03.11.2025 07:51, Jennifer Sutton via samba wrote:
> Hi Anton,
>
> Root keys created with "samba-tool domain kds root-key create" are not
> valid until the key cycle duration (ten hours) has elapsed. Try
> waiting ten hours or creating a root key with use-start-time ten hours
> in the past.
>
> Cheers,
> Jennifer (she/her)
Thanks Jennifer!
All works fine! Is the ten-hour period you specified a constant? Can it
be changed?
>
> On 29/10/25 9:22 pm, Anton Shevtsov via samba wrote:
>> Hi
>>
>> I use samba-4.21.7 as DC
>>
>> [root at dc ~]# samba-tool domain kds root-key list
>> no root keys found.
>>
>> [root at dc ~]# samba-tool domain kds root-key create
>> created root key 151a8fb1-a962-8487-a6b7-4f2a88fc949b, usable from
>> 2025-10-29T07:30:16.406020+00:00 (about now)
>>
>> [root at dc ~]# samba-tool domain kds root-key view --name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>>     created        2025-10-29T07:30:16.406020+00:00 (about 64 seconds ago)
>>     usable from    2025-10-29T07:30:16.406020+00:00 (about 64 seconds ago)
>>     dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=test,DC=alt
>>     cn             151a8fb1-a962-8487-a6b7-4f2a88fc949b
>>     whenCreated    20251029073016.0Z
>>     whenChanged    20251029073016.0Z
>>     objectGUID     6b34e82e-2369-47e3-a752-c4c8bda9fc73
>>     msKds-KDFAlgorithmID SP800_108_CTR_HMAC
>>     msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
>>     msKds-SecretAgreementAlgorithmID DH
>>     msKds-PublicKeyLength 2048
>>     msKds-PrivateKeyLength 256
>>     msKds-Version  1
>>     msKds-DomainID CN=DC,OU=Domain Controllers,DC=test,DC=alt
>>
>> [root at dc ~]# samba-tool domain kds root-key list
>> 1 root key found.
>>
>> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>>     created        2025-10-29T07:30:16.406020+00:00 (about 5 minutes ago)
>>     usable from    2025-10-29T07:30:16.406020+00:00 (about 5 minutes ago)
>>     dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=test,DC=alt
>>
>>
>> If I try to create a gMSA record I get an error
>>
>> [root at dc ~]# samba-tool service-account create --name=gMSAkey1 --dns-host-name=gMSAkey1.test.alt -UAdministrator
>>
>> ERROR(ldb): uncaught exception - 8009000D: failed to find a suitable root key at ../../source4/dsdb/gmsa/gkdi.c:738:gkdi_most_recently_created_root_key
>>   File "/usr/lib64/samba-dc/python3.12/samba/netcmd/__init__.py", line 353, in _run
>>     return self.run(*args, **kwargs)
>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>   File "/usr/lib64/samba-dc/python3.12/samba/netcmd/service_account/service_account.py", line 133, in run
>>     gmsa.save(ldb)
>>   File "/usr/lib64/samba-dc/python3.12/samba/domain/models/model.py", line 362, in save
>>     samdb.add(message)
>>
>>
>>
>> I see 'usable from', my key is valid
>>
>> [root at dc ~]# samba-tool domain kds root-key list
>> 1 root key found.
>> name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
>>     created        2025-10-29T07:30:16.406020+00:00 (about 33 minutes ago)
>>     usable from    2025-10-29T07:30:16.406020+00:00 (about 33 minutes ago)
>>     dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=test,DC=alt
>> [root at dc ~]# date -u +"%Y-%m-%dT%H:%M:%S.%6N%:z"
>> 2025-10-29T08:03:59.257474+00:00
>>
>> What am I doing wrong?
>>
>
>
--
Anton
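The point of the reply above is that the "usable from" timestamp printed by `samba-tool domain kds root-key list` is not the moment the DC will actually hand the key to a gMSA: gkdi only picks a root key once a full key cycle (ten hours, per the reply) has passed since that timestamp. The script below is an added example, not code from this thread or from Samba. It parses the listing output quoted in the thread (embedded here as a constructed sample with the mis-encoded spaces cleaned up), reports which keys gkdi would accept at a given wall-clock time, and computes a backdated start time of the kind the reply suggests. It assumes the ten-hour key cycle is the value being checked and that `--use-start-time` takes an ISO 8601 timestamp in the same form the listing prints; both are assumptions taken from the thread, not verified against Samba's source.

```python
"""Check whether KDS root keys listed by samba-tool are old enough for gMSA use."""
from datetime import datetime, timedelta, timezone

# Key cycle duration quoted in the reply (ten hours). Assumed here to be the
# age a root key must reach before gkdi considers it "suitable".
KEY_CYCLE = timedelta(hours=10)

# Constructed sample: the 'root-key list' output from the thread, with the
# mis-encoded non-breaking spaces replaced by ordinary spaces.
SAMPLE_LIST = """1 root key found.

name 151a8fb1-a962-8487-a6b7-4f2a88fc949b
    created        2025-10-29T07:30:16.406020+00:00 (about 5 minutes ago)
    usable from    2025-10-29T07:30:16.406020+00:00 (about 5 minutes ago)
    dn  CN=151a8fb1-a962-8487-a6b7-4f2a88fc949b,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=test,DC=alt
"""


def parse_timestamp(iso_text):
    """Parse the ISO 8601 form samba-tool prints (with offset) into an aware datetime."""
    ts = datetime.fromisoformat(iso_text.strip())
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def _timestamp_field(line, label):
    # A field line looks like "usable from    2025-...+00:00 (about 5 minutes ago)";
    # the first token after the label is the timestamp, the parenthetical is ignored.
    return parse_timestamp(line[len(label):].split()[0])


def parse_root_keys(text):
    """Return a list of {name, created, usable_from} dicts from root-key list output."""
    keys = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            current = {"name": line.split(None, 1)[1]}
            keys.append(current)
        elif current is not None and line.startswith("created "):
            current["created"] = _timestamp_field(line, "created")
        elif current is not None and line.startswith("usable from "):
            current["usable_from"] = _timestamp_field(line, "usable from")
    return keys


def suitable_root_keys(keys, now):
    """Keys whose usable-from time is at least one key cycle before `now`."""
    return [k for k in keys if k["usable_from"] + KEY_CYCLE <= now]


def becomes_suitable_at(key):
    """First instant at which gkdi would accept the key under the ten-hour rule."""
    return key["usable_from"] + KEY_CYCLE


def backdated_start_time(now):
    """A --use-start-time value (assumed ISO 8601) that makes a new key usable at once."""
    return (now - KEY_CYCLE).isoformat()


def report(text, now):
    """Human-readable summary for an admin diagnosing the 'no suitable root key' error."""
    keys = parse_root_keys(text)
    ok = suitable_root_keys(keys, now)
    lines = [f"{len(keys)} root key(s) listed, {len(ok)} suitable at {now.isoformat()}"]
    for k in keys:
        state = "suitable" if k in ok else f"waiting until {becomes_suitable_at(k).isoformat()}"
        lines.append(f"  {k['name']}: {state}")
    if not ok:
        lines.append(f"  no usable key yet; a new key with --use-start-time {backdated_start_time(now)}"
                     " would be usable immediately")
    return "\n".join(lines)


if __name__ == "__main__":
    # The 'date -u' value from the thread, 33 minutes after the key was created.
    print(report(SAMPLE_LIST, parse_timestamp("2025-10-29T08:03:59.257474+00:00")))
```

Run against the thread's own timestamps, the report shows the single key as not yet suitable at 08:03:59 and becoming suitable at 17:30:16, which matches the error Anton saw and the ten-hour wait the reply recommends.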