Hi, This is strange what you are writing. Are you saying, that if Administrator is in Domain Users group = ALL my users have admins rights? Hard to believe. Moreover, I'm unable to delete Administrator from Domain Users group, as this is my basic group (I received such an info). I believe the keytab is needed to sth, cause without it I keep receiving: [2018/04/03 17:32:39.331938, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal) GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): keytab /usr/local/samba/private/secrets.keytab open failed: No such file or directory About previous errors according: " Decrypt integrity check failed " - I just needed to wait (I believe the ticket time). Now it seems to be fine. I have two more errors to resolve: 1. Two my DCs: Centos 7, Samba 4.7.6, built from sources with ./configure --disable-cups samba-tool domain join domain.net.pl DC -U"DOMAIN\administrator" --dns-backend=SAMBA_INTERNAL I do not use bind, only DNS build-in samba. The errors in log.samba (all the time): [2018/04/04 09:46:58.532467, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) /usr/sbin/rndc: Failed to exec child - No such file or directory [2018/04/04 09:46:58.535167, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done) ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_UNSUCCESSFUL I saw such a problem in mailing lists, almost 2 years ago. Then it ended up as a bug. What does it mean now? On one of these DCs I've installed bind and now the error is: [2018/04/04 10:25:57.313345, 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done) ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_ACCESS_DENIED [2018/04/04 10:26:57.344688, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) /usr/sbin/rndc: rndc: neither /etc/rndc.conf nor /etc/rndc.key was found 2. KVNO mismatch - on the main DC [2018/04/03 14:36:46.822531, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit) SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE [2018/04/03 14:36:46.968728, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal) GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96) kvno DC DC at DOMAIN.NET.PL: kvno = 1 Is there any other way to increase the key version to 2 than demote dc and rejoin domain? I was trying with the command: ktutil: add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e aes256-cts-hmac-sha1-96 but then I'm asking to enter password (or key with -key option in add_entry) - can I leave it empty, just hit enter key? Any help appreciated. Regards, Kris -----Original Message----- From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba Sent: Tuesday, April 3, 2018 6:27 PM To: samba at lists.samba.org Subject: Re: [Samba] Unable to rejoin domain, LDAP error 50 On Tue, 3 Apr 2018 18:09:18 +0200 Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:> There was lack of membership in Administrators domain/Builtin group. > I had only: > Domain Users > Group Policy Creator Owners > Enterprise Admins > Schema Admins > Domain AdminsYou should only have: Domain Admins Administrator Enterprise Admins You definitely shouldn't have Domain Users, this make ALL your domain users into admins and I don't think you want that ;-)> > Any hint with the recreation of keytab file? >Do you actually need the keytab ? It is only required if something like Dovecot needs to auth to AD. If you do need the keytab, you can create it with samba-tool: samba-tool domain exportkeytab This will create a keytab with all the keytabs in it, if you just want one keytab, add '--principal=PRINCIPAL'. Add '--help' to the command above for more info Rowland -- To unsubscribe from this list go to the following URL and read the instructions: lists.samba.org/mailman/options/samba
On Wed, 4 Apr 2018 10:54:22 +0200 Krzysztof Paszkowski via samba <samba at lists.samba.org> wrote:> Hi, > This is strange what you are writing. Are you saying, that if > Administrator is in Domain Users group = ALL my users have admins > rights? Hard to believe. Moreover, I'm unable to delete Administrator > from Domain Users group, as this is my basic group (I received such > an info).No, you posted this: There was lack of membership in Administrators domain/Builtin group. I had only: Domain Users Group Policy Creator Owners Enterprise Admins Schema Admins Domain Admins Which seems to suggest that 'Domain Users' is a member of the 'Administrators' group, this is definitely not a good idea. All users are members of 'Domain Users' and hence, if 'Domain Users' is a member of 'Administrators', they are members of the 'Administrators' group.> > I believe the keytab is needed to sth, cause without it I keep > receiving: [2018/04/03 17:32:39.331938, > 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal) > GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see > text): keytab /usr/local/samba/private/secrets.keytab open failed: No > such file or directoryAh, that is a different keytab to the one I thought you were referring to, you definitely need that one ;-)> > About previous errors according: " Decrypt integrity check failed " - > I just needed to wait (I believe the ticket time). Now it seems to be > fine. > > I have two more errors to resolve: > > 1. Two my DCs: Centos 7, Samba 4.7.6, built from sources with > ./configure --disable-cups > samba-tool domain join domain.net.pl DC -U"DOMAIN\administrator" > --dns-backend=SAMBA_INTERNAL > > I do not use bind, only DNS build-in samba. > > The errors in log.samba (all the time): > [2018/04/04 09:46:58.532467, > 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) /usr/sbin/rndc: > Failed to exec child - No such file or directory [2018/04/04 > 09:46:58.535167, > 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done) ../source4/dsdb/dns/dns_update.c:91: > Failed rndc update - NT_STATUS_UNSUCCESSFUL > > I saw such a problem in mailing lists, almost 2 years ago. Then it > ended up as a bug. What does it mean now? On one of these DCs I've > installed bind and now the error is: [2018/04/04 10:25:57.313345, > 0] ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done) ../source4/dsdb/dns/dns_update.c:91: > Failed rndc update - NT_STATUS_ACCESS_DENIED [2018/04/04 > 10:26:57.344688, > 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) /usr/sbin/rndc: > rndc: neither /etc/rndc.conf nor /etc/rndc.key was foundTry adding this to smb.conf: dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool> > > 2. KVNO mismatch - on the main DC > > [2018/04/03 14:36:46.822531, > 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit) > SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE > [2018/04/03 14:36:46.968728, > 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal) > GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see > text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab > FILE:/usr/local/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96) > > kvno DC > DC at DOMAIN.NET.PL: kvno = 1 > > Is there any other way to increase the key version to 2 than demote > dc and rejoin domain? I was trying with the command: > ktutil: add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e > aes256-cts-hmac-sha1-96 but then I'm asking to enter password (or key > with -key option in add_entry) - can I leave it empty, just hit enter > key? > >You could try running 'samba_upgradeprovision', this will reset the passwords: samba_upgradeprovision --realm=<YOUR REALM> -U Administrator NOTE: I have never had to do this, So I would urge you to backup everything before trying it. However, the errors could be coming from something that is using stale passwords, they may go away if you wait long enough or reboot everything. Rowland
>>> 2. KVNO mismatch - on the main DC >>> >>> [2018/04/03 14:36:46.822531, >>> 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit) >>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE >>> [2018/04/03 14:36:46.968728, >>> 1] >>> ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal) >>> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see >>> text): Failed to find DC$@DOMAIN.NET.PL(kvno 2) in keytab >>> FILE:/usr/local/samba/private/secrets.keytab >>> (aes256-cts-hmac-sha1-96) >>> >>> kvno DC >>> DC at DOMAIN.NET.PL: kvno = 1 >>> >>> Is there any other way to increase the key version to 2 than demote >>> dc and rejoin domain? I was trying with the command: >>> ktutil: add_entry -password -p DC$@DOMAIN.NET.PL -k 2 -e >>> aes256-cts-hmac-sha1-96 but then I'm asking to enter password (or key >>> with -key option in add_entry) - can I leave it empty, just hit enter >>> key? >>> >>> >> >> You could try running 'samba_upgradeprovision', this will reset the >> passwords: >> >> samba_upgradeprovision --realm=<YOUR REALM> -U Administrator >> >> NOTE: I have never had to do this, So I would urge you to backup >> everything before trying it. >> >> However, the errors could be coming from something that is using stale >> passwords, they may go away if you wait long enough or reboot >> everything. >> >> Rowland > > I'll try it this weekend, making before full backup of my DC. I'm > facing this error about KVNO mismatch at least three weeks (and I'm > not sure where did it get from). > > Thank you for your assistance, I'll give you a feedback about > samba_upgradeprovision. > > Regards, > KrisI should try this command sooner. Now I have made full backup and something is missing: [root at dc ~]# cd /opt/samba-4.7.6/bin [root at dc bin]# ./samba_upgradeprovision --realm=DOMAIN.NET.PL -U Administrator Traceback (most recent call last): File "./samba_upgradeprovision", line 36, in <module> import ldb I have the same output running the script from /opt/samba-4.7.6/source4/scripting/bin/ directory. OS is CentOS 6. Google returns nothing really special about it. Any hint? Regards, Kris
On Sun, 08 Apr 2018 12:31:26 +0200 Kris via samba <samba at lists.samba.org> wrote:> I should try this command sooner. Now I have made full backup and > something is missing: > > [root at dc ~]# cd /opt/samba-4.7.6/bin > [root at dc bin]# ./samba_upgradeprovision --realm=DOMAIN.NET.PL -U > Administrator > Traceback (most recent call last): > File "./samba_upgradeprovision", line 36, in <module> > import ldb > > I have the same output running the script from > /opt/samba-4.7.6/source4/scripting/bin/ directory. > OS is CentOS 6. Google returns nothing really special about it. > > Any hint? >Have you got python-ldb installed ? I think it is called pyldb on Centos. Rowland