On Sun, 2019-11-03 at 16:24 +0100, Johannes Engel via samba wrote:
> 2 hours and I am a little further:
> Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass
> which updated the machine password as well as the keytab.
> After a restart samba keeps complaining now that the (outdated) KVNO 6 is
> no longer part of the secrets.keytab:
> [2019/11/03 16:22:12.319958, 1]
> ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
> text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab
> FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
>
> Apparently I missed one place in the update. Any ideas how to fix this last
> part?

Is there a second DC?

If so, it is trying to use the last password it knew. Try forcing it
to use the first DC as the KDC until replication is back working, or
force it with 'samba-tool drs replicate --local -k no' (to force
NTLMSSP).

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi Andrew,

thanks a lot, however, I am not entirely sure I understand your hint:
I have 3 DCs in the domain, the third of which is having the issue described.
Now, here is what I did:

> samba-tool drs replicate DC3 DC2 dc=my,dc=domain --local -k no
Partition[dc=my,dc=domain] objects[0] linked_values[0]
Incremental replication of 0 objects and 0 links from DC2 to
tdb:///var/lib/samba/private/sam.ldb was successful.

> samba-tool drs replicate DC3 DC1 dc=my,dc=domain --local -k no
Partition[dc=my,dc=domain] objects[0] linked_values[0]
Incremental replication of 0 objects and 0 links from DC1 to
tdb:///var/lib/samba/private/sam.ldb was successful.

but:

> samba-tool drs replicate DC1 DC3 dc=my,dc=domain
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 389, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 87, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Did I miss anything?

Best regards
Johannes

On Sun, 3 Nov 2019 at 17:52, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2019-11-03 at 16:24 +0100, Johannes Engel via samba wrote:
> > 2 hours and I am a little further:
> > Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass
> > which updated the machine password as well as the keytab.
> > After a restart samba keeps complaining now that the (outdated) KVNO 6 is
> > no longer part of the secrets.keytab:
> > [2019/11/03 16:22:12.319958, 1]
> > ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)
> > GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
> > text): Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab
> > FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
> >
> > Apparently I missed one place in the update. Any ideas how to fix this
> > last part?
>
> Is there a second DC?
>
> If so, it is trying to use the last password it knew. Try forcing it
> to use the first DC as the KDC until replication is back working, or
> force it with 'samba-tool drs replicate --local -k no' (to force
> NTLMSSP).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Sun, 2019-11-03 at 18:58 +0100, Johannes Engel via samba wrote:
> Hi Andrew,
>
> thanks a lot, however, I am not entirely sure I understand your hint:
> I have 3 DCs in the domain, the third of which is having the issue
> described.
> Now, here is what I did:
>
> > samba-tool drs replicate DC3 DC2 dc=my,dc=domain --local -k no
> Partition[dc=my,dc=domain] objects[0] linked_values[0]
> Incremental replication of 0 objects and 0 links from DC2 to
> tdb:///var/lib/samba/private/sam.ldb was successful.
>
> > samba-tool drs replicate DC3 DC1 dc=my,dc=domain --local -k no
> Partition[dc=my,dc=domain] objects[0] linked_values[0]
> Incremental replication of 0 objects and 0 links from DC1 to
> tdb:///var/lib/samba/private/sam.ldb was successful.
>
> but:
>
> > samba-tool drs replicate DC1 DC3 dc=my,dc=domain
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 389, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
>   File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 87, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> Did I miss anything?

Did you run this on each DC?

--local ignores the target DC argument and forces the replication into
the local DB, whatever that happens to be.

If you ran this on DC3 then "samba-tool drs replicate DC1 DC3" is
really "samba-tool drs replicate DC3 DC3" which makes no sense (hence
the failure).

I'm glad it failed, as if it succeeded I have no idea what it would
have done :-)

Andrew Bartlett

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
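The situation Andrew diagnoses (another DC still issuing tickets under the old machine password, so the server asks the freshly rewritten keytab for a KVNO it no longer holds) can be confirmed from the DC's own logs before touching replication. The following is an added example, not code from this thread or from Samba; it assumes MIT-style `klist -ke` output and the gensec_gssapi message format quoted above, with constructed sample input for both.

```python
import re

# Constructed sample of MIT-style `klist -ke` output for the DC's secrets keytab
# after the password change (assumption: this layout; the real keytab is not shown).
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 DC3$@MY.DOMAIN (aes256-cts-hmac-sha1-96)
   7 DC3$@MY.DOMAIN (aes128-cts-hmac-sha1-96)
   7 host/dc3.my.domain@MY.DOMAIN (aes256-cts-hmac-sha1-96)
"""
# Constructed log lines modelled on the gensec_gssapi failure quoted in the thread.
SAMPLE_LOG = [
    "[2019/11/03 16:22:12.319958, 1] ../../source4/auth/gensec/gensec_gssapi.c:793(gensec_gssapi_update_internal)",
    "  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
    "Failed to find DC3$@MY.DOMAIN(kvno 6) in keytab "
    "FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)",
]
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(\S+\))?\s*$")   # "   7 principal (enctype)"
LOG_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab")

def parse_keytab_listing(text):
    """Map each principal in `klist -ke` output to the set of KVNOs the keytab holds."""
    kvnos = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos

def find_stale_kvno_requests(log_lines, keytab_kvnos):
    """For each keytab lookup failure, record the KVNO a peer presented and the
    KVNOs actually stored. A request below every stored KVNO means the ticket was
    issued by a KDC that still holds the old machine password (replication lag),
    not that the keytab export itself is incomplete."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        principal, wanted = m.group(1), int(m.group(2))
        have = sorted(keytab_kvnos.get(principal, set()))
        findings.append({"principal": principal, "requested_kvno": wanted,
                         "present_kvnos": have,
                         "stale_request": bool(have) and wanted < min(have)})
    return findings
```

A `stale_request` hit points at the peer DC (or the KDC the client used) rather than at the local keytab, which is the distinction Andrew draws above.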