[Samba] machine password change timeout (was: Re: Old, reliable samba 3.5 and Active directory suddenly not reliable)

Andrew Bartlett abartlet at samba.org
Tue Oct 23 18:35:33 MDT 2012


On Tue, 2012-10-23 at 11:14 -0400, Robert M. Martel - CSU wrote:
> 
> On 10/22/2012 05:10 PM, Andrew Bartlett wrote:
> > On Mon, 2012-10-22 at 14:51 -0400, Robert M. Martel - CSU wrote:
> 
> >> [2012/10/22 14:23:07.353280,  0] libads/kerberos.c:333(ads_kinit_password)
> >>     kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
> >> credentials have been revoked
> >> Join to domain is not valid: Access denied
> >>
> >>
> >> The Active Directory admins are still saying that they have not changed
> >> anything on their side.
> >
> > It seems unlikely if you just re-joined, but in case we are talking
> > about multiple machines, could the password have been expired?
> 
> The problem existed for multiple machines.
> 
> After Brian Campbell's note I double-checked the clock-sync on the 
> servers and found it to be okay.
> 
> The Active Directory (AD) admins that "did not change anything" finally 
> reported having some vague problem with their domain server replication 
> that only seemed to affect *my* Samba servers (I may be the only person on 
> campus running Samba servers that are members of the university's Active 
> Directory system.)
> 
> There was some more hand waving, reports of trying to get some support 
> out of Microsoft, and finally a mention that *someone* had been making 
> some changes to AD config in preparation for moving from Lotus Notes 
> Email to MS Exchange.
> 
> The AD admins then "did something else" and now the problem no longer 
> exists.  I am still trying to get some real information as to what happened.
> 
> If I (ever) find out I will note it here.  I always hate seeing problem 
> reports in Email archives that never talk about resolution.
> 
> Thank you!
> 
> At least I got my Samba versions less out of date.  Have to see if 
> building 3.6 is as much of a pain on Solaris as 3.5 has been.

This might be password change replication.

We recently (fixed in latest 3.6) introduced a change to the timeout
applied when we change our machine account password.  In short, when we
contacted AD, we would time out after 30 seconds, but it can take longer
than that for AD to change a machine account password, because (using
replication, the clue from the above) it must forward the change to the
PDC emulator before returning.  

On the then broken connection the password is successfully changed but
the 'OK' is lost, so we still use the old pw (considering it a failure).
This then breaks the domain trust, quite possibly in the way you
describe.

Andrew Bartlett 

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
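The failure mode Andrew describes above (DC commits the new machine password, forwards it to the PDC emulator, and the member server gives up waiting before the 'OK' arrives) is easy to get wrong in any client that rotates a credential over an unreliable channel. The following is an added example, not Samba code and not the fix that went into 3.6: a small simulation with a model DC and a model domain member, using simulated time instead of real sleeps. The account name comes from the log in the thread; the 30-second client timeout and the 45-second forwarding delay, the hash function and the storage layout are all assumptions made for the simulation.

```python
"""Added example (not Samba code): how a short client timeout on a
machine-account password change can leave the member server holding a
password the domain no longer accepts.

Model of the message above: the DC commits the new password first, then
forwards it to the PDC emulator before replying.  If the reply arrives
after the member server's timeout, the client treats the change as
failed and keeps the OLD password, so every later authentication fails.
Delays are simulated numbers of seconds; nothing actually sleeps.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


def _stored_form(password: str) -> str:
    # Stand-in for the credential the DC stores; the algorithm is not the point.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


@dataclass
class DomainController:
    """Writable DC that forwards password changes to the PDC emulator."""
    accounts: dict = field(default_factory=dict)
    pdc_forward_delay: float = 45.0   # assumed seconds before the reply goes out

    def enroll(self, account: str, password: str) -> None:
        self.accounts[account] = _stored_form(password)

    def authenticate(self, account: str, password: str) -> bool:
        return self.accounts.get(account) == _stored_form(password)

    def change_password(self, account: str, old: str, new: str) -> float:
        """Commit the change; return the delay until the 'OK' reaches the caller."""
        if not self.authenticate(account, old):
            raise PermissionError("old machine password rejected")
        self.accounts[account] = _stored_form(new)   # committed immediately ...
        return self.pdc_forward_delay                # ... but the reply waits


@dataclass
class MemberServer:
    """Domain member holding its machine password (stand-in for secrets.tdb)."""
    account: str
    machine_password: str
    timeout: float = 30.0   # the old client-side timeout described in the thread

    def rotate_password(self, dc: DomainController) -> bool:
        new = secrets.token_urlsafe(24)
        delay = dc.change_password(self.account, self.machine_password, new)
        if delay > self.timeout:
            # The 'OK' is never seen: the change is treated as a failure and the
            # old password is kept, even though the DC has already switched.
            return False
        self.machine_password = new
        return True


def run_rotation(timeout: float, forward_delay: float) -> tuple[bool, bool]:
    """Return (client_saw_success, member_still_authenticates_to_dc)."""
    dc = DomainController(pdc_forward_delay=forward_delay)
    member = MemberServer("WEBDEVEL$", "initial-join-password", timeout=timeout)
    dc.enroll(member.account, member.machine_password)
    seen_ok = member.rotate_password(dc)
    return seen_ok, dc.authenticate(member.account, member.machine_password)


if __name__ == "__main__":
    # Old behaviour: 30 s timeout, 45 s forwarding delay -> trust broken.
    print("timeout 30 / delay 45:", run_rotation(30.0, 45.0))
    # Longer timeout, same slow DC -> change is acknowledged and recorded.
    print("timeout 120 / delay 45:", run_rotation(120.0, 45.0))
    # Fast DC under the old timeout -> no problem either.
    print("timeout 30 / delay 10:", run_rotation(30.0, 10.0))
```

The second element of the tuple is the one that matters operationally: in the first case the client reports a failed rotation and keeps the old password, yet the DC already rejects it, which is exactly the "credentials have been revoked" / "Access denied" symptom at the top of the thread. The general lesson is that a timeout on a non-idempotent request is an unknown outcome, not a failure, so a client must either wait long enough for the server's slowest path (the approach the thread describes for 3.6) or be prepared to probe which of the two passwords the server now holds.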