Hello,
i have a samba4 ad domain with 5 domain controllers.
Since 2-3 weeks, i have problems with kerberos, log.samba:
[2012/11/16 16:21:11, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:21:12, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=test,DC=local
[2012/11/16 16:21:12, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:21:14, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:21:24, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=test,DC=local
[2012/11/16 16:21:24, 0]
../source4/dsdb/repl/drepl_out_helpers.c:829(dreplsrv_update_refs_done)
UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
0854286a-4fd6-42a8-bc79-4487b61c7733._msdcs.test.local
CN=Schema,CN=Configuration,DC=test,DC=local
[2012/11/16 16:21:44, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 3 objects (0 linked attributes) for DC=test,DC=local
[2012/11/16 16:21:53, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for DC=test,DC=local
[2012/11/16 16:21:53, 0]
../source4/dsdb/repl/drepl_out_helpers.c:829(dreplsrv_update_refs_done)
UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
0854286a-4fd6-42a8-bc79-4487b61c7733._msdcs.test.local DC=test,DC=local
[2012/11/16 16:23:49, 2]
../source4/libcli/dgram/dgramsocket.c:92(dgm_socket_recv)
No mailslot handler for '?MAILSLOT?LANMAN'
[2012/11/16 16:25:06, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=local
[2012/11/16 16:25:19, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for
CN=Configuration,DC=test,DC=local
[2012/11/16 16:25:19, 0]
../source4/dsdb/repl/drepl_out_helpers.c:829(dreplsrv_update_refs_done)
UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
0854286a-4fd6-42a8-bc79-4487b61c7733._msdcs.test.local
CN=Configuration,DC=test,DC=local
[2012/11/16 16:26:01, 0]
../source4/librpc/rpc/dcerpc_util.c:660(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at
ncacn_ip_tcp:da93641c-ad62-4a93-bf2d-5eae845237ab._msdcs.test.local[1024,seal,krb5]
NT_STATUS_INVALID_PARAMETER
[2012/11/16 16:26:01, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=test,DC=local
[2012/11/16 16:26:11, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:26:12, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:26:13, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=test,DC=local
[2012/11/16 16:26:13, 0]
../source4/dsdb/repl/drepl_out_helpers.c:829(dreplsrv_update_refs_done)
UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
0854286a-4fd6-42a8-bc79-4487b61c7733._msdcs.test.local
CN=Schema,CN=Configuration,DC=test,DC=local
[2012/11/16 16:26:14, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:26:49, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=test,DC=local
[2012/11/16 16:26:50, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for DC=test,DC=local
[2012/11/16 16:26:51, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:26:56, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:27:01, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:27:02, 2]
../source4/dsdb/repl/replicated_objects.c:779(dsdb_replicated_objects_commit)
Replicated 0 objects (0 linked attributes) for DC=test,DC=local
[2012/11/16 16:27:02, 0]
../source4/dsdb/repl/drepl_out_helpers.c:829(dreplsrv_update_refs_done)
UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
0854286a-4fd6-42a8-bc79-4487b61c7733._msdcs.test.local DC=test,DC=local
[2012/11/16 16:27:07, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:27:11, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:27:16, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
[2012/11/16 16:27:21, 1]
../source4/auth/gensec/gensec_gssapi.c:645(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text):
Decrypt integrity check failed
When i execute "ldbsearch --debug-stderr -H ldaps://s-vucs04.koller.local
-UUsername", at the first line, i get the message:
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
root at s-vucs01:~# smbclient -L s-vucs01 --machine-pass
Domain=[test] OS=[Unix] Server=[Samba 4.0.0rc2]
Sharename Type Comment
--------- ---- -------
netlogon Disk Domain logon service
sysvol Disk
IPC$ IPC IPC Service (Univention Corporate Server)
homes Disk Heimatverzeichnisse
print$ Disk Printer Drivers
CD Disk
Holz-Vitis Disk
IT Disk
p-v05 Printer test-Holz/HP OfficeJet Pro 8000
p-v06 Printer Umkleideraum/Sharp MX2300N
p-v02 Printer B??ro/HP BusinessJet 1200d
p-v01 Printer B??ro/HP LaserJet 4
p-v03 Printer Einkauf/HP OfficeJet Pro 8000
p-v04 Printer Entwicklung/OKI C5400N
Domain=[test] OS=[Unix] Server=[Samba 4.0.0rc2]
Server Comment
--------- -------
S-VUCS01 Univention Corporate Server
S-VUCS02 Univention Corporate Server
Workgroup Master
--------- -------
test S-VUCS02
I can see, that the master is "s-vucs02", who can i change this
entry?????
root at s-vucs01:~# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS
Settings,CN=S-VUCS01,CN=Servers,CN=VITIS-LAN,CN=Sites,CN=Configuration,DC=test,DC=local
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=S-VUCS01,CN=Servers,CN=VITIS-LAN,CN=Sites,CN=Configuration,DC=test,DC=local
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=S-VUCS01,CN=Servers,CN=VITIS-LAN,CN=Sites,CN=Configuration,DC=test,DC=local
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=S-VUCS01,CN=Servers,CN=VITIS-LAN,CN=Sites,CN=Configuration,DC=test,DC=local
SchemaMasterRole owner: CN=NTDS
Settings,CN=S-VUCS01,CN=Servers,CN=VITIS-LAN,CN=Sites,CN=Configuration,DC=test,DC=local
On the windows clients, every think works fine...
Why i have this errors, what can i do?
Thanks for help!
Regards,
Thomas
