Dear list,

by mistake some script (msktutil) has updated the machine password and keytab for one of my DCs (samba-4.10.10). While I could restore the keytab (/var/lib/samba/private/secrets.keytab) using samba-tool domain exportkeytab, I fail to come up with a way to update the secrets file (/var/lib/samba/private/secrets.ldb) with a new machine password.
Can you please help me with an idea of how to fix this?
Currently I have a lot of these:

[2019/11/03 13:36:15.516141, 1] ../../source4/auth/gensec/gensec_gssapi.c:331(gensec_gssapi_client_creds)
  Wrong username or password: kinit for DC3$@MY.DOMAIN failed (Preauthentication failed)

and subsequently failing DRS replication.
Thanks a lot!

Best regards
Johannes
2 hours and I am a little further:
Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass, which updated the machine password as well as the keytab.
After a restart samba keeps complaining now that the (outdated) KVNO 6 is no longer part of the secrets.keytab:

[2019/11/03 16:22:12.319958, 1] ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)

Apparently I missed one place in the update. Any ideas how to fix this last part?
Thanks a lot!

Best regards
Johannes

On Sun, 3 Nov 2019 at 13:37, Johannes Engel <jcnengel at gmail.com> wrote:
> Dear list,
>
> by mistake some script (msktutil) has updated machine password and keytab
> for one of my DCs (samba-4.10.10). While I could restore the keytab
> (/var/lib/samba/private/secrets.keytab) using samba-tool domain
> exportkeytab, I fail to come up with a way to update the secrets file
> (/var/lib/samba/private/secrets.ldb) with a new machine password.
> Can you please help me with an idea how to fix this?
> Currently I have a lot of these:
>
> [2019/11/03 13:36:15.516141, 1]
> ../../source4/auth/gensec/gensec_gssapi.c:331(gensec_gssapi_client_creds)
> Wrong username or password: kinit for DC3$@MY.DOMAIN failed
> (Preauthentication failed)
>
> and subsequently failing DRS replication.
> Thanks a lot!
>
> Best regards
> Johannes
On Sun, 2019-11-03 at 16:24 +0100, Johannes Engel via samba wrote:
> 2 hours and I am a little further:
> Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass
> which updated the machine password as well as the keytab.
> After a restart samba keeps complaining now that the (outdated) KVNO 6 is
> no longer part of the secrets.keytab:
> [2019/11/03 16:22:12.319958, 1]
> ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
> text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab
> FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>
> Apparently I missed one place in the update. Any ideas how to fix this last
> part?

Is there a second DC? If so, it is trying to use the last password it knew. Try forcing it to use the first DC as the KDC until replication is back working, or force it with 'samba-tool drs replicate --local -k no' (to force NTLMSSP).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
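The "Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab" message in the thread means the ticket presented by the other DC was encrypted under key version 6, while the regenerated secrets.keytab only holds the new version. The following is an added example, not code from the thread or from the Samba project: a small Python checker that parses a keytab in the MIT/Heimdal v2 (0x0502) file format and reports which key version numbers it holds for a principal, so the mismatch can be confirmed offline before touching replication. The keytab bytes are constructed inline (zero-filled dummy keys, a constructed timestamp, kvno 7 standing in for "the new password"); the names build_keytab, parse_keytab, find_key and missing_kvnos are assumptions of this example. Pass a real path to main() to inspect an actual file.

```python
"""Offline keytab inspector: list principal/kvno/enctype entries and check
whether a given kvno is present (the condition behind Samba's
"Failed to find <principal>(kvno N) in keytab" error).

Added example; not part of the mailing-list thread or of Samba itself.
"""
import struct
import sys
from dataclasses import dataclass

KEYTAB_V2 = 0x0502
# Enctype numbers from RFC 3961/3962/4757, used only for display.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac-md5"}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string (big-endian)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_keytab(entries):
    """Construct a v2 keytab from (principal, kvno, enctype, key) tuples."""
    out = bytearray(struct.pack(">H", KEYTAB_V2))
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name_type NT-PRINCIPAL (1), constructed timestamp, 8-bit vno
        body += struct.pack(">IIB", 1, 1572787200, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a v2 keytab; deleted slots (negative size) are skipped."""
    if len(data) < 2 or struct.unpack_from(">H", data, 0)[0] != KEYTAB_V2:
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # deleted slot: body of -size bytes
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        (enctype,) = struct.unpack_from(">H", data, off); off += 2
        _key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:           # nonzero 32-bit vno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, ts))
    return entries


def find_key(entries, principal, kvno, enctype=None):
    """Entries matching what a GSSAPI acceptor would look up for a ticket."""
    return [e for e in entries if e.principal == principal and e.kvno == kvno
            and (enctype is None or e.enctype == enctype)]


def missing_kvnos(entries, principal, wanted):
    have = {e.kvno for e in entries if e.principal == principal}
    return sorted(set(wanted) - have)


# Constructed sample: only the post-change key version (7) survived, as after
# regenerating the keytab; a deleted slot is inserted to exercise the parser.
_fresh = build_keytab([("DC3$@MY.DOMAIN", 7, 18, bytes(32)),
                       ("DC3$@MY.DOMAIN", 7, 17, bytes(16))])
SAMPLE_KEYTAB = _fresh[:2] + struct.pack(">i", -5) + bytes(5) + _fresh[2:]


def main(path=None):
    data = open(path, "rb").read() if path else SAMPLE_KEYTAB
    entries = parse_keytab(data)
    for e in entries:
        print(f"{e.principal:<24} kvno={e.kvno:<3} {ENCTYPES.get(e.enctype, e.enctype)}")
    gap = missing_kvnos(entries, "DC3$@MY.DOMAIN", [6, 7])
    print("missing kvnos for DC3$@MY.DOMAIN:", gap or "none")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

On the constructed sample the report shows kvno 7 for both AES enctypes and flags kvno 6 as missing, which is exactly the state the second message describes; a peer DC that still holds a ticket for DC3$ under version 6 will be rejected until it obtains a fresh one, which is why the reply suggests steering it at a working KDC or forcing the replication link to NTLMSSP.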