L.P.H. van Belle
2018-Mar-29 11:14 UTC
[Samba] Failed to find DC in keytab, gpupdate fails
Hi,

I suggest you post this to samba at list.samba.org, that one is more for these questions.

Try this setting in resolv.conf:

search domain.net.pl
nameserver 10.1.10.11   # IP of the DC itself.
#nameserver             # an extra nameserver that has access to the DC DNS info (a second DC maybe).
nameserver 8.8.8.8      # IP of the forwarder in smb.conf, as backup for internet access.
# and max 3 nameservers in resolv.conf.

Stop samba and start it again, and check again.

Greetz,

Louis

> -----Original message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org] On behalf of Krzysztof Paszkowski via samba-technical
> Sent: Thursday, 29 March 2018 12:42
> To: samba-technical at lists.samba.org
> Subject: Failed to find DC in keytab, gpupdate fails
>
> Hi all,
>
> I'm using Samba4 AD DC for a while. I was starting from 4.1, now I have the last version from 4.7.
>
> Everything was great, but suddenly computers were unable to install software via GPO.
>
> I'm looking for help, because I'm fighting almost for a week and I'm unable to find the cause.
>
> I saw such logs on my main DC (and only there):
>
> [2018/03/28 09:11:29.622673, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2018/03/28 09:11:29.695783, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>
> This error repeats every time a computer is turning on and trying to obtain group policy, or when I'm trying to open \\DOMAIN.NET.PL, although I can reach \\dc.domain.net.pl and the shares of all other DCs.
>
> I was googling, but I couldn't find a resolution to my problem. The closest one had unnecessary lines in smb.conf (with idmap and acl_xattr).
>
> [root at dc samba-4.7.6]# klist -ke FILE:/usr/local/samba/private/secrets.keytab
> Keytab name: FILE:/usr/local/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-crc)
>    1 DC$@DOMAIN.NET.PL (des-cbc-crc)
>    1 HOST/dc@DOMAIN.NET.PL (des-cbc-md5)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (des-cbc-md5)
>    1 DC$@DOMAIN.NET.PL (des-cbc-md5)
>    1 HOST/dc@DOMAIN.NET.PL (arcfour-hmac)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (arcfour-hmac)
>    1 DC$@DOMAIN.NET.PL (arcfour-hmac)
>    1 HOST/dc@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>    1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
>    1 HOST/dc@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>    1 HOST/dc.DOMAIN.net.pl@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>    1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
>
> Version 4.7.6, built from source, rather always according to the Wiki.
> Internal DNS, DNS is working.
> Domain computers can connect to the domain.
> samba-tool ntacl sysvolreset, samba-tool dbcheck --cross-ncs --fix - not helping.
> I have updated from 4.7.4 to 4.7.6, but still the same.
> I have 5 AD DCs in the domain.
>
> **smb.conf
>
> [global]
>   workgroup = DOMAIN
>   realm = DOMAIN.NET.PL
>   netbios name = DC
>   server role = active directory domain controller
>   dns forwarder = 8.8.8.8
>   # log level = 3 passdb:5 auth:5
>   bind interfaces only = yes
>   interfaces = lo eth0
>   log level = 1 auth_audit:1
>   allow dns updates = nonsecure
>   ntlm auth = yes
>   template shell = /bin/bash
>   template homedir = /tmp
>
> [netlogon]
>   path = /usr/local/samba/var/locks/sysvol/DOMAIN.net.pl/scripts
>   read only = No
>
> [sysvol]
>   path = /usr/local/samba/var/locks/sysvol
>   read only = No
>
> [users$]
>   path = /usr/local/samba/var/data/users
>   comment = user folders for folder redirection
>   read only = No
>
> [udzial]
>   path = /usr/local/samba/var/data/udzial
>   read only = No
>   vfs objects = recycle
>   recycle:repository = .recycle/%u
>   recycle:keeptree = yes
>   recycle:touch = yes
>   recycle:versions = yes
>   recycle:inherit_nt_acl = Yes
>   recycle:directory_mode = 0700
>
> ****/etc/krb5.conf
>
> [libdefaults]
>   default_realm = DOMAIN.NET.PL
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>
> **** /etc/hosts
>
> 127.0.0.1    localhost.localdomain localhost
> 10.1.10.11   dc.domain.net.pl dc
>
> ****/etc/resolv.conf
>
> search domain.net.pl
> nameserver 10.3.10.1
> nameserver 10.6.10.1
> nameserver 10.10.10.1
> nameserver 127.0.0.1
>
> I would be grateful for any hint.
>
> Regards,
> Kris
Krzysztof Paszkowski
2018-Mar-29 14:01 UTC
[Samba] Failed to find DC in keytab, gpupdate fails
Hi,

Setting the DC's IP on top of the resolv.conf file, as you suggested, didn't help.

Perhaps there's something else I could try.

Regards,
Kris

-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl]
Sent: Thursday, March 29, 2018 1:14 PM
To: samba at lists.samba.org
Cc: Krzysztof Paszkowski <kylo at kimpa.pl>
Subject: RE: Failed to find DC in keytab, gpupdate fails
What is the output of "kvno dc.domain.net.pl"?

There seems to be a mismatch between the kvno in the secrets keytab and what the client is expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance a password change for the dc$ account, and the keytab was not recreated? If you made some upgrades, maybe during the process you for example rejoined the domain (that would set a new password for the machine in AD).

If "kvno dc.domain.net.pl" gives you the answer 2, then maybe you can just export the keytab of the dc$ account and replace the old secrets.keytab with the new one?

Regards,
Kacper

On 29.03.2018 at 16:01, Krzysztof Paszkowski via samba wrote:
> Hi,
> Setting the DC's IP on top of the resolv.conf file, as you suggested, didn't help.
> Perhaps there's something else I could try.
>
> Regards,
> Kris

--
Kind regards,
Kacper Wirski
Babka Medica
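The diagnosis Kacper describes (a keytab whose key version number no longer matches what the KDC expects) can be checked mechanically by comparing the `klist -ke` listing with the principal, kvno and enctype named in the "Failed to find ... in keytab" log line. The script below is an added example written for this thread; it is not from Samba or from any of the posters. It works on constructed copies of the klist output and log line quoted above (a subset of the keytab entries, same layout), classifies the failure as a kvno mismatch, a missing principal or a missing enctype, and, going slightly beyond the thread, also lists the single-DES and RC4 enctypes that the keytab still carries for the account.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the shape of `klist -ke` output as posted in the thread
# (only a subset of the entries, same KVNO / principal / enctype layout).
SAMPLE_KLIST = """\
Keytab name: FILE:/usr/local/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (des-cbc-crc)
   1 DC$@DOMAIN.NET.PL (arcfour-hmac)
   1 DC$@DOMAIN.NET.PL (aes128-cts-hmac-sha1-96)
   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)
"""

# Constructed sample: the gensec_gssapi log line quoted in the thread.
SAMPLE_LOG = (
    "GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab "
    "FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)"
)

# One keytab entry line: "   1 DC$@DOMAIN.NET.PL (aes256-cts-hmac-sha1-96)"
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

# The "Failed to find <principal>(kvno N) in keytab <file> (<enctype>)" message.
LOG_ENTRY = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)

# Enctypes a defender would want to see removed from a DC keytab (assumed list).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
                 "arcfour-hmac", "arcfour-hmac-md5"}


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str


def parse_klist(text: str) -> List[KeytabEntry]:
    """Extract (kvno, principal, enctype) triples from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_missing_key_error(line: str) -> Optional[dict]:
    """Pull principal, expected kvno, keytab path and enctype out of the log line."""
    m = LOG_ENTRY.search(line)
    if not m:
        return None
    found = m.groupdict()
    found["kvno"] = int(found["kvno"])
    return found


def diagnose(klist_text: str, log_line: str) -> dict:
    """Compare what the KDC asked for against what the keytab actually holds."""
    err = parse_missing_key_error(log_line)
    if err is None:
        return {"status": "no-keytab-error"}
    mine = [e for e in parse_klist(klist_text) if e.principal == err["principal"]]
    kvnos = sorted({e.kvno for e in mine})
    exact = any(e.kvno == err["kvno"] and e.enctype == err["enctype"] for e in mine)
    result = {
        "principal": err["principal"],
        "wanted_kvno": err["kvno"],
        "wanted_enctype": err["enctype"],
        "keytab_kvnos": kvnos,
        "weak_enctypes": sorted({e.enctype for e in mine if e.enctype in WEAK_ENCTYPES}),
    }
    if exact:
        result["status"] = "present"          # keytab is fine; look elsewhere
    elif not mine:
        result["status"] = "principal-missing"
    elif err["kvno"] not in kvnos:
        result["status"] = "kvno-mismatch"    # Kacper's hypothesis: stale keytab
    else:
        result["status"] = "enctype-missing"
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_KLIST, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the thread's data the result is `kvno-mismatch` with `keytab_kvnos` of `[1]` against a wanted kvno of 2, which is exactly the situation Kacper asks about: the account password moved on and the keytab did not. A `present` result means the keytab is not the problem and the investigation should move to DNS or SPN issues; `enctype-missing` points at a keytab regenerated with a narrower enctype set than the client negotiates. On a real DC, feed the script the live `klist -ke` output and the log line instead of the constructed samples.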