a little further:
> > Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass
> > which updated the machine password as well as the keytab.
> > After a restart samba keeps complaining now that the (outdated) KVNO 6 is
> > no longer part of the secrets.keytab:
> > [2019/11/03 16:22:12.319958,  1] ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
> >   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
> >
> > Apparently I missed one place in the update. Any ideas how to fix this last part?
>
> Is there a second DC?
>
> If so, it is trying to use the last password it knew.  Try forcing it
> to use the first DC as the KDC until replication is back working, or
> force it with 'samba-tool drs replicate --local -k no' (to force
> NTLMSSP).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
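The failure in this thread is a key-version mismatch: after DC3's machine password was changed locally, a peer DC that has not yet replicated the new password still issues tickets for the key version it last knew (kvno 6), which DC3's secrets.keytab no longer holds. As an added diagnostic (not code from the thread or from Samba), the POSIX sh script below compares the msDS-KeyVersionNumber each DC reports for DC3$ with the KVNOs present in the keytab; the klist and ldbsearch outputs are constructed samples, and the klist/ldbsearch invocations in the comments are assumptions about which tools you would run.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: check whether the key
# version a DC reports for a machine account is present in that machine's
# secrets.keytab. Live inputs would come from (tool flags are an assumption):
#   klist -k -e /var/lib/samba/private/secrets.keytab            (MIT klist)
#   ldbsearch -H ldap://DC1 '(sAMAccountName=DC3$)' msDS-KeyVersionNumber
# Here both are constructed sample outputs so the script runs offline.
KEYTAB_LISTING='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ------------------------------------------------------------
   7 DC3$@MY.DOMAIN (aes256-cts-hmac-sha1-96)
   7 DC3$@MY.DOMAIN (aes128-cts-hmac-sha1-96)
   7 DC3$@MY.DOMAIN (arcfour-hmac)'
# Constructed: a peer DC that has not yet replicated the new password.
PEER_LDB_OUTPUT='dn: CN=DC3,OU=Domain Controllers,DC=my,DC=domain
msDS-KeyVersionNumber: 6'
# Constructed: the local sam.ldb after the password change.
LOCAL_LDB_OUTPUT='dn: CN=DC3,OU=Domain Controllers,DC=my,DC=domain
msDS-KeyVersionNumber: 7'

# Distinct KVNOs the keytab holds for a principal. $1 = klist text, $2 = principal.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' | sort -un
}

# msDS-KeyVersionNumber from the ldbsearch text in $1.
directory_kvno() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2; exit }'
}

# 0 if the KVNO in ldbsearch text $2 exists in klist text $1 for principal $3, else 1.
kvno_in_keytab() {
    want=$(directory_kvno "$2")
    for have in $(keytab_kvnos "$1" "$3"); do
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# $1 = label, $2 = ldbsearch text: will tickets that DC issues for DC3$ decrypt here?
report() {
    if kvno_in_keytab "$KEYTAB_LISTING" "$2" 'DC3$@MY.DOMAIN'; then
        echo "$1: kvno $(directory_kvno "$2") is in secrets.keytab; its tickets will decrypt"
    else
        echo "$1: kvno $(directory_kvno "$2") is NOT in secrets.keytab; expect 'Failed to find ... in keytab'"
    fi
}
report peer  "$PEER_LDB_OUTPUT"
report local "$LOCAL_LDB_OUTPUT"
```

Run the ldbsearch against every DC in turn: the DC whose reported KVNO is missing from the keytab is the one still holding the old password, which is exactly the case where forcing replication with `--local -k no` (NTLMSSP instead of Kerberos) gets the new secret across.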