[Samba] gMSA cant not create
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Thu Nov 6 01:17:46 UTC 2025
On 06/11/2025 01:27, Anton Shevtsov via samba wrote:
>
> 03.11.2025 07:51, Jennifer Sutton via samba wrote:
>> Hi Anton,
>>
>> Root keys created with ‘samba-tool domain kds root-key create’ are not
>> valid until the key cycle duration (ten hours) has elapsed. Try
>> waiting ten hours or creating a root key with use-start-time ten hours
>> in the past.
>>
>> Cheers,
>> Jennifer (she/her)
>
> Thanks Jennifer!
>
> All works fine! Is the ten-hour period you specified a constant? Can it
> be changed?
It is effectively a constant. I don't think there is any very good reason
for 10 hours, but Microsoft wanted to allow time for the information to
replicate around the AD network. The thing to do is what you did:
--use-start-time="$(date -d @$(( $(date +%s) - 36000 )))"
... unless you then get problems because it hasn't replicated.
I think samba-tool could provide better messages here -- perhaps
printing an "actually usable from" time.
Douglas