GSS Update(krb5)(1) Update failed

Andrew Bartlett abartlet at samba.org
Thu May 6 23:10:26 MDT 2010


On Tue, 2010-05-04 at 13:41 +0200, Marcel Ritter wrote:
> On 05/04/2010 12:23 PM, Andrew Bartlett wrote:
> > On Tue, 2010-05-04 at 11:16 +0200, Marcel Ritter wrote:
> >   
> >> On 05/04/2010 06:58 AM, Rohit Rajan wrote:
> >>     
> >>> Dear all,
> >>>       
> Hi Andrew,
> >> Hi,
> >>
> >> I'm seeing the same problems here:
> >>
> >> GSS Update(krb5)(1) Update failed:  Miscellaneous failure (see text):
> >> Failed to find S4-DC1$@LINEX.ORG(kvno 17) in keytab
> >> FILE:/var/lib/samba4/private/secrets.keytab (arcfour-hmac-md5)
> >> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> >> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> >>
> >> I guess the problem is not the missing entry, but the wrong
> >> KVNO (key version number):
> >>
> >> s4-dc1 # klist -ke FILE:/var/lib/samba4/private/secrets.keytab
> >> Keytab name: FILE:/var/lib/samba4/private/secrets.keytab
> >> KVNO Principal
> >> ----
> >> --------------------------------------------------------------------------
> >>   18 S4-DC1$@LINEX.ORG (DES cbc mode with RSA-MD5)
> >>   18 S4-DC1$@LINEX.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>   18 S4-DC1$@LINEX.ORG (Triple DES cbc mode with HMAC/sha1)
> >>   18 S4-DC1$@LINEX.ORG (ArcFour with HMAC/md5)
> >>
> >> However I have no idea where the request with a lower KVNO comes from :-(
> >>     
> > Can you both describe your setups a bit more?
> >   
> I'm running a recent git checkout (about 2 day old), waf build,
> installed (using waf install).
> 
> Setup was a standard provision - nothing special.
> The samba4 version has been updated several times and the
> data was migrated using upgradeprovision.

> Any idea where else we could look for the older KVNO?
> I've done a quick ldbsearch on all .ldb files - without any luck.

OK, so the key thing here is upgradeprovision.  The issue could simply
be that an existing client has a ticket to the server with the old
password (they could have it for 10 hours or so, perhaps longer), and
that for some reason we have not maintained the old password in the
keytab.

I'm currently looking into other issues around the kvno - we need to
rework this to use the correct algorithm (based on replPropertyMetaData,
not a simple increasing counter). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100507/3a3bab4e/attachment.pgp>
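An added example, not part of the thread and not Samba's or MIT Kerberos' own code: a small check that reads a `klist -ke` listing and the "Failed to find ... (kvno N)" line and says which of the situations discussed above applies, in particular whether the requested kvno is older than anything the keytab still holds (the "old password not maintained in the keytab" case). It assumes the MIT-style `klist -ke` column layout and the error wording quoted in the thread; the sample listing and error line are copied from the quoted text as constructed input, and the cause labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed `klist -ke` output, copied from the listing quoted in the thread
# above; it is sample input for this example, not a live capture.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/samba4/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 S4-DC1$@LINEX.ORG (DES cbc mode with RSA-MD5)
  18 S4-DC1$@LINEX.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
  18 S4-DC1$@LINEX.ORG (Triple DES cbc mode with HMAC/sha1)
  18 S4-DC1$@LINEX.ORG (ArcFour with HMAC/md5)
"""

# Constructed copy of the GSSAPI error line from the thread.
SAMPLE_ERROR = ("Failed to find S4-DC1$@LINEX.ORG(kvno 17) in keytab "
                "FILE:/var/lib/samba4/private/secrets.keytab (arcfour-hmac-md5)")

# One keytab entry as printed by MIT `klist -ke`: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# The lookup failure as quoted in the thread (assumed wording).
ERROR_RE = re.compile(
    r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")


def parse_klist(text):
    """Map principal -> kvno -> set of enctype descriptions from `klist -ke` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, princ, enctype = int(m.group(1)), m.group(2), m.group(3)
            keys[princ][kvno].add(enctype)
    return keys


def parse_error(msg):
    """Pull principal, requested kvno, keytab path and enctype out of the failure line."""
    m = ERROR_RE.search(msg)
    if not m:
        raise ValueError("not a keytab kvno lookup failure: %r" % msg)
    return {"principal": m.group(1), "kvno": int(m.group(2)),
            "keytab": m.group(3), "enctype": m.group(4)}


def diagnose(klist_text, error_msg):
    """Classify why the requested kvno was not found, using only the keytab listing.

    Returns a dict with a 'cause' tag (labels are this example's own), the
    requested kvno and the kvnos present for that principal.
    """
    keys = parse_klist(klist_text)
    err = parse_error(error_msg)
    present = sorted(keys.get(err["principal"], {}))
    result = {"principal": err["principal"], "requested": err["kvno"],
              "present": present}
    if not present:
        # No key for this principal at all: the keytab was never populated for it.
        result["cause"] = "principal-missing"
    elif err["kvno"] in present:
        # The kvno is there, so this is not a version problem; compare the
        # ticket's enctype against the enctypes listed for that kvno next.
        result["cause"] = "kvno-present"
    elif err["kvno"] < min(present):
        # The client holds a ticket issued under a previous key and the keytab
        # was rewritten without keeping that version, so the ticket cannot be
        # decrypted until it expires or the old key is put back.
        result["cause"] = "old-kvno-not-retained"
    else:
        # The ticket is newer than anything in the keytab: the account key was
        # changed but this keytab has not been regenerated since.
        result["cause"] = "keytab-stale"
    return result


if __name__ == "__main__":
    r = diagnose(SAMPLE_KLIST, SAMPLE_ERROR)
    print("%s: requested kvno %d, keytab has %s -> %s"
          % (r["principal"], r["requested"], r["present"], r["cause"]))
```

On the listing from the thread this reports kvno 17 requested, only kvno 18 present, hence "old-kvno-not-retained": the keytab holds just the current key, so any ticket a client obtained before the key changed cannot be decrypted by this server. Feeding it the real output of `klist -ke FILE:/var/lib/samba4/private/secrets.keytab` plus the log line is enough to tell that case apart from a keytab that is simply behind the KDC.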