Prunk Dump
2017-Jun-21 17:51 UTC
[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Thank you very much Louis, Rowland, Mike!

I have made all the changes proposed by Louis but still have the same problem.

-> kinit works now with /var/lib/samba/private/secrets.keytab
------------------------
~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$
~#
------------------------

-> but samba-tool authentication with the machine account fails:
------------------------
~# samba-tool time -P -d 8
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
Mapped to DCERPC endpoint \pipe\srvsvc
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=172.16.0.20 bcast=172.16.255.255 netmask=255.255.0.0
resolve_lmhosts: Attempting lmhosts lookup for name fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 2626560
  SO_RCVBUF = 1061808
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 343
Received smb_krb5 packet of length 298
Failed to get kerberos credentials: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
Wrong username or password: kinit for FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR failed (Preauthentication failed)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, "Connection to SRVSVC pipe of server 'fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr' failed: NT_STATUS_LOGON_FAILURE")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/nettime.py", line 59, in run
    self.outf.write(net.time(server_name)+"\n")
------------------------

-> samba.log gives many errors like this:
------------------------
[2017/06/21 14:20:35.371312, 0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.16.0.21[1024,seal,krb5,target_hostname=04c6b4b0-4584-4368-831e-42aa7ac08c04._msdcs.net.lyc-guillaume-fichet.ac-grenoble.fr,target_principal=GC/fichds01.net.lyc-guillaume-fichet.ac-grenoble.fr/net.lyc-guillaume-fichet.ac-grenoble.fr,abstract_syntax=e3514235--4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.16.0.20] NT_STATUS_LOGON_FAILURE
------------------------

-> my msDS-SupportedEncryptionTypes value is 31? Is this bad?
------------------------
~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=FICHDC)'
# record 1
dn: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: FICHDC
instanceType: 4
whenCreated: 20150630144451.0Z
uSNCreated: 3583
name: FICHDC
objectGUID: bfaf861f-1138-4597-beaa-c83722b86fcf
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
localPolicyFlags: 0
primaryGroupID: 516
objectSid: S-1-5-21-2690787391-1809550003-4172065244-1000
accountExpires: 9223372036854775807
sAMAccountName: FICHDC$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.1.17-Debian
dNSHostName: fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=net,DC=lyc-guillaume
 -fichet,DC=ac-grenoble,DC=fr
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-gui
 llaume-fichet,DC=ac-grenoble,DC=fr
serverReferenceBL: CN=FICHDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN
 =Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
msDS-SupportedEncryptionTypes: 31
pwdLastSet: 131423563752421340
servicePrincipalName: nfs/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICH
 NET
servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/FICH
 NET
servicePrincipalName: GC/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.ly
 c-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: HOST/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.
 lyc-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.
 lyc-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: HOST/FICHDC
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b339b873-f01c-4672-
 8984-61e1e48422ea/net.lyc-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: ldap/b339b873-f01c-4672-8984-61e1e48422ea._msdcs.net.lyc
 -guillaume-fichet.ac-grenoble.fr
servicePrincipalName: ldap/FICHDC
servicePrincipalName: RestrictedKrbHost/FICHDC
servicePrincipalName: RestrictedKrbHost/fichdc.net.lyc-guillaume-fichet.ac-gre
 noble.fr
servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/Doma
 inDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: ldap/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/Fore
 stDnsZones.net.lyc-guillaume-fichet.ac-grenoble.fr
lastLogonTimestamp: 131424581015653910
whenChanged: 20170620184821.0Z
uSNChanged: 12626339
lastLogon: 131425180561432210
logonCount: 70
distinguishedName: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fic
 het,DC=ac-grenoble,DC=fr

# Referral
ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr

# Referral
ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=DomainDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr

# Referral
ref: ldap://net.lyc-guillaume-fichet.ac-grenoble.fr/DC=ForestDnsZones,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr

# returned 4 records
# 1 entries
# 3 referrals
-------------------------------

Even if I increase the debug level, I could not get more info on the Kerberos authentication.

Thanks again!

Baptiste.
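
Added example (not part of the original post, and not Samba's own code): a small Python decoder for the two bit-field attributes in the ldbsearch record above, `msDS-SupportedEncryptionTypes` and `userAccountControl`, including unfolding of the wrapped LDIF lines. The function names are hypothetical, the sample is a trimmed excerpt of the posted record, and treating DES and RC4 as "weak" is this example's own classification.

```python
import re

# Bit meanings per the published AD definitions ([MS-KILE] / [MS-ADTS]).
ENCTYPE_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
                0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
WEAK = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}  # this example's own classification
UAC_BITS = {0x0002: "ACCOUNTDISABLE", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
            0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
            0x80000: "TRUSTED_FOR_DELEGATION", 0x400000: "DONT_REQ_PREAUTH"}

def unfold(ldif):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\n ", "", ldif)

def decode_bits(value, table):
    """Return (names of set bits, leftover bits the table does not name)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return names, value & ~sum(table)

def audit_record(ldif):
    """Parse one ldbsearch record and decode its bit-field attributes."""
    attrs = {}
    for line in unfold(ldif).splitlines():
        key, sep, val = line.partition(": ")
        if sep and not key.startswith("#"):
            attrs.setdefault(key, []).append(val)
    enc, enc_rest = decode_bits(int(attrs["msDS-SupportedEncryptionTypes"][0]), ENCTYPE_BITS)
    uac, uac_rest = decode_bits(int(attrs["userAccountControl"][0]), UAC_BITS)
    return {"account": attrs["sAMAccountName"][0], "enctypes": enc,
            "weak_enctypes": [e for e in enc if e in WEAK], "uac_flags": uac,
            "unnamed_bits": (enc_rest, uac_rest),
            "spns": attrs.get("servicePrincipalName", [])}

# Constructed sample: a trimmed excerpt of the record in the post, folding kept.
SAMPLE = """\
dn: CN=FICHDC,OU=Domain Controllers,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
userAccountControl: 532480
sAMAccountName: FICHDC$
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: GC/fichdc.net.lyc-guillaume-fichet.ac-grenoble.fr/net.ly
 c-guillaume-fichet.ac-grenoble.fr
servicePrincipalName: HOST/FICHDC
"""

if __name__ == "__main__":
    for key, value in audit_record(SAMPLE).items():
        print(f"{key}: {value}")
```

The decoder only reports what the attribute values mean (31 sets all five encryption-type bits; 532480 is `SERVER_TRUST_ACCOUNT` plus `TRUSTED_FOR_DELEGATION`); it does not establish the cause of the `Preauthentication failed` error in the post.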