Ns8 - migration NSDC -

Last night I migrated the last remaining ns7 machine. All went fine, except for the account provider. The situation: a working samba-dc container. LDAP auth works, but Kerberos auth does not:

GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC01$@AD.MYDOMAIN.NL(kvno 2) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)

So I went inside the samba-dc container and investigated the secrets.keytab. This file has a timestamp of the day the ns7 machine was installed in 2018:

ktutil
ktutil: rkt secrets.keytab
ktutil: l
slot KVNO Principal
1 1 HOST/nsdc-myserver@AD.MYDOMAIN.NL
2 1 HOST/nsdc-myserver.AD.MYDOMAIN.NL@AD.MYDOMAIN.NL
3 1 nsdc-myserver$@AD.MYDOMAIN.NL
4 1 HOST/nsdc-myserver@AD.MYDOMAIN.NL
5 1 HOST/nsdc-myserver.AD.MYDOMAIN.NL@AD.MYDOMAIN.NL
6 1 nsdc-myserver$@AD.MYDOMAIN.NL
7 1 HOST/nsdc-myserver@AD.MYDOMAIN.NL
8 1 HOST/nsdc-myserver.AD.MYDOMAIN.NL@AD.MYDOMAIN.NL
9 1 nsdc-myserver$@AD.MYDOMAIN.NL
10 1 HOST/nsdc-myserver@AD.MYDOMAIN.NL
11 1 HOST/nsdc-myserver.AD.MYDOMAIN.NL@AD.MYDOMAIN.NL
12 1 nsdc-myserver$@AD.MYDOMAIN.NL
13 1 HOST/nsdc-myserver@AD.MYDOMAIN.NL
14 1 HOST/nsdc-myserver.AD.MYDOMAIN.NL@AD.MYDOMAIN.NL
15 1 nsdc-myserver$@AD.MYDOMAIN.NL

It shows kvno=1. kvno is a mechanism used by samba to track password changes of computer accounts. Each new password increases the kvno, to make sure that the password change itself does not break authentication. The old password will still work for a while. The following samba bug report fits in with this problem:
samba bugzilla

Kerberos auth inside the container itself works as expected. A kinit for nsdc-myserver$@AD.MYDOMAIN.NL just works.

The problem is: how do I solve this? Changing the password of the computer account of the domain controller would create kvno 2 entries in the keytab, but this is only possible on a member server.

I finally stopped the samba-dc ns8 container, restarted the old NS7 nsdc container and restarted the ns7 services. That restored authentication for now.

My questions:

  1. How do I access the log files of the NS8 samba dc container on the local filesystem when the container is not running? I need the logs for troubleshooting.
  2. ns8 samba-dc should not look for kvno 2 but for kvno 1? Any leads or options?
  3. Is it possible to start the migration of the account provider over?

Any other possible leads or options?
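As an added illustration of the kvno comparison described above (this is not code from the post or from NethServer/Samba), the script below takes the text of a krb5 "Failed to find ... in keytab" error and a `ktutil` `l` listing, and reports whether the keytab holds that principal at the kvno the KDC is asking for. The listing and error text are constructed sample data modelled on the post; the host and realm names are placeholders.

```shell
#!/bin/sh
# Added example: compare the kvno a GSS/krb5 error demands with the kvnos
# present in a ktutil listing. Not code from the thread or from Samba.

# Constructed sample data (placeholders, not real output from a server).
SAMPLE_LISTING='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 HOST/nsdc-myserver@AD.MYDOMAIN.NL
   2    1 HOST/nsdc-myserver.AD.MYDOMAIN.NL@AD.MYDOMAIN.NL
   3    1 nsdc-myserver$@AD.MYDOMAIN.NL'

SAMPLE_ERROR='GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find nsdc-myserver$@AD.MYDOMAIN.NL(kvno 2) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)'

# Print "<principal> <kvno>" parsed from the error text; print nothing if the
# text does not carry a "Failed to find <principal>(kvno N)" fragment.
wanted_from_error() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed to find \([^ (]*\)(kvno \([0-9][0-9]*\)).*/\1 \2/p'
}

# Print every kvno the listing holds for principal $2, highest first.
# Fields: slot, KVNO, principal; the first two lines are the header and rule.
kvnos_for() {
    printf '%s\n' "$1" | awk -v p="$2" 'NR > 2 && $3 == p { print $2 }' |
        sort -rn | uniq
}

# Verdict for listing $1 against error text $2:
#   ok                     the keytab has the principal at the requested kvno
#   principal-missing      the principal is not in the keytab at all
#   kvno-mismatch have=..  the principal is there, but only at other kvnos
#   unparsed-error         the error text did not match the expected shape
diagnose() {
    listing=$1
    wanted=$(wanted_from_error "$2")
    if [ -z "$wanted" ]; then
        echo "unparsed-error"
        return 2
    fi
    principal=${wanted% *}
    kvno=${wanted##* }
    have=$(kvnos_for "$listing" "$principal" | tr '\n' ',' | sed 's/,$//')
    if [ -z "$have" ]; then
        echo "principal-missing"
        return 1
    fi
    case ",$have," in
        *",$kvno,"*) echo "ok"; return 0 ;;
        *) echo "kvno-mismatch have=$have"; return 1 ;;
    esac
}

# When run directly, show the verdict for the constructed sample.
verdict=$(diagnose "$SAMPLE_LISTING" "$SAMPLE_ERROR") || :
echo "$verdict"
```

On a real system the listing comes from `ktutil` (`rkt /path/to/secrets.keytab` followed by `l`) and the error text from the log; a `kvno-mismatch` verdict means the KDC has rotated the account password past what the keytab file knows, while `principal-missing` points at a name mismatch rather than a password change.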

Did you change the DNS to point to the NS8 for AD domain queries? Did you follow the steps in NethServer 7 migration — NS8 documentation?

The logs are stored in the loki instance so it should be possible to get the logs using the Logs page or journalctl on CLI.

To access the log files in the filesystem you may use podman cp, see also How to fetch files from an exited container? - Red Hat Customer Portal

Yes, you can find more information here: nethserver-ns8-migration — NethServer 7 documentation