[Samba] Failed to bind to uuid NT_STATUS_LOGON_FAILURE

Christian Naumer christian.naumer at greyfish.net
Wed Jun 5 12:55:28 UTC 2024


OK. You can see the file in /etc was updated; the other one was not. So 
you can try to replace the

/opt/reddc/private/secrets.keytab

with the

/etc/krb5.keytab


But be aware that Samba also stores some "secrets" in other ldb files in 
the private dir. I am not that much of an expert to say that this will 
work. But now your AD is broken anyway.


Regards


Christian

On 05.06.24 at 14:50, Omnis ludis - games wrote:
> klist -ke /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- 
> --------------------------------------------------------------------------
>     1 host/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     1 host/DC1 at test.dom (aes256-cts-hmac-sha1-96)
>     1 host/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     1 host/DC1 at test.dom (aes128-cts-hmac-sha1-96)
>     1 host/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     1 host/DC1 at test.dom (DEPRECATED:arcfour-hmac)
>     1 ldap/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     1 ldap/DC1 at test.dom (aes256-cts-hmac-sha1-96)
>     1 ldap/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     1 ldap/DC1 at test.dom (aes128-cts-hmac-sha1-96)
>     1 ldap/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     1 ldap/DC1 at test.dom (DEPRECATED:arcfour-hmac)
>     1 gc/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     1 gc/DC1 at test.dom (aes256-cts-hmac-sha1-96)
>     1 gc/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     1 gc/DC1 at test.dom (aes128-cts-hmac-sha1-96)
>     1 gc/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     1 gc/DC1 at test.dom (DEPRECATED:arcfour-hmac)
>     1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom 
> (aes256-cts-hmac-sha1-96)
>     1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom 
> (aes256-cts-hmac-sha1-96)
>     1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom 
> (aes128-cts-hmac-sha1-96)
>     1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom 
> (aes128-cts-hmac-sha1-96)
>     1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom 
> (DEPRECATED:arcfour-hmac)
>     1 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom 
> (DEPRECATED:arcfour-hmac)
>     1 restrictedkrbhost/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     1 restrictedkrbhost/DC1 at test.dom (aes256-cts-hmac-sha1-96)
>     1 restrictedkrbhost/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     1 restrictedkrbhost/DC1 at test.dom (aes128-cts-hmac-sha1-96)
>     1 restrictedkrbhost/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     1 restrictedkrbhost/DC1 at test.dom (DEPRECATED:arcfour-hmac)
>     1 DC1$@test.dom (aes256-cts-hmac-sha1-96)
>     1 DC1$@test.dom (aes128-cts-hmac-sha1-96)
>     1 DC1$@test.dom (DEPRECATED:arcfour-hmac)
>     2 DC1$@test.dom (DEPRECATED:arcfour-hmac)
>     2 DC1$@test.dom (aes128-cts-hmac-sha1-96)
>     2 DC1$@test.dom (aes256-cts-hmac-sha1-96)
>     2 host/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 host/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 host/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 host/DC1 at test.dom (DEPRECATED:arcfour-hmac)
>     2 host/DC1 at test.dom (aes128-cts-hmac-sha1-96)
>     2 host/DC1 at test.dom (aes256-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 ldap/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 ldap/DC1 at test.dom (DEPRECATED:arcfour-hmac)
>     2 ldap/DC1 at test.dom (aes128-cts-hmac-sha1-96)
>     2 ldap/DC1 at test.dom (aes256-cts-hmac-sha1-96)
>     2 gc/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 gc/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 gc/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 gc/DC1 at test.dom (DEPRECATED:arcfour-hmac)
>     2 gc/DC1 at test.dom (aes128-cts-hmac-sha1-96)
>     2 gc/DC1 at test.dom (aes256-cts-hmac-sha1-96)
>     2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom 
> (DEPRECATED:arcfour-hmac)
>     2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom 
> (aes128-cts-hmac-sha1-96)
>     2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc1.test.dom at test.dom 
> (aes256-cts-hmac-sha1-96)
>     2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom 
> (DEPRECATED:arcfour-hmac)
>     2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom 
> (aes128-cts-hmac-sha1-96)
>     2 e3514235-4b06-11d1-ab04-00c04fc2dcd2/DC1 at test.dom 
> (aes256-cts-hmac-sha1-96)
>     2 restrictedkrbhost/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 restrictedkrbhost/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 restrictedkrbhost/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 restrictedkrbhost/DC1 at test.dom (DEPRECATED:arcfour-hmac)
>     2 restrictedkrbhost/DC1 at test.dom (aes128-cts-hmac-sha1-96)
>     2 restrictedkrbhost/DC1 at test.dom (aes256-cts-hmac-sha1-96)
>     2 HOST/dc1.test.dom/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 HOST/dc1.test.dom/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 HOST/dc1.test.dom/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 HOST/dc1.test.dom/RED-SOFT at test.dom (DEPRECATED:arcfour-hmac)
>     2 HOST/dc1.test.dom/RED-SOFT at test.dom (aes128-cts-hmac-sha1-96)
>     2 HOST/dc1.test.dom/RED-SOFT at test.dom (aes256-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom/RED-SOFT at test.dom (DEPRECATED:arcfour-hmac)
>     2 ldap/dc1.test.dom/RED-SOFT at test.dom (aes128-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom/RED-SOFT at test.dom (aes256-cts-hmac-sha1-96)
>     2 GC/dc1.test.dom/test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 GC/dc1.test.dom/test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 GC/dc1.test.dom/test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 HOST/dc1.test.dom/test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 HOST/dc1.test.dom/test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 HOST/dc1.test.dom/test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom/test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 ldap/dc1.test.dom/test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom/test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/7b51045d-a81d-457b-a74a-19ef609cb1fe/test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     2 
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/7b51045d-a81d-457b-a74a-19ef609cb1fe/test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     2 
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/7b51045d-a81d-457b-a74a-19ef609cb1fe/test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     2 ldap/7b51045d-a81d-457b-a74a-19ef609cb1fe._msdcs.test.dom at test.dom 
> (DEPRECATED:arcfour-hmac)
>     2 ldap/7b51045d-a81d-457b-a74a-19ef609cb1fe._msdcs.test.dom at test.dom 
> (aes128-cts-hmac-sha1-96)
>     2 ldap/7b51045d-a81d-457b-a74a-19ef609cb1fe._msdcs.test.dom at test.dom 
> (aes256-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom/DomainDnsZones.test.dom at test.dom 
> (DEPRECATED:arcfour-hmac)
>     2 ldap/dc1.test.dom/DomainDnsZones.test.dom at test.dom 
> (aes128-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom/DomainDnsZones.test.dom at test.dom 
> (aes256-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom/ForestDnsZones.test.dom at test.dom 
> (DEPRECATED:arcfour-hmac)
>     2 ldap/dc1.test.dom/ForestDnsZones.test.dom at test.dom 
> (aes128-cts-hmac-sha1-96)
>     2 ldap/dc1.test.dom/ForestDnsZones.test.dom at test.dom 
> (aes256-cts-hmac-sha1-96)
> 
> klist -ke /opt/reddc/private/secrets.keytab
> Keytab name: FILE:/opt/reddc/private/secrets.keytab
> KVNO Principal
> ---- 
> --------------------------------------------------------------------------
>     1 HOST/dc1 at test.dom (aes256-cts-hmac-sha1-96)
>     1 HOST/dc1.test.dom at test.dom (aes256-cts-hmac-sha1-96)
>     1 DC1$@test.dom (aes256-cts-hmac-sha1-96)
>     1 HOST/dc1 at test.dom (aes128-cts-hmac-sha1-96)
>     1 HOST/dc1.test.dom at test.dom (aes128-cts-hmac-sha1-96)
>     1 DC1$@test.dom (aes128-cts-hmac-sha1-96)
>     1 HOST/dc1 at test.dom (DEPRECATED:arcfour-hmac)
>     1 HOST/dc1.test.dom at test.dom (DEPRECATED:arcfour-hmac)
>     1 DC1$@test.dom (DEPRECATED:arcfour-hmac)
> 
> It looks like it's been successful, but maybe there are problems with the kvno or something
> 
> On Wed, 5 Jun 2024 at 15:41, Christian Naumer via samba 
> <samba at lists.samba.org> wrote:
> 
>     On 05.06.24 at 14:33, Omnis ludis - games via samba wrote:
>      > this is the only controller in the domain, it is on its own, yes, I use
>      > krb5.keytab to log domain administrator accounts on the machine, it seems
>      > to me there must be some way to defeat this and restore the controller's
>      > functionality
> 
>     what does
> 
>     klist -ke
> 
> 
>     show?
> 
>     and is there "secrets.keytab" in the PRIVATE_DIR eg
>     "/usr/local/samba/private/" ?
> 
>     And if yes, what does
> 
>     klist -ke secrets.keytab
> 
> 
>     show?
> 
>     Regards
> 
> 
>     Christian
> 
> 
> 
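
The comparison made in this thread (one keytab carries KVNO 2 entries, the other stops at KVNO 1) can be automated. The following is an added example, not part of the original messages and not Samba code: it parses `klist -ke` output from two keytabs and reports principals whose newest key version lags behind. The sample listings are constructed and abbreviated from the output quoted above, with `@` written as klist prints it, and matching principal names case-insensitively is an assumption made because the two listings differ in case (`host/` vs `HOST/`).

```python
import re
from collections import defaultdict

# Constructed samples, abbreviated from the two listings quoted in the thread.
ETC_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DC1$@test.dom (aes256-cts-hmac-sha1-96)
   1 DC1$@test.dom (DEPRECATED:arcfour-hmac)
   2 DC1$@test.dom (aes256-cts-hmac-sha1-96)
   2 DC1$@test.dom (DEPRECATED:arcfour-hmac)
   1 host/dc1.test.dom@test.dom (aes256-cts-hmac-sha1-96)
   2 host/dc1.test.dom@test.dom (aes256-cts-hmac-sha1-96)
"""
SECRETS_KEYTAB = """\
Keytab name: FILE:/opt/reddc/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc1.test.dom@test.dom (aes256-cts-hmac-sha1-96)
   1 DC1$@test.dom (aes256-cts-hmac-sha1-96)
   1 DC1$@test.dom (DEPRECATED:arcfour-hmac)
"""

# One entry line: KVNO, principal, then the enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_klist(text):
    """Return {principal (lowercased): {kvno: set(enctypes)}}; headers are skipped."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            entries[principal.lower()][int(kvno)].add(enctype)
    return entries

def stale_principals(reference, candidate):
    """Principals in both listings whose newest KVNO in candidate is behind reference."""
    ref, cand = parse_klist(reference), parse_klist(candidate)
    stale = {}
    for principal in ref.keys() & cand.keys():
        newest_ref, newest_cand = max(ref[principal]), max(cand[principal])
        if newest_cand < newest_ref:
            stale[principal] = (newest_cand, newest_ref)
    return stale

if __name__ == "__main__":
    for name, (have, want) in sorted(stale_principals(ETC_KEYTAB, SECRETS_KEYTAB).items()):
        print(f"{name}: secrets.keytab newest KVNO {have}, krb5.keytab has {want}")
```
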



