Achim Gottinger
2017-Jun-20 21:35 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Can you do this against the secrets.keytab in Samba's private/ dir?> You can reset the Samba machine account pw with > ./source4/scripting/devel/chgtdcpass, but: > - it wont be packaged so you will have to build Samba and tell it to > operate against the right paths > - it shouldn't be needed, upgrades shouldn't break this, and > understanding the root cause would be better > >Hello Andrew, May I ask a few questions in regards to chgtdcpass. Can this command be used to add newer enctypes on machines only having des and arcfour types? Is it save to use this command on all ad-dc's in an productive environment? Thanks in advance, achim~
Andrew Bartlett
2017-Jun-20 22:50 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
On Tue, 2017-06-20 at 23:35 +0200, Achim Gottinger via samba wrote:> Can you do this against the secrets.keytab in Samba's private/ dir? > > You can reset the Samba machine account pw with > > ./source4/scripting/devel/chgtdcpass, but: > > - it wont be packaged so you will have to build Samba and tell it > > to > > operate against the right paths > > - it shouldn't be needed, upgrades shouldn't break this, and > > understanding the root cause would be better > > > > > > Hello Andrew, > > May I ask a few questions in regards to chgtdcpass. > Can this command be used to add newer enctypes on machines only > having > des and arcfour types?After bumping the functional level, yes.> Is it save to use this command on all ad-dc's in an productive > environment?I would do it one at a time. Eventually I'll re-enable the code in winbindd that does this. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Achim Gottinger
2017-Jun-21 01:23 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Am 21.06.2017 um 00:50 schrieb Andrew Bartlett:> On Tue, 2017-06-20 at 23:35 +0200, Achim Gottinger via samba wrote: >> Can you do this against the secrets.keytab in Samba's private/ dir? >>> You can reset the Samba machine account pw with >>> ./source4/scripting/devel/chgtdcpass, but: >>> - it wont be packaged so you will have to build Samba and tell it >>> to >>> operate against the right paths >>> - it shouldn't be needed, upgrades shouldn't break this, and >>> understanding the root cause would be better >>> >>> >> Hello Andrew, >> >> May I ask a few questions in regards to chgtdcpass. >> Can this command be used to add newer enctypes on machines only >> having >> des and arcfour types? > After bumping the functional level, yes. > >> Is it save to use this command on all ad-dc's in an productive >> environment? > I would do it one at a time. Eventually I'll re-enable the code in > winbindd that does this. > > Andrew BartlettThank you works fine on an single test machine. Raise forest and domain level to 2008_R2 and recerated the password with chgrdcpass. Raising the functional level did not set the krbtgt password (it does if the level is raised on an windows ad). But there is chgkrbtgtpass which does the trick. Sorry for the offtopic noise to the OP.
Possibly Parallel Threads
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch
- DRS stopped working after upgrade from debian Jessie to Stretch