Univention Bugzilla – Bug 23569
Wrong keytab
Last modified: 2023-03-25 06:42:06 CET
With the current DVD, a Windows 7 system cannot be joined to the domain. From the Samba log file at the time of the join:

[2011/09/09 08:12:08, 1] ../source4/auth/gensec/gensec_gssapi.c:614(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find MASTER52$@DEADLOCK52.LOCAL(kvno 1) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)

root@master52:~# ls -la /etc/krb5.keytab*
-rw------- 1 root nogroup 1068 9. Sep 01:00 /etc/krb5.keytab
root@master52:~# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                        Aliases
  2  aes256-cts-hmac-sha1-96  host/master52.deadlock52.local@DEADLOCK52.LOCAL
  2  aes128-cts-hmac-sha1-96  host/master52.deadlock52.local@DEADLOCK52.LOCAL
  2  des3-cbc-sha1            host/master52.deadlock52.local@DEADLOCK52.LOCAL
  2  des3-cbc-md5             host/master52.deadlock52.local@DEADLOCK52.LOCAL
  2  arcfour-hmac-md5         host/master52.deadlock52.local@DEADLOCK52.LOCAL
  2  des-cbc-md5              host/master52.deadlock52.local@DEADLOCK52.LOCAL
  2  des-cbc-md4              host/master52.deadlock52.local@DEADLOCK52.LOCAL
  2  des-cbc-crc              host/master52.deadlock52.local@DEADLOCK52.LOCAL
  1  aes256-cts-hmac-sha1-96  ldap/master52.deadlock52.local@DEADLOCK52.LOCAL
  1  des3-cbc-sha1            ldap/master52.deadlock52.local@DEADLOCK52.LOCAL
  1  arcfour-hmac-md5         ldap/master52.deadlock52.local@DEADLOCK52.LOCAL

It looks as if the UCS keytab was used. In the S4 LDAP the information is set accordingly, so that S4 should take care of it:

root@master52:~# ldbsearch -H /var/lib/samba/private/secrets.ldb flatname=$windows_domain krb5Keytab -d0
# record 1
dn: flatname=DEADLOCK52,cn=Primary Domains
krb5Keytab: /etc/krb5.keytab
Unfortunately, exporting the keytab does not work:

root@master52:~# samba-tool export keytab /etc/krb5.keytab
ERROR(runtime): uncaught exception - Unknown code hdb 3
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 135, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/export.py", line 48, in run
    net.export_keytab(keytab=keytab)

After I moved the m-key file, it worked:

mv /var/lib/heimdal-kdc/m-key /var/lib/heimdal-kdc/m-keyX
root@master52:~# samba-tool export keytab /etc/krb5.keytab
root@master52:~# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                       Aliases
  1  arcfour-hmac-md5         MASTER52$@DEADLOCK52.LOCAL
  1  aes256-cts-hmac-sha1-96  MASTER52$@DEADLOCK52.LOCAL
  1  aes128-cts-hmac-sha1-96  MASTER52$@DEADLOCK52.LOCAL
  1  des-cbc-md5              MASTER52$@DEADLOCK52.LOCAL
  1  des-cbc-crc              MASTER52$@DEADLOCK52.LOCAL
  2  arcfour-hmac-md5         Administrator@DEADLOCK52.LOCAL
  2  aes256-cts-hmac-sha1-96  Administrator@DEADLOCK52.LOCAL
  2  aes128-cts-hmac-sha1-96  Administrator@DEADLOCK52.LOCAL
  2  des-cbc-md5              Administrator@DEADLOCK52.LOCAL
  2  des-cbc-crc              Administrator@DEADLOCK52.LOCAL
  2  arcfour-hmac-md5         dns-master52@DEADLOCK52.LOCAL
  2  aes256-cts-hmac-sha1-96  dns-master52@DEADLOCK52.LOCAL
  2  aes128-cts-hmac-sha1-96  dns-master52@DEADLOCK52.LOCAL
  2  des-cbc-md5              dns-master52@DEADLOCK52.LOCAL
  2  des-cbc-crc              dns-master52@DEADLOCK52.LOCAL
  1  arcfour-hmac-md5         join-backup@DEADLOCK52.LOCAL
  1  aes256-cts-hmac-sha1-96  join-backup@DEADLOCK52.LOCAL
  1  aes128-cts-hmac-sha1-96  join-backup@DEADLOCK52.LOCAL
  1  des-cbc-md5              join-backup@DEADLOCK52.LOCAL
  1  des-cbc-crc              join-backup@DEADLOCK52.LOCAL
  1  arcfour-hmac-md5         join-slave@DEADLOCK52.LOCAL
  1  aes256-cts-hmac-sha1-96  join-slave@DEADLOCK52.LOCAL
  1  aes128-cts-hmac-sha1-96  join-slave@DEADLOCK52.LOCAL
  1  des-cbc-md5              join-slave@DEADLOCK52.LOCAL
  1  des-cbc-crc              join-slave@DEADLOCK52.LOCAL
  1  arcfour-hmac-md5         ucs-s4sync@DEADLOCK52.LOCAL
  1  aes256-cts-hmac-sha1-96  ucs-s4sync@DEADLOCK52.LOCAL
  1  aes128-cts-hmac-sha1-96  ucs-s4sync@DEADLOCK52.LOCAL
  1  des-cbc-md5              ucs-s4sync@DEADLOCK52.LOCAL
  1  des-cbc-crc              ucs-s4sync@DEADLOCK52.LOCAL
  2  arcfour-hmac-md5         krbtgt@DEADLOCK52.LOCAL
  2  aes256-cts-hmac-sha1-96  krbtgt@DEADLOCK52.LOCAL
  2  aes128-cts-hmac-sha1-96  krbtgt@DEADLOCK52.LOCAL
  2  des-cbc-md5              krbtgt@DEADLOCK52.LOCAL
  2  des-cbc-crc              krbtgt@DEADLOCK52.LOCAL
  1  arcfour-hmac-md5         Guest@DEADLOCK52.LOCAL
  1  aes256-cts-hmac-sha1-96  Guest@DEADLOCK52.LOCAL
  1  aes128-cts-hmac-sha1-96  Guest@DEADLOCK52.LOCAL
  1  des-cbc-md5              Guest@DEADLOCK52.LOCAL
  1  des-cbc-crc              Guest@DEADLOCK52.LOCAL
root@master52:~#
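
The comparison made by hand in the two comments above (which principal, kvno and enctype the Samba log asks for versus what `ktutil list` shows), as an added example that is not part of the original bug report or of Samba/UCS. The function names and result labels are hypothetical, and the sample inputs are constructed by abridging the output quoted in this report.

```python
import re

# Constructed samples, abridged from the log line and ktutil output in this report.
LOG_LINE = ("GSS server Update(krb5)(1) Update failed: Miscellaneous failure "
            "(see text): Failed to find MASTER52$@DEADLOCK52.LOCAL(kvno 1) in "
            "keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)")
KTUTIL_BEFORE = """FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                        Aliases
  2  aes256-cts-hmac-sha1-96  host/master52.deadlock52.local@DEADLOCK52.LOCAL
  1  aes256-cts-hmac-sha1-96  ldap/master52.deadlock52.local@DEADLOCK52.LOCAL
"""
KTUTIL_AFTER = """FILE:/etc/krb5.keytab:

Vno  Type                     Principal                       Aliases
  1  arcfour-hmac-md5         MASTER52$@DEADLOCK52.LOCAL
  1  aes256-cts-hmac-sha1-96  MASTER52$@DEADLOCK52.LOCAL
"""

MISSING_RE = re.compile(r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\)"
                        r" in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")  # Vno, Type, Principal

def wanted_key(log_line):
    """Return (principal, kvno, enctype) requested in a gensec_gssapi error, or None."""
    m = MISSING_RE.search(log_line)
    return (m["principal"], int(m["kvno"]), m["enctype"]) if m else None

def keytab_entries(listing):
    """Parse `ktutil list` text into a set of (principal, kvno, enctype) tuples."""
    entries = set()
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)  # header and FILE: lines do not start with a number
        if m:
            entries.add((m.group(3), int(m.group(1)), m.group(2)))
    return entries

def diagnose(log_line, listing):
    """Classify why the key named in the log line is or is not usable."""
    wanted = wanted_key(log_line)
    if wanted is None:
        return "no-keytab-error"
    entries = keytab_entries(listing)
    if wanted in entries:
        return "present"
    same_principal = [e for e in entries if e[0] == wanted[0]]
    if not same_principal:
        return "principal-missing"   # the case in the first comment
    if all(e[1] != wanted[1] for e in same_principal):
        return "kvno-mismatch"
    return "enctype-missing"
```
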
*** This bug has been marked as a duplicate of bug 22600 ***
No longer occurred; verified per Bug 22600.