[Samba] gMSA cannot be created
Anton Shevtsov
shevtsovay at basealt.ru
Wed Nov 5 12:27:57 UTC 2025
03.11.2025 07:51, Jennifer Sutton via samba wrote:
> Hi Anton,
>
> Root keys created with ‘samba-tool domain kds root-key create’ are not
> valid until the key cycle duration (ten hours) has elapsed. Try
> waiting ten hours or creating a root key with use-start-time ten hours
> in the past.
>
> Cheers,
> Jennifer (she/her)
Thanks Jennifer!
All works fine! Is the ten-hour period you specified a constant? Can it
be changed?
>
> On 29/10/25 9:22 pm, Anton Shevtsov via samba wrote:
>> Hi
>>
>> i use samba-4.21.7 as DC
>>
>> [root at dc ~]# samba-tool domain kds root-key list
>> no root keys found.
>>
>> [root at dc ~]# samba-tool domain kds root-key create
>> created root key 151a8fb1-a962-8487-a6b7-4f2a88fc949b, usable from
>> 2025-10-29T07:30:16.406020+00:00 (about now)
>>
>> [root at dc ~]# samba-tool domain kds root-key view --name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>> created 2025-10-29T07:30:16.406020+00:00 (about 64 seconds
>> ago)
>> usable from 2025-10-29T07:30:16.406020+00:00 (about 64 seconds
>> ago)
>> dn CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root
>> Keys,CN=Group Key Distribution
>> Service,CN=Services,CN=Configuration,DC=test,DC=alt
>> cn 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>> whenCreated 20251029073016.0Z
>> whenChanged 20251029073016.0Z
>> objectGUID 6b34e82e-2369-47e3-a752-c4c8bda9fc73
>> msKds-KDFAlgorithmID SP800_108_CTR_HMAC
>> msKds-KDFParam
>> 00000000010000000e000000000000005300480041003500310032000000
>> msKds-SecretAgreementAlgorithmID DH
>> msKds-PublicKeyLength 2048
>> msKds-PrivateKeyLength 256
>> msKds-Version 1
>> msKds-DomainID CN=DC,OU=Domain Controllers,DC=test,DC=alt
>>
>> [root at dc ~]# samba-tool domain kds root-key list
>> 1 root key found.
>>
>> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>> created 2025-10-29T07:30:16.406020+00:00 (about 5 minutes
>> ago)
>> usable from 2025-10-29T07:30:16.406020+00:00 (about 5 minutes
>> ago)
>> dn CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root
>> Keys,CN=Group Key Distribution
>> Service,CN=Services,CN=Configuration,DC=test,DC=alt
>>
>>
>> If I try to create a gMSA record I get an error
>>
>> [root at dc ~]# samba-tool service-account create --name=gMSAkey1 --dns-host-name=gMSAkey1.test.alt -UAdministrator
>>
>> ERROR(ldb): uncaught exception - 8009000D: failed to find a suitable root key at ../../source4/dsdb/gmsa/gkdi.c:738:gkdi_most_recently_created_root_key
>>   File "/usr/lib64/samba-dc/python3.12/samba/netcmd/__init__.py", line 353, in _run
>>     return self.run(*args, **kwargs)
>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>   File "/usr/lib64/samba-dc/python3.12/samba/netcmd/service_account/service_account.py", line 133, in run
>>     gmsa.save(ldb)
>>   File "/usr/lib64/samba-dc/python3.12/samba/domain/models/model.py", line 362, in save
>>     samdb.add(message)
>>
>>
>>
>> I see 'usable from', my key is valid
>>
>> [root at dc ~]# samba-tool domain kds root-key list
>> 1 root key found.
>> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>> created 2025-10-29T07:30:16.406020+00:00 (about 33 minutes
>> ago)
>> usable from 2025-10-29T07:30:16.406020+00:00 (about 33 minutes
>> ago)
>> dn CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root
>> Keys,CN=Group Key Distribution
>> Service,CN=Services,CN=Configuration,DC=test,DC=alt
>> [root at dc ~]# date -u +"%Y-%m-%dT%H:%M:%S.%6N%:z"
>> 2025-10-29T08:03:59.257474+00:00
>>
>> What am I doing wrong?
>>
>
>
--
Anton
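As an added example, not part of this thread and not Samba's own code: a small Python script that parses the root-key listing format shown above, applies the ten-hour rule from Jennifer's reply (a root key is not usable until the key cycle duration has elapsed since its use-start time), and builds the workaround command she describes, a root-key create with use-start-time already in the past. It assumes the ten hours is a fixed constant (Anton's open question), that a key exactly ten hours old already counts, that --use-start-time accepts the same ISO 8601 form root-key list prints, and the listing embedded in it is a constructed copy of the one in the thread with the mail wrapping undone.

```python
"""Check Samba KDS root keys against the ten-hour key cycle delay.

Added example for this thread; it is not code from the thread, from
Jennifer, or from the Samba project. Assumptions are marked below.
"""
import re
from datetime import datetime, timedelta

# Assumption: fixed ten-hour key cycle duration, as stated in the reply.
KEY_CYCLE_DURATION = timedelta(hours=10)

# Constructed sample: the listing from the thread, with the mail wrapping
# undone (one field per line, as samba-tool prints it).
SAMPLE_LISTING = """\
1 root key found.

name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
created 2025-10-29T07:30:16.406020+00:00 (about 33 minutes ago)
usable from 2025-10-29T07:30:16.406020+00:00 (about 33 minutes ago)
dn CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=test,DC=alt
"""

# One "<field> <value> [(about ... ago)]" line of the listing.
FIELD = re.compile(
    r"^(?P<field>name|created|usable from|dn)\s+(?P<value>.+?)"
    r"(?:\s+\(about .*?\))?$"
)


def parse_time(text):
    """Parse the timezone-aware ISO 8601 form samba-tool prints."""
    return datetime.fromisoformat(text)


def parse_root_keys(listing):
    """Return one dict per root key: name, created, usable_from, dn."""
    keys, current = [], None
    for raw in listing.splitlines():
        match = FIELD.match(raw.strip())
        if not match:
            continue  # "1 root key found.", "no root keys found.", blanks
        field, value = match.group("field"), match.group("value")
        if field == "name":
            current = {"name": value}
            keys.append(current)
        elif current is None:
            continue  # a field before any "name" line: ignore it
        elif field in ("created", "usable from"):
            current[field.replace(" ", "_")] = parse_time(value)
        else:
            current[field] = value
    return keys


def usable_keys(keys, now):
    """Keys whose use-start time is at least KEY_CYCLE_DURATION old.
    Assumption: a key exactly ten hours old already counts as usable."""
    cutoff = now - KEY_CYCLE_DURATION
    return [k for k in keys if k["usable_from"] <= cutoff]


def create_command(now, margin=timedelta(minutes=5)):
    """The workaround from the reply: create a root key whose use-start
    time is already more than a key cycle in the past, so it is usable
    at once. The margin absorbs clock skew between DCs. Assumption:
    --use-start-time accepts the ISO 8601 form root-key list prints."""
    start = now - KEY_CYCLE_DURATION - margin
    return ("samba-tool domain kds root-key create "
            f"--use-start-time={start.isoformat()}")


def diagnose(listing, now):
    """Explain why gMSA creation would fail for this listing at `now`."""
    keys = parse_root_keys(listing)
    usable = usable_keys(keys, now)
    if usable:
        return {"status": "ok", "usable": [k["name"] for k in usable],
                "ready_at": None, "command": None}
    if keys:
        ready_at = min(k["usable_from"] for k in keys) + KEY_CYCLE_DURATION
        return {"status": "too-new", "usable": [],
                "ready_at": ready_at.isoformat(),
                "command": create_command(now)}
    return {"status": "none", "usable": [], "ready_at": None,
            "command": create_command(now)}


if __name__ == "__main__":
    # The moment Anton ran `date -u` in the thread.
    report = diagnose(SAMPLE_LISTING,
                      parse_time("2025-10-29T08:03:59.257474+00:00"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against the thread's own timestamps the report comes back "too-new": the key becomes usable at 2025-10-29T17:30:16.406020+00:00, and the suggested create command carries a use-start-time ten hours and five minutes earlier than the `date -u` value. To use it on a live DC, replace SAMPLE_LISTING with the captured output of `samba-tool domain kds root-key list` and pass the DC's current UTC time as `now`.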