[Samba] Machine passwords refresh (sometimes not happening)

Matthias Leopold matthias.leopold at meduniwien.ac.at
Wed Sep 27 14:51:24 UTC 2023


Hi,

can anyone help me here? This problem keeps occurring, it seems to have 
appeared after I upgraded from 4.16 to 4.17. Full sequence of errors in 
winbind logs is

[2023/09/27 16:11:47.081424,  0] 
../../source3/libads/kerberos_util.c:73(ads_kinit_password)
   kerberos_kinit_password S0-L01$@MY.DOMAIN failed: Preauthentication 
failed
[2023/09/27 16:11:47.087539,  0] 
../../source3/winbindd/winbindd_ads.c:1199(lookup_groupmem)
   ads_ranged_search failed with: Invalid credentials

Winbind restart solves the problem.

I admit I didn't try to use these "dedicated keytab file"/"kerberos 
method"/"winbind refresh tickets" stanzas yet, but leaving/rejoining 
domain is not a simple task. Also I'm confused by docs when to use them 
(as described).

Thanks a lot
Matthias

On 20.09.23 at 17:12, Matthias Leopold via samba wrote:
> Hi,
> 
> since a couple of days I'm having problems with machine passwords 
> apparently not being refreshed on some domain members (which then blocks 
> SSH login). I'm seeing this in logs:
> 
> Sep 20 16:09:06 s0-l00 winbindd[4003715]: [2023/09/20 16:09:06.962774, 
> 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
> Sep 20 16:09:06 s0-l00 winbindd[4003715]:   kerberos_kinit_password 
> S0-L00$@MY.DOMAIN failed: Preauthentication failed
> 
> I searched this list for this topic and read about these config options
> 
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> 
> These config options are NOT mentioned on 
> https://wiki.samba.org/index.php/Joining_a_Linux_or_Unix_Host_to_a_Domain, so I do NOT use them and didn't have a problem in the past.
> These config options ARE mentioned on 
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting.
> 
> So what should I do here?
> Why am I suddenly having problems?
> 
> Time synchronization with domain controllers is OK.
> Samba is 4.17.10
> 
> thx
> Matthias
> 
> /etc/samba/smb.conf
> 
> [global]
>          realm = MY.DOMAIN
>          security = ADS
>          template homedir = /msc/home/%U
>          template shell = /bin/bash
>          winbind expand groups = 2
>          winbind use default domain = Yes
>          workgroup = SMB
>          idmap config smb : range = 10000-999999
>          idmap config smb : backend = rid
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
> 
> 
> /etc/krb5.conf
> 
> [libdefaults]
>          default_realm = MY.DOMAIN
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
> 

-- 
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 / Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200


