[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE
Christian Naumer
christian.naumer at greyfish.net
Wed Jun 5 12:55:28 UTC 2024
OK. You can see the file in /etc was updated; the other one was not. So
you can try to replace the
/opt/reddc/private/secrets.keytab
with the
/etc/krb5.keytab
But be aware that Samba also stores some "secrets" in other ldb files in
the private dir. I am not that much of an expert to say that this will
work. But now your AD is broken anyway.
Regards
Christian
On 05.06.24 at 14:50, Omnis ludis - game wrote:
> klist -ke /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 host/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 1 host/DC1 at test.dom (aes256-cts-hmac-sha1-96)
> 1 host/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 1 host/DC1 at test.dom (aes128-cts-hmac-sha1-96)
> 1 host/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 1 host/DC1 at test.dom (DEPRECATED:arcfour-hmac)
> 1 ldap/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 1 ldap/DC1 at test.dom (aes256-cts-hmac-sha1-96)
> 1 ldap/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 1 ldap/DC1 at test.dom (aes128-cts-hmac-sha1-96)
> 1 ldap/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 1 ldap/DC1 at test.dom (DEPRECATED:arcfour-hmac)
> 1 gc/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 1 gc/DC1 at test.dom (aes256-cts-hmac-sha1-96)
> 1 gc/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 1 gc/DC1 at test.dom (aes128-cts-hmac-sha1-96)
> 1 gc/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 1 gc/DC1 at test.dom (DEPRECATED:arcfour-hmac)
> 1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom
> (aes256-cts-hmac-sha1-96)
> 1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom
> (aes256-cts-hmac-sha1-96)
> 1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom
> (aes128-cts-hmac-sha1-96)
> 1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom
> (aes128-cts-hmac-sha1-96)
> 1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom
> (DEPRECATED:arcfour-hmac)
> 1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom
> (DEPRECATED:arcfour-hmac)
> 1 restrictedkrbhost/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 1 restrictedkrbhost/DC1 at test.dom (aes256-cts-hmac-sha1-96)
> 1 restrictedkrbhost/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 1 restrictedkrbhost/DC1 at test.dom (aes128-cts-hmac-sha1-96)
> 1 restrictedkrbhost/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 1 restrictedkrbhost/DC1 at test.dom (DEPRECATED:arcfour-hmac)
> 1 DC1$@test.dom (aes256-cts-hmac-sha1-96)
> 1 DC1$@test.dom (aes128-cts-hmac-sha1-96)
> 1 DC1$@test.dom (DEPRECATED:arcfour-hmac)
> 2 DC1$@test.dom (DEPRECATED:arcfour-hmac)
> 2 DC1$@test.dom (aes128-cts-hmac-sha1-96)
> 2 DC1$@test.dom (aes256-cts-hmac-sha1-96)
> 2 host/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2 host/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2 host/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2 host/DC1 at test.dom (DEPRECATED:arcfour-hmac)
> 2 host/DC1 at test.dom (aes128-cts-hmac-sha1-96)
> 2 host/DC1 at test.dom (aes256-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2 ldap/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2 ldap/DC1 at test.dom (DEPRECATED:arcfour-hmac)
> 2 ldap/DC1 at test.dom (aes128-cts-hmac-sha1-96)
> 2 ldap/DC1 at test.dom (aes256-cts-hmac-sha1-96)
> 2 gc/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2 gc/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2 gc/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2 gc/DC1 at test.dom (DEPRECATED:arcfour-hmac)
> 2 gc/DC1 at test.dom (aes128-cts-hmac-sha1-96)
> 2 gc/DC1 at test.dom (aes256-cts-hmac-sha1-96)
> 2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom
> (DEPRECATED:arcfour-hmac)
> 2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom
> (aes128-cts-hmac-sha1-96)
> 2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom
> (aes256-cts-hmac-sha1-96)
> 2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom
> (DEPRECATED:arcfour-hmac)
> 2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom
> (aes128-cts-hmac-sha1-96)
> 2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom
> (aes256-cts-hmac-sha1-96)
> 2 restrictedkrbhost/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2 restrictedkrbhost/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2 restrictedkrbhost/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2 restrictedkrbhost/DC1 at test.dom (DEPRECATED:arcfour-hmac)
> 2 restrictedkrbhost/DC1 at test.dom (aes128-cts-hmac-sha1-96)
> 2 restrictedkrbhost/DC1 at test.dom (aes256-cts-hmac-sha1-96)
> 2 HOST/dc1.test.dom/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2 HOST/dc1.test.dom/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2 HOST/dc1.test.dom/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2 HOST/dc1.test.dom/RED-SOFT at test.dom (DEPRECATED:arcfour-hmac)
> 2 HOST/dc1.test.dom/RED-SOFT at test.dom (aes128-cts-hmac-sha1-96)
> 2 HOST/dc1.test.dom/RED-SOFT at test.dom (aes256-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom/RED-SOFT at test.dom (DEPRECATED:arcfour-hmac)
> 2 ldap/dc1.test.dom/RED-SOFT at test.dom (aes128-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom/RED-SOFT at test.dom (aes256-cts-hmac-sha1-96)
> 2 GC/dc1.test.dom/test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2 GC/dc1.test.dom/test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2 GC/dc1.test.dom/test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2 HOST/dc1.test.dom/test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2 HOST/dc1.test.dom/test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2 HOST/dc1.test.dom/test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom/test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2 ldap/dc1.test.dom/test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom/test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/7b51045d-a81d-457b-a74a-19ef609cb1fe/test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 2
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/7b51045d-a81d-457b-a74a-19ef609cb1fe/test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 2
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/7b51045d-a81d-457b-a74a-19ef609cb1fe/test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 2 ldap/7b51045d-a81d-457b-a74a-19ef609cb1fe._msdcs.test.dom at test.dom
> (DEPRECATED:arcfour-hmac)
> 2 ldap/7b51045d-a81d-457b-a74a-19ef609cb1fe._msdcs.test.dom at test.dom
> (aes128-cts-hmac-sha1-96)
> 2 ldap/7b51045d-a81d-457b-a74a-19ef609cb1fe._msdcs.test.dom at test.dom
> (aes256-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom/DomainDnsZones.test.dom at test.dom
> (DEPRECATED:arcfour-hmac)
> 2 ldap/dc1.test.dom/DomainDnsZones.test.dom at test.dom
> (aes128-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom/DomainDnsZones.test.dom at test.dom
> (aes256-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom/ForestDnsZones.test.dom at test.dom
> (DEPRECATED:arcfour-hmac)
> 2 ldap/dc1.test.dom/ForestDnsZones.test.dom at test.dom
> (aes128-cts-hmac-sha1-96)
> 2 ldap/dc1.test.dom/ForestDnsZones.test.dom at test.dom
> (aes256-cts-hmac-sha1-96)
>
> klist -ke /opt/reddc/private/secrets.keytab
> Keytab name: FILE:/opt/reddc/private/secrets.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 HOST/dc1 at test.dom (aes256-cts-hmac-sha1-96)
> 1 HOST/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
> 1 DC1$@test.dom (aes256-cts-hmac-sha1-96)
> 1 HOST/dc1 at test.dom (aes128-cts-hmac-sha1-96)
> 1 HOST/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
> 1 DC1$@test.dom (aes128-cts-hmac-sha1-96)
> 1 HOST/dc1 at test.dom (DEPRECATED:arcfour-hmac)
> 1 HOST/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
> 1 DC1$@test.dom (DEPRECATED:arcfour-hmac)
>
> It looks like it's been successful but mb problems kvno or something
>
> Wed, 5 Jun 2024 at 15:41, Christian Naumer via samba
> <samba at lists.samba.org>:
>
> On 05.06.24 at 14:33, Omnis ludis - games via samba wrote:
> > this is the only controller in the domain, it is on its own, yes,
> I use
> > krb5.keytab to log domain administrator accounts on the machine,
> it seems
> > to me there must be some way to defeat this and restore the
> controller's
> > functionality
>
> what does
>
> klist -ke
>
>
> show?
>
> and is there "secrets.keytab" in the PRIVATE_DIR eg
> "/usr/local/samba/private/" ?
>
> And if yes, what does
>
> klist -ke secrets.keytab
>
>
> show?
>
> Regards
>
>
> Christian
>
>
>
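
The comparison made in this message (one keytab carries KVNO 2 keys, the other only KVNO 1) can be automated by parsing `klist -ke` output. The following is an added example, not part of the original thread or of Samba; the sample listings are constructed, the realm spelling is assumed, and principals are compared case-insensitively as an assumption that matches how AD treats SPNs.

```python
import re
from collections import defaultdict

# One data row of `klist -ke`: "<kvno> <principal> (<enctype>)".
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_klist(text):
    """Return {principal: {enctype: highest kvno}} from `klist -ke` output."""
    keys = defaultdict(dict)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, enctype = int(m.group(1)), m.group(3)
        principal = m.group(2).casefold()  # assumption: case-insensitive match
        keys[principal][enctype] = max(kvno, keys[principal].get(enctype, 0))
    return dict(keys)

def stale_entries(reference, candidate):
    """Keys in `reference` that `candidate` lacks or holds at a lower KVNO."""
    findings = []
    for principal, enctypes in sorted(reference.items()):
        for enctype, kvno in sorted(enctypes.items()):
            have = candidate.get(principal, {}).get(enctype)
            if have is None or have < kvno:
                findings.append((principal, enctype, kvno, have))
    return findings

# Constructed sample listings, shaped like the two outputs quoted above.
SYSTEM_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------
   1 DC1$@TEST.DOM (aes256-cts-hmac-sha1-96)
   2 DC1$@TEST.DOM (aes256-cts-hmac-sha1-96)
   2 DC1$@TEST.DOM (DEPRECATED:arcfour-hmac)
   2 host/dc1.test.dom@TEST.DOM (aes256-cts-hmac-sha1-96)
"""
SECRETS_KEYTAB = """\
Keytab name: FILE:/opt/reddc/private/secrets.keytab
KVNO Principal
---- ------------------------------------------------------
   1 HOST/dc1.test.dom@TEST.DOM (aes256-cts-hmac-sha1-96)
   1 DC1$@TEST.DOM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    ref, cand = parse_klist(SYSTEM_KEYTAB), parse_klist(SECRETS_KEYTAB)
    for principal, enctype, want, have in stale_entries(ref, cand):
        print(f"{principal} {enctype}: reference kvno {want}, candidate {have}")
```

On a live host, feed the functions the captured output of `klist -ke` for each file instead of the constructed strings.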