Problem: univention-s4search and samba-tool drs showrepl show error messages

Tags: kerberos, samba4, keytab


Problem:

After a successful server-password-change you still get error messages from univention-s4search and samba-tool like these:

root@server:/etc/samba# samba-tool drs showrepl
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.200.43.10[1024,seal,target_hostname=server.schein.ig,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.200.43.10] NT_STATUS_UNSUCCESSFUL
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to server.schein.ig failed - drsException: DRS connection to server.schein.ig failed: (-1073741823, 'Undetermined error')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

and

univention-s4search cn=Administrator
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldaps://server.schein.ig' with backend 'ldaps': (null)
Failed to connect to ldaps://server.schein.ig - (null)

but kinit server$ with /etc/machine.secret works.

Solution:

Check whether the krb5.keytab is corrupt:
ktutil -k /etc/krb5.keytab list

Check the msDS-KeyVersionNumber in secrets.ldb and sam.ldb for the server account:

ldbsearch -H /var/lib/samba/private/secrets.ldb 'samAccountName=server$' secret msDS-KeyVersionNumber | ldapsearch-wrapper
ldbsearch -H /var/lib/samba/private/sam.ldb 'samAccountName=server$' secret msDS-KeyVersionNumber | ldapsearch-wrapper

If the two msDS-KeyVersionNumber values differ, set the msDS-KeyVersionNumber in secrets.ldb to the value from sam.ldb.
Samba automatically increases the value in sam.ldb by one each time the password hashes are changed, so whenever you change the password in secrets.ldb you must also increase the stored msDS-KeyVersionNumber in the same step:
ldbedit -H /var/lib/samba/private/secrets.ldb 'samAccountName=server$'
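The comparison described above as a small POSIX shell script; this is an added example, not part of the article or of Samba/Univention, and the two ldbsearch outputs it parses are constructed stand-ins (including a folded dn line, which is why the article pipes through ldapsearch-wrapper):

```shell
#!/bin/sh
# Added example, not part of the Univention article: compare the
# msDS-KeyVersionNumber that secrets.ldb and sam.ldb hold for the
# server account and, on a mismatch, print the ldbmodify LDIF that
# aligns secrets.ldb with sam.ldb. Sample ldbsearch output is
# constructed below so the script runs without Samba databases.

# Join LDIF continuation lines (leading space) the way
# ldapsearch-wrapper does, so folded values are read whole.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR) print buf }'
}

# Print the first value of attribute $1 from LDIF on stdin.
attr_of() {
    unfold_ldif | awk -v a="$1" -F': ' '$1 == a { print $2; exit }'
}

# "ok" when both key version numbers match, "mismatch" otherwise.
compare_kvno() {
    [ "$1" = "$2" ] && echo ok || echo mismatch
}

# LDIF for `ldbmodify -H /var/lib/samba/private/secrets.ldb` that sets
# the record at dn $1 to key version $2 (the value taken from sam.ldb).
align_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: msDS-KeyVersionNumber\nmsDS-KeyVersionNumber: %s\n-\n' "$1" "$2"
}

# Constructed stand-ins for the output of
#   ldbsearch -H /var/lib/samba/private/secrets.ldb 'samAccountName=server$' msDS-KeyVersionNumber
#   ldbsearch -H /var/lib/samba/private/sam.ldb     'samAccountName=server$' msDS-KeyVersionNumber
SECRETS_OUT='dn: flatname=EXAMPLE,cn=Primary Domains
samAccountName: server$
msDS-KeyVersionNumber: 4
'
SAM_OUT='dn: CN=SERVER,OU=Domain Controllers,DC=example,
 DC=test
samAccountName: server$
msDS-KeyVersionNumber: 5
'

secrets_kvno=$(printf '%s' "$SECRETS_OUT" | attr_of msDS-KeyVersionNumber)
sam_kvno=$(printf '%s' "$SAM_OUT" | attr_of msDS-KeyVersionNumber)
if [ "$(compare_kvno "$secrets_kvno" "$sam_kvno")" = mismatch ]; then
    align_ldif "$(printf '%s' "$SECRETS_OUT" | attr_of dn)" "$sam_kvno"
fi
```

On a real DC, replace the constructed variables with the output of the two ldbsearch commands; the printed LDIF is an alternative to the interactive ldbedit step and still has to be applied in the same step as the password change.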