search for: kvno

Try verifying kvno from the client that gives the error message. That kvno = 2 for dc$ must've come from somewhere. You can also double check e.g. via ADUC ldap attributes of the dc$: lastpwdset and kvno. If  kvno is definately 1 that means that client connecting has some error, if it's 2, than it means t...

Hi! I have a samba4 domain with two r/w directory controllers. DNS is set up so that domain.com name adresses both servers for redundancy. But workstaions can't contact second server with address \\domain.com becuse the kvno is different that first servers kvno and when using \\domain.com address the kvno seems to be always first servers kvno. Can I somehow increase the second servers kvno or is there other solutions Hannu

Hello I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a while however I have to regenerate a keytab, because for reasons unknown to me, the KVNO is increased by one. I'm not doing anything with an account the SPN is bound to. The KVNO seems to change automagically after few days and service cannot talk to the KDC unless I create a new keytab. What can cause the KVNO (and probably the keys) to change automagically? Is there a way to dis...

...gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE [2019/10/08 10:58:09.634532, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/dom.corp at DOM.CORP(kvno 109) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno 109. Il giorno mar 8 ott 2019 alle ore 22:26 Rowland penny via samba < samba at lists.samba.org> ha scritto: > On 08/10/2019 21:11, banda bassotti wrote: &g...

what is the output of "kvno dc.domain.net.pl"? There seems to be mismatch kvno of the secrets keytab, and what is client expecting (kvno 2). Kvno increments by 1 for every password change. Was there by any chance password change for the dc$ account and keytab was not recreated? If You made some upgrades, maybe during...

Hello everyone, I have a FreeNAS server (9.10 running samba 4.3.11-GIT-UNKNOWN) that's recently started emitting this error: gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/nas01 at EXAMPLE.COM(kvno 4) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] I've looked at bug 12262 [1], which is why I've cc'd Stefan Metzmacher. I don't think this is is the same as that bug, and I will explain why. I've looked at a lot of mailing list/forum posts, and the problem either &quot...

hello, today the following problem occurred: [2019/10/08 09: 57: 23.568282, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) gss_accept_sec_context failed with [Miscellaneous failure (see text): Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab MEMORY: cifs_srv_keytab (arcfour-hmac-md5)] in my smb.conf I have the lines: kerberos method = dedicated keytab dedicated keytab file = /etc/samba/fs.keytab # net ads keytab list Vno Type Principal 108 arcfour-hmac-md5 cifs/fs-sahre at dom.corp 108 des-cbc-md5 cifs/fs-sahre at...

...different hostname to both OS, joigning Win7 to AD and joigning linux to AD, using winbind for users and groups. I've chosen the first one (may be it's not the better choice....), but actually I'm facing a strange problem... some times my keytab on the Samba4 server is updated (KVNO incremented) without any human intervention.... so my sssd on linux side can't speak with the server anymore.... Is anybody know why a keytab can change internaly ? Can Win7 change keytab (refresh or modify or anything else) when any user using it ? I just want to understan...

...the long way" and - maybe not the safest. What worries me is this: I added those DC with same names they were previously (basically dc1 -> demote ->  install fresh samba -> dc1 join again as DC with some editing inbetween) the secrets.keytab was created anew, but right now it has KVNO 2, instead of 1 (kind of supposed to happen I guess, or I didn't clean something from LDAP after demote?) I don't know if it's an issue (so far I don't have any errors), but I understand that the way I upgraded wasn't the most obvious one. The way I upgraded: In 4.5 I got h...

...m git on a debian wheezy system. Initially, I was able to join Windows 7 clients to the AD controller. However, trying to get freenas 8 to join has been failing. In the end, trying to get it to work I changed administrator's password (via dsa.msc) which broke AD joining for windows clients too. KVNO in secrets.keytab file has always been "1". Could this mismatch be the cause of the failures? I rebooted all clients (to get rid of stale tickets) to no avail. The only way to fix this was to run the provision script again, but now samba is not very stable (I managed to join the AD domai...

...failed (next[(null)]): NT_STATUS_LOGON_FAILURE > > [2019/10/08 10:58:09.634532, 1] > > ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) > > gss_accept_sec_context failed with [ Miscellaneous failure (see text): > > Failed to find cifs/dom.corp at DOM.CORP(kvno 109) in keytab > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] > > > > before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno > > 109. > > > It looks like your kerberos ticket has expired and not been renewed, a > new one has been created instead...

Hi, you're right about kvno. kvno dc gives me: dc at DOMAIN.NET.PL: kvno = 1 I'm pretty sure I didn't change dc$ password nor keytab wasn't recreated (the file is from 2015). I've checked other DCs. It looks like two of them with CentOS 7 have kvno = 2, and one with CentOS 6 has also v 1. DCs on CentOS 7...

...happens when I try to mount a Samba3 share that should authenticate against the domain. [2012/04/23 01:58:29, 1] ../source4/auth/gensec/gensec_gssapi.c:639(gensec_gssapi_update) GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find VIE-SRV001$@VENTUM.AT(kvno 3) in keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5) [2012/04/23 01:58:29, 1] ../auth/gensec/spnego.c:574(gensec_spnego_parse_negTokenInit) SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE Indeed, klist -ke FILE:/usr/local/samba/private/secrets.keyt...

...RP You then add to the keytab > test from windows machine: > > [2019/11/05 13:14:49.108879, 1] > ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) > gss_accept_sec_context failed with [ Miscellaneous failure (see text): > Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] Then something reads the keytab in memory and cannot find the required SPN, or to put it another way, whatever is trying to find the SPN isn't reading the keytab you created above, it is reading the one in memory. I did ask just...

...4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done) ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - NT_STATUS_ACCESS_DENIED [2018/04/04 10:26:57.344688, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) /usr/sbin/rndc: rndc: neither /etc/rndc.conf nor /etc/rndc.key was found 2. KVNO mismatch - on the main DC [2018/04/03 14:36:46.822531, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit) SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE [2018/04/03 14:36:46.968728, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)...

...exactly what's going on here, to determine if this is a new bug, or an existing one. I'm worried that upgrading will make the problem "go away" but not actually be resolved. I mainly don't understand how two clients can be presenting tickets for the exact same principal (and kvno), but Samba says that one of them can't be found, but the other is acceptable. On Mon, Dec 16, 2019 at 3:46 PM Rowland penny via samba <samba at lists.samba.org> wrote: > > I have a FreeNAS server (9.10 running samba 4.3.11-GIT-UNKNOWN) that's recently > > started emitti...

...The DCs are small machines, one Rasberry Pi and one Cubietruck, which are allways on. I only have one nasty issue: every couple of days one of member servers or the Linux client sssd stops working and I have to produce a new keytab file. When doing a klist -k /etc/sssd.keytab I see that the KVNO of the newly generated keytab is incremented by one. Does anybody have a clue on how to troubleshoot this? Did I miss to copy something from the main DC to the secondary one? Any help is greatly appretiated. I did try to search, but all the references I found, exceed the level of my technical...

...or the reply Banda, most welkom. ? ? Greetz, ? Louis? ? ------------------------- ? Van: banda bassotti [mailto:bandabasotti at gmail.com] Verzonden: dinsdag 5 november 2019 17:10 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab samba-tool computer remove oldsamba? Il giorno mar 5 nov 2019 alle ore 17:04 L.P.H. van Belle <belle at bazuin.nl> ha scritto: Hai, ? Well that great you found it. ? Ah.. so you removed the entry from the DNS or ADDB?? Can?you tell what you exactly did, that might help...

...my RH to my AD domain and then used Samba to generate a Keytab and add an HTTP SPN to it: - export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab - net ads keytab CREATE - net ads keytab ADD HTTP - unset KRB5_KTNAME All this works perfectly however, at random times in the week my Squid reports that the KVNO is invalid. Users are prompted by an unsatisfiable login prompt I check in AD and notice the number has incremented. I can create a new keytab, reload Squid and everything works again. I believe Samba is updating the AD account and thus invalidating the exported keytab. Is there are way to auto-u...

...> Rowland > I updated to FreeNAS 11.1u7 which shows samba at "Version 4.7.0-GIT-ea139bffada-FreeNAS". The issue persists just as it did on the old version. Can anyone answer my questions about the in-memory keytab? How can two clients both use the same service principal name (and kvno) but one can't be found in the keytab? Thanks, Jonathon