gpupdate - Failed to find DC1 in keytab

gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
Can someone help me with samba4 with internal DNS? Something strange is
showing in log.smbd when computers are doing gpupdate (because of this
error computers can't apply GPO).

log.smbd on DC1:

[2017/01/13 13:49:16.075361,  1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update)
      GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC1$EXAMPLE.ORG(kvno 7) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
    [2017/01/13 13:49:16.075405,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
      SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE


klist on secrets.keytab:

Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/[hidden email] (des-cbc-crc)
   1 HOST/[hidden email] (des-cbc-crc)
   1 DC1$@EXAMPLE.ORG (des-cbc-crc)
   1 HOST/[hidden email] (des-cbc-md5)
   1 HOST/[hidden email] (des-cbc-md5)
   1 DC1$@EXAMPLE.ORG (des-cbc-md5)
   1 HOST/[hidden email] (arcfour-hmac)
   1 HOST/[hidden email] (arcfour-hmac)
   1 DC1$@EXAMPLE.ORG (arcfour-hmac)
   1 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
   1 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
   1 DC1$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   1 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
   1 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
   1 DC1$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)


Samba version: Version 4.3.11-Ubuntu with internal DNS

DC1 - has correct DNS configuration

ping dc1 from computers - resolves to dc1 IP

Domain computers can connect to the domain with no problems and have correct
DNS (dc1 IP)

samba-tool ntacl sysvolreset - not resolving problem

Tried to generate secrets.keytab but still no results

(https://wiki.samba.org/index.php/Keytab_Extraction)

Tried samba-tool user setpassword dc1$ (password dumped from tdbdump
secrets.tdb) - not resolving problem.

What should I check to resolve this error?

Please any suggestions,


Regards
Lukasz
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
any ideas? please, I got stuck and have no idea what else I can do


Regards

Łukasz Sellmann

2017-02-01 17:50 GMT+01:00 Łukasz Sellmann <[hidden email]>:

> Can someone help me with samba4 with internal DNS? Something strange is
> showing in log.smbd when computers are doing gpupdate (because of this
> error computers can't apply GPO).
>
> log.smbd on DC1:
>
> [2017/01/13 13:49:16.075361,  1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update)
>       GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC1$EXAMPLE.ORG(kvno 7) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
>     [2017/01/13 13:49:16.075405,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>       SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>
>
> klist on secrets.keytab:
>
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HOST/[hidden email] (des-cbc-crc)
>    1 HOST/[hidden email] (des-cbc-crc)
>    1 DC1$@EXAMPLE.ORG (des-cbc-crc)
>    1 HOST/[hidden email] (des-cbc-md5)
>    1 HOST/[hidden email] (des-cbc-md5)
>    1 DC1$@EXAMPLE.ORG (des-cbc-md5)
>    1 HOST/[hidden email] (arcfour-hmac)
>    1 HOST/[hidden email] (arcfour-hmac)
>    1 DC1$@EXAMPLE.ORG (arcfour-hmac)
>    1 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
>    1 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
>    1 DC1$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
>    1 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
>    1 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
>    1 DC1$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
>
>
> Samba version: Version 4.3.11-Ubuntu with internal DNS
>
> DC1 - has correct DNS configuration
>
> ping dc1 from computers - resolves to dc1 IP
>
> Domain computers can connect to the domain with no problems and have
> correct DNS (dc1 IP)
>
> samba-tool ntacl sysvolreset - not resolving problem
>
> Tried to generate secrets.keytab but still no results
>
> (https://wiki.samba.org/index.php/Keytab_Extraction)
>
> Tried samba-tool user setpassword dc1$ (password dumped from tdbdump
> secrets.tdb) - not resolving problem.
>
> What should I check to resolve this error?
>
> Please any suggestions,
>
>
> Regards
> Lukasz
>

Re: gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
On Fri, 3 Feb 2017 16:00:45 +0100
Łukasz Sellmann via samba <[hidden email]> wrote:

> any ideas? please, I got stuck and have no idea what else I can do
>
>
> Regards
>
> Łukasz Sellmann
>
> 2017-02-01 17:50 GMT+01:00 Łukasz Sellmann <[hidden email]>:
>
> > Can someone help me with samba4 with internal DNS? Something strange is
> > showing in log.smbd when computers are doing gpupdate (because of
> > this error computers can't apply GPO).
> >
> > log.smbd on DC1:
> >
> > [2017/01/13 13:49:16.075361,  1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update)
> >       GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC1$EXAMPLE.ORG(kvno 7) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> >     [2017/01/13 13:49:16.075405,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
> >       SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> >
> >
> > klist on secrets.keytab:
> >
> > Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    1 HOST/[hidden email] (des-cbc-crc)
> >    1 HOST/[hidden email] (des-cbc-crc)
> >    1 DC1$@EXAMPLE.ORG (des-cbc-crc)
> >    1 HOST/[hidden email] (des-cbc-md5)
> >    1 HOST/[hidden email] (des-cbc-md5)
> >    1 DC1$@EXAMPLE.ORG (des-cbc-md5)
> >    1 HOST/[hidden email] (arcfour-hmac)
> >    1 HOST/[hidden email] (arcfour-hmac)
> >    1 DC1$@EXAMPLE.ORG (arcfour-hmac)
> >    1 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
> >    1 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
> >    1 DC1$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
> >    1 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
> >    1 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
> >    1 DC1$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
> >
> >
> > Samba version: Version 4.3.11-Ubuntu with internal DNS
> >
> > DC1 - has correct DNS configuration
> >
> > ping dc1 from computers - resolves to dc1 IP
> >
> > Domain computers can connect to the domain with no problems and have
> > correct DNS (dc1 IP)
> >
> > samba-tool ntacl sysvolreset - not resolving problem
> >
> > Tried to generate secrets.keytab but still no results
> >
> > (https://wiki.samba.org/index.php/Keytab_Extraction)
> >
> > Tried samba-tool user setpassword dc1$ (password dumped from
> > tdbdump secrets.tdb) - not resolving problem.
> >
> > What should I check to resolve this error?
> >
> > Please any suggestions,
> >
> >
> > Regards
> > Lukasz
> >

Have you checked permissions on the keytab?

Rowland


Re: gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
yes, permissions are set as default by the apt package installer

> ls -al
> -rw------- 1 root root    1082 sty 13 23:25 secrets.keytab

the samba and smbd daemons run as the root user

> > log.smbd on DC1:
> >
> > [2017/01/13 13:49:16.075361,  1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update)
> >       GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC1$EXAMPLE.ORG(kvno 7) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> >     [2017/01/13 13:49:16.075405,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
> >       SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> >
> >
> > klist on secrets.keytab:
> >
> > Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    1 HOST/[hidden email] (des-cbc-crc)
> >    1 HOST/[hidden email] (des-cbc-crc)
> >    1 DC1$@EXAMPLE.ORG (des-cbc-crc)
> >    1 HOST/[hidden email] (des-cbc-md5)
> >    1 HOST/[hidden email] (des-cbc-md5)
> >    1 DC1$@EXAMPLE.ORG (des-cbc-md5)
> >    1 HOST/[hidden email] (arcfour-hmac)
> >    1 HOST/[hidden email] (arcfour-hmac)
> >    1 DC1$@EXAMPLE.ORG (arcfour-hmac)
> >    1 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
> >    1 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
> >    1 DC1$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
> >    1 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
> >    1 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
> >    1 DC1$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
> >
> >
> > Samba version: Version 4.3.11-Ubuntu with internal DNS
> >
> > DC1 - has correct DNS configuration
> >
> > ping dc1 from computers - resolves to dc1 IP
> >
> > Domain computers can connect to the domain with no problems and have
> > correct DNS (dc1 IP)
> >
> > samba-tool ntacl sysvolreset - not resolving problem
> >
> > Tried to generate secrets.keytab but still no results
> >
> > (https://wiki.samba.org/index.php/Keytab_Extraction)
> >
> > Tried samba-tool user setpassword dc1$ (password dumped from
> > tdbdump secrets.tdb) - not resolving problem.


> Have you checked permissions on the keytab?
>
> Rowland

Re: gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
On Fri, 3 Feb 2017 16:55:20 +0100
Łukasz Sellmann via samba <[hidden email]> wrote:

> yes, permissions are set as default by the apt package installer
>
> > ls -al
> > -rw------- 1 root root    1082 sty 13 23:25 secrets.keytab
>
> the samba and smbd daemons run as the root user
>

Can you post the smb.conf, /etc/hosts, /etc/hostname, /etc/resolv.conf
and /etc/krb5.conf?
Can you also give us the hostname and IP address of the DC?

Rowland


Re: gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
*/etc/samba/smb.conf *

# Global parameters
[global]

        workgroup = GSBK
        realm = biuro.gsbk.pl
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 192.168.0.1

        ldap server require strong auth = no
        allow dns updates = nonsecure and secure
        require strong key = no

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        unix extensions = no

        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        idmap_ldb:use rfc2307 = yes


[netlogon]
        path = /var/lib/samba/sysvol/biuro.gsbk.pl/scripts
        read only = no
        browseable = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = no
        browseable = no

*/etc/krb5.conf*

[libdefaults]
        default_realm = BIURO.GSBK.PL
        dns_lookup_realm = false
        dns_lookup_kdc = true


*/etc/hosts*

192.168.0.3     DC1
127.0.0.1       localhost
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

*/etc/hostname*

DC1

*/etc/resolv.conf*

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.3
search biuro.gsbk.pl


DC1 is the main DC




Regards

Łukasz Sellmann

2017-02-03 17:15 GMT+01:00 Rowland Penny via samba <[hidden email]>:

> On Fri, 3 Feb 2017 16:55:20 +0100
> Łukasz Sellmann via samba <[hidden email]> wrote:
>
> > yes, permissions are set as default by the apt package installer
> >
> > > ls -al
> > > -rw------- 1 root root    1082 sty 13 23:25 secrets.keytab
> >
> > the samba and smbd daemons run as the root user
> >
>
> Can you post the smb.conf, /etc/hosts, /etc/hostname, /etc/resolv.conf
> and /etc/krb5.conf?
> Can you also give us the hostname and IP address of the DC?
>
> Rowland
>

Re: gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
On Fri, 3 Feb 2017 17:39:17 +0100
Łukasz Sellmann via samba <[hidden email]> wrote:

> */etc/samba/smb.conf *
>
> # Global parameters
> [global]
>
>         workgroup = GSBK
>         realm = biuro.gsbk.pl
>         netbios name = DC1
>         server role = active directory domain controller
>         dns forwarder = 192.168.0.1
>
>         ldap server require strong auth = no
>         allow dns updates = nonsecure and secure
>         require strong key = no
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         unix extensions = no
>         winbind nss info = rfc2307

OK, just who is it that is telling people to add the above five lines to
a DC smb.conf ???

Whoever it is, will they please stop doing it, or to put it another way:

Remove those lines, they should only be in a Unix domain member smb.conf

>         winbind enum users = yes
>         winbind enum groups = yes
>         idmap_ldb:use rfc2307 = yes
>
>
> [netlogon]
>         path = /var/lib/samba/sysvol/biuro.gsbk.pl/scripts
>         read only = no
>         browseable = no
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = no
>         browseable = no


Again, remove the browseable lines, there is no browsing on a Samba AD
DC.

> */etc/krb5.conf*
>
> [libdefaults]
>         default_realm = BIURO.GSBK.PL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
>
> */etc/hosts*
>
> 192.168.0.3     DC1
> 127.0.0.1       localhost
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>

The 192.168.0.3 line should be:
192.168.0.3 dc1.biuro.gsbk.pl dc1

Provided, of course, that DC1 has a fixed IP and it should have a fixed
IP

> */etc/hostname*
>
> DC1
>
> */etc/resolv.conf*
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.0.3
> search biuro.gsbk.pl
>

I personally would remove resolvconf, it is totally unneeded on a
machine with a fixed IP
 
Rowland



Re: gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
thanks for your advice, especially about the global parameters

> # Global parameters
> [global]
>
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         unix extensions = no
>         winbind nss info = rfc2307

When I removed the parameter vfs objects = acl_xattr and then restarted samba,
everything started to work properly.
Yes, it's my bad; the samba wiki says:
"
On a Samba Active Directory (AD) domain controller (DC), extended ACL
support is automatically enabled globally. You must not enable the support
manually.
"

Now computers can perform gpupdate correctly.

But I can't understand why this parameter caused an error of this type:

log.smbd on DC1:

[2017/01/13 13:49:16.075361,  1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update)
      GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC1$EXAMPLE.ORG(kvno 7) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
    [2017/01/13 13:49:16.075405,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
      SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE



Thanks a lot

Regards

Łukasz Sellmann

2017-02-03 17:58 GMT+01:00 Rowland Penny via samba <[hidden email]>:

> On Fri, 3 Feb 2017 17:39:17 +0100
> Łukasz Sellmann via samba <[hidden email]> wrote:
>
> > */etc/samba/smb.conf *
> >
> > # Global parameters
> > [global]
> >
> >         workgroup = GSBK
> >         realm = biuro.gsbk.pl
> >         netbios name = DC1
> >         server role = active directory domain controller
> >         dns forwarder = 192.168.0.1
> >
> >         ldap server require strong auth = no
> >         allow dns updates = nonsecure and secure
> >         require strong key = no
> >
> >         vfs objects = acl_xattr
> >         map acl inherit = yes
> >         store dos attributes = yes
> >         unix extensions = no
> >         winbind nss info = rfc2307
>
> OK, just who is it that is telling people to add the above five lines to
> a DC smb.conf ???
>
> Whoever it is, will they please stop doing it, or to put it another way:
>
> Remove those lines, they should only be in a Unix domain member smb.conf
>
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         idmap_ldb:use rfc2307 = yes
> >
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/biuro.gsbk.pl/scripts
> >         read only = no
> >         browseable = no
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = no
> >         browseable = no
>
>
> Again, remove the browseable lines, there is no browsing on a Samba AD
> DC.
>
> > */etc/krb5.conf*
> >
> > [libdefaults]
> >         default_realm = BIURO.GSBK.PL
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> >
> > */etc/hosts*
> >
> > 192.168.0.3     DC1
> > 127.0.0.1       localhost
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
>
> The 192.168.0.3 line should be:
> 192.168.0.3     dc1.biuro.gsbk.pl dc1
>
> Provided, of course, that DC1 has a fixed IP and it should have a fixed
> IP
>
> > */etc/hostname*
> >
> > DC1
> >
> > */etc/resolv.conf*
> >
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > nameserver 192.168.0.3
> > search biuro.gsbk.pl
> >
>
> I personally would remove resolvconf, it is totally unneeded on a
> machine with a fixed IP
>
> Rowland
>
>

Re: gpupdate - Failed to find DC1 in keytab

Samba - General mailing list
On Wed, 15 Feb 2017 15:26:55 +0100
Łukasz Sellmann via samba <[hidden email]> wrote:

>
> But I can't understand why this parameter caused an error of this
> type:
>

Because 'acl_xattr' is built into Samba when used as a DC, so the code
probably gets confused when it is used again via the 'vfs'

Rowland
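
The advice in this thread (drop the domain-member-only parameters and the browseable lines from a DC smb.conf, and map the DC's fixed IP to its FQDN in /etc/hosts) can be checked mechanically before the next gpupdate failure. The POSIX shell script below is an added example, not code from the thread or from the Samba project; the files it writes are temporary and their contents are constructed from the configuration Łukasz posted.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): lint an AD DC's
# smb.conf and /etc/hosts for the misconfigurations discussed above.

# Print any domain-member-only parameters found in an AD DC smb.conf.
# Returns 0 when the file is clean (or is not an AD DC), 1 when hits are found.
check_dc_smbconf() {
    conf="$1"
    # Only an AD DC is subject to this rule; a Unix domain member may keep them.
    grep -Eiq '^[[:space:]]*server role[[:space:]]*=[[:space:]]*active directory domain controller' "$conf" || return 0
    # The five lines Rowland objects to, plus browseable (no browsing on a DC).
    hits=$(grep -Ei '^[[:space:]]*(vfs objects|map acl inherit|store dos attributes|unix extensions|winbind nss info|browseable)[[:space:]]*=' "$conf" | sed 's/^[[:space:]]*//')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Check that /etc/hosts maps the DC's fixed IP to "FQDN shortname".
# Returns 0 when such a line exists, 1 otherwise.
check_dc_hosts() {
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        $1 == ip && tolower($2) == tolower(fqdn) && (NF == 2 || tolower($3) == tolower(short)) { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# Demo on constructed copies of the posted files (temporary, hypothetical paths).
demo_dir=$(mktemp -d)
printf '%s\n' '[global]' '        workgroup = GSBK' '        realm = biuro.gsbk.pl' \
    '        server role = active directory domain controller' \
    '        vfs objects = acl_xattr' '        map acl inherit = yes' \
    '[sysvol]' '        path = /var/lib/samba/sysvol' '        browseable = no' \
    > "$demo_dir/smb.conf"
printf '%s\n' '192.168.0.3     DC1' '127.0.0.1       localhost' > "$demo_dir/hosts"
if check_dc_smbconf "$demo_dir/smb.conf"; then
    echo "smb.conf: clean"
else
    echo "smb.conf: remove the lines above from a DC configuration"
fi
if check_dc_hosts "$demo_dir/hosts" 192.168.0.3 dc1.biuro.gsbk.pl dc1; then
    echo "hosts: ok"
else
    echo "hosts: expected '192.168.0.3 dc1.biuro.gsbk.pl dc1'"
fi
rm -rf "$demo_dir"
```

Run it against a real DC as `check_dc_smbconf /etc/samba/smb.conf` and `check_dc_hosts /etc/hosts <ip> <fqdn> <shortname>` after sourcing the functions; on the posted configuration it reports the three offending lines and the missing FQDN mapping.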
 
