Hi Anton,
Root keys created with "samba-tool domain kds root-key create" are not
valid until the key cycle duration (ten hours) has elapsed. Try waiting
ten hours or creating a root key with use-start-time ten hours in the past.
Cheers,
Jennifer (she/her)
On 29/10/25 9:22 pm, Anton Shevtsov via samba wrote:
> Hi
>
> I use samba-4.21.7 as DC
>
> [root at dc ~]# samba-tool domain kds root-key list
> no root keys found.
>
> [root at dc ~]# samba-tool domain kds root-key create
> created root key 151a8fb1-a962-8487-a6b7-4f2a88fc949b, usable from
> 2025-10-29T07:30:16.406020+00:00 (about now)
>
> [root at dc ~]# samba-tool domain kds root-key view --name 151a8fb1-
> a962-8487-a6b7-4f2a88fc949b
> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>    created        2025-10-29T07:30:16.406020+00:00 (about 64 seconds ago)
>    usable from    2025-10-29T07:30:16.406020+00:00 (about 64 seconds ago)
>    dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root
> Keys,CN=Group Key Distribution
> Service,CN=Services,CN=Configuration,DC=test,DC=alt
>    cn             151a8fb1-a962-8487-a6b7-4f2a88fc949b
>    whenCreated    20251029073016.0Z
>    whenChanged    20251029073016.0Z
>    objectGUID     6b34e82e-2369-47e3-a752-c4c8bda9fc73
>    msKds-KDFAlgorithmID SP800_108_CTR_HMAC
>    msKds-KDFParam
> 00000000010000000e000000000000005300480041003500310032000000
>    msKds-SecretAgreementAlgorithmID DH
>    msKds-PublicKeyLength 2048
>    msKds-PrivateKeyLength 256
>    msKds-Version  1
>    msKds-DomainID CN=DC,OU=Domain Controllers,DC=test,DC=alt
>
> [root at dc ~]# samba-tool domain kds root-key list
> 1 root key found.
>
> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>    created        2025-10-29T07:30:16.406020+00:00 (about 5 minutes ago)
>    usable from    2025-10-29T07:30:16.406020+00:00 (about 5 minutes ago)
>    dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root
> Keys,CN=Group Key Distribution
> Service,CN=Services,CN=Configuration,DC=test,DC=alt
>
>
> If I try to create a gMSA record I get an error
>
> [root at dc ~]# samba-tool service-account create --name=gMSAkey1 --dns-
> host-name=gMSAkey1.test.alt -UAdministrator
>
> ERROR(ldb): uncaught exception - 8009000D: failed to find a suitable
> root key at ../../source4/dsdb/gmsa/
> gkdi.c:738:gkdi_most_recently_created_root_key
>   File "/usr/lib64/samba-dc/python3.12/samba/netcmd/__init__.py",
> line 353, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib64/samba-dc/python3.12/samba/netcmd/service_account/
> service_account.py", line 133, in run
>     gmsa.save(ldb)
>   File "/usr/lib64/samba-dc/python3.12/samba/domain/models/model.py",
> line 362, in save
>     samdb.add(message)
>
>
>
> I see 'usable from', my key is valid
>
> [root at dc ~]# samba-tool domain kds root-key list
> 1 root key found.
> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>    created        2025-10-29T07:30:16.406020+00:00 (about 33 minutes ago)
>    usable from    2025-10-29T07:30:16.406020+00:00 (about 33 minutes ago)
>    dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root
> Keys,CN=Group Key Distribution
> Service,CN=Services,CN=Configuration,DC=test,DC=alt
> [root at dc ~]# date -u +"%Y-%m-%dT%H:%M:%S.%6N%:z"
> 2025-10-29T08:03:59.257474+00:00
>
> What am I doing wrong?
>
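As an added illustration of the timing point in the reply above (not code from the thread or from the Samba project): the helpers below take a root key's "created" timestamp as printed by samba-tool, apply the ten-hour key cycle stated in the reply, and report when the key becomes usable and what start time to pass when backdating a new key. The ten-hour value, the assumption that samba-tool timestamps are UTC ISO-8601, the use of GNU date, and the spelling of the `--use-start-time` option (taken from the reply; confirm against `samba-tool domain kds root-key create --help`) are all assumptions; the timestamps in the demo section are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the Samba project. Assumes GNU date and UTC
# ISO-8601 timestamps of the form samba-tool prints.

KEY_CYCLE_SECONDS=36000   # ten hours, the key cycle duration stated in the reply

# Convert an ISO-8601 timestamp to seconds since the epoch.
# The fractional-second part is removed first, the timezone suffix is kept.
to_epoch() {
    ts=$(printf '%s' "$1" | sed 's/\.[0-9]*//')
    date -u -d "$ts" +%s
}

# Print the UTC time at which a key created at $1 becomes usable for gMSA work.
root_key_usable_at() {
    created=$(to_epoch "$1")
    date -u -d "@$((created + KEY_CYCLE_SECONDS))" +"%Y-%m-%dT%H:%M:%S+00:00"
}

# Exit 0 if a key created at $1 is usable at time $2, 1 otherwise.
root_key_is_usable() {
    created=$(to_epoch "$1")
    now=$(to_epoch "$2")
    [ $((now - created)) -ge "$KEY_CYCLE_SECONDS" ]
}

# Print a start time one key cycle before $1, suitable for backdating a new key.
backdated_start_time() {
    now=$(to_epoch "$1")
    date -u -d "@$((now - KEY_CYCLE_SECONDS))" +"%Y-%m-%dT%H:%M:%S+00:00"
}

# Print the command line that creates a backdated root key. The option name
# follows the reply above; verify it with --help before relying on it.
root_key_create_cmd() {
    printf 'samba-tool domain kds root-key create --use-start-time=%s\n' \
        "$(backdated_start_time "$1")"
}

# Demo with the timestamps quoted in the thread (created vs. the DC's clock).
CREATED='2025-10-29T07:30:16.406020+00:00'
NOW='2025-10-29T08:03:59.257474+00:00'
printf 'key usable from:  %s\n' "$(root_key_usable_at "$CREATED")"
if root_key_is_usable "$CREATED" "$NOW"; then
    echo "key is usable now"
else
    echo "key is NOT yet usable; wait, or create a backdated key:"
    root_key_create_cmd "$NOW"
fi
```

Run it on the DC with the real "created" value and `date -u` output to see whether the 8009000D error is simply the key cycle not having elapsed yet.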