[Samba] Machine passwords refresh (sometimes not happening)
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Wed Sep 20 15:12:52 UTC 2023
Hi,
for a couple of days I've been having problems with machine passwords
apparently not being refreshed on some domain members (which then blocks
SSH login). I'm seeing this in the logs:
  Sep 20 16:09:06 s0-l00 winbindd[4003715]: [2023/09/20 16:09:06.962774, 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
  Sep 20 16:09:06 s0-l00 winbindd[4003715]: kerberos_kinit_password S0-L00$@MY.DOMAIN failed: Preauthentication failed
I searched this list for this topic and read about these config options:
  winbind refresh tickets = Yes
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
These config options are NOT mentioned on
https://wiki.samba.org/index.php/Joining_a_Linux_or_Unix_Host_to_a_Domain,
so I do NOT use them and didn't have a problem in the past.
These config options ARE mentioned on
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting.
So what should I do here?
Why am I suddenly having problems?
Time synchronization with domain controllers is OK.
Samba is 4.17.10
thx
Matthias
/etc/samba/smb.conf:
  [global]
  realm = MY.DOMAIN
  security = ADS
  template homedir = /msc/home/%U
  template shell = /bin/bash
  winbind expand groups = 2
  winbind use default domain = Yes
  workgroup = SMB
  idmap config smb : range = 10000-999999
  idmap config smb : backend = rid
  idmap config * : range = 3000-7999
  idmap config * : backend = tdb

/etc/krb5.conf:
  [libdefaults]
  default_realm = MY.DOMAIN
  dns_lookup_realm = false
  dns_lookup_kdc = true
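
The following Python is an added example, not part of the original post and not Samba code: it pairs the two-record winbindd debug entries quoted in the message and reports failed kinit attempts, flagging machine-account principals. The sample log is constructed from the lines in the post plus one constructed unrelated entry with hypothetical file and function names.

```python
import re

# Samba logs each debug entry as two syslog records from the same PID:
# a header "[timestamp, level] file:line(function)" and then the message.
HEADER = re.compile(
    r"winbindd\[(?P<pid>\d+)\]: \[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+)\] "
    r"\S+:\d+\((?P<func>\w+)\)")
FAILURE = re.compile(
    r"winbindd\[(?P<pid>\d+)\]:\s+kerberos_kinit_password "
    r"(?P<principal>\S+) failed: (?P<reason>.+)$")

# Constructed sample: the two records quoted in the post (rejoined), plus one
# constructed unrelated entry (hypothetical file and function names).
SAMPLE_LOG = """\
Sep 20 16:09:05 s0-l00 winbindd[4003715]: [2023/09/20 16:09:05.100000, 1] ../../example.c:1(example_function)
Sep 20 16:09:05 s0-l00 winbindd[4003715]:   constructed unrelated message
Sep 20 16:09:06 s0-l00 winbindd[4003715]: [2023/09/20 16:09:06.962774, 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
Sep 20 16:09:06 s0-l00 winbindd[4003715]:   kerberos_kinit_password S0-L00$@MY.DOMAIN failed: Preauthentication failed
""".splitlines()

def find_kinit_failures(lines):
    """Return one dict per failed kinit, pairing header and message by PID."""
    pending = {}   # pid -> timestamp of an ads_kinit_password header
    failures = []
    for raw in lines:
        line = raw.rstrip()
        header = HEADER.search(line)
        if header:
            if header["func"] == "ads_kinit_password":
                pending[header["pid"]] = header["ts"]
            else:
                pending.pop(header["pid"], None)  # a different entry started
            continue
        failure = FAILURE.search(line)
        if failure and failure["pid"] in pending:
            principal = failure["principal"]
            failures.append({
                "timestamp": pending.pop(failure["pid"]),
                "principal": principal,
                "reason": failure["reason"],
                # Machine accounts have a trailing "$" before the realm.
                "machine_account": principal.split("@")[0].endswith("$"),
            })
    return failures

if __name__ == "__main__":
    for hit in find_kinit_failures(SAMPLE_LOG):
        print(hit)
```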