[Samba] gMSA cant not create

Anton Shevtsov shevtsovay at basealt.ru
Wed Oct 29 08:22:48 UTC 2025 

Hi

i use samba-4.21.7 as DC

[root at dc ~]# samba-tool domain kds root-key list
no root keys found.

[root at dc ~]# samba-tool domain kds root-key create
created root key 151a8fb1-a962-8487-a6b7-4f2a88fc949b, usable from 
2025-10-29T07:30:16.406020+00:00 (about now)

[root at dc ~]# samba-tool domain kds root-key view --name 
151a8fb1-a962-8487-a6b7-4f2a88fc949b
name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
    created        2025-10-29T07:30:16.406020+00:00 (about 64 seconds ago)
    usable from    2025-10-29T07:30:16.406020+00:00 (about 64 seconds ago)
    dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root 
Keys,CN=Group Key Distribution 
Service,CN=Services,CN=Configuration,DC=test,DC=alt
    cn             151a8fb1-a962-8487-a6b7-4f2a88fc949b
    whenCreated    20251029073016.0Z
    whenChanged    20251029073016.0Z
    objectGUID     6b34e82e-2369-47e3-a752-c4c8bda9fc73
    msKds-KDFAlgorithmID SP800_108_CTR_HMAC
    msKds-KDFParam 
00000000010000000e000000000000005300480041003500310032000000
    msKds-SecretAgreementAlgorithmID DH
    msKds-PublicKeyLength 2048
    msKds-PrivateKeyLength 256
    msKds-Version  1
    msKds-DomainID CN=DC,OU=Domain Controllers,DC=test,DC=alt

[root at dc ~]# samba-tool domain kds root-key list
1 root key found.

name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
    created        2025-10-29T07:30:16.406020+00:00 (about 5 minutes ago)
    usable from    2025-10-29T07:30:16.406020+00:00 (about 5 minutes ago)
    dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root 
Keys,CN=Group Key Distribution 
Service,CN=Services,CN=Configuration,DC=test,DC=alt


If I try to create a gMSA record I get an error

[root at dc ~]# samba-tool service-account create --name=gMSAkey1 
--dns-host-name=gMSAkey1.test.alt -UAdministrator

ERROR(ldb): uncaught exception - 8009000D: failed to find a suitable 
root key at 
../../source4/dsdb/gmsa/gkdi.c:738:gkdi_most_recently_created_root_key
  File "/usr/lib64/samba-dc/python3.12/samba/netcmd/__init__.py", line 
353, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/usr/lib64/samba-dc/python3.12/samba/netcmd/service_account/service_account.py", 
line 133, in run
    gmsa.save(ldb)
  File "/usr/lib64/samba-dc/python3.12/samba/domain/models/model.py", 
line 362, in save
    samdb.add(message)



I see 'usable from', my key is valid

[root at dc ~]# samba-tool domain kds root-key list
1 root key found.
name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
    created        2025-10-29T07:30:16.406020+00:00 (about 33 minutes ago)
    usable from    2025-10-29T07:30:16.406020+00:00 (about 33 minutes ago)
    dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root 
Keys,CN=Group Key Distribution 
Service,CN=Services,CN=Configuration,DC=test,DC=alt
[root at dc ~]# date -u +"%Y-%m-%dT%H:%M:%S.%6N%:z"
2025-10-29T08:03:59.257474+00:00

What i can do wrong?

-- 
*Anton*

More information about the samba mailing list