[Samba] Machine passwords refresh (sometimes not happening)
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Wed Sep 27 14:51:24 UTC 2023
Hi,
can anyone help me here? This problem keeps occurring, it seems to have
appeared after I upgraded from 4.16 to 4.17. Full sequence of error in
winbind logs is
[2023/09/27 16:11:47.081424, 0]
../../source3/libads/kerberos_util.c:73(ads_kinit_password)
kerberos_kinit_password S0-L01$@MY.DOMAIN failed: Preauthentication
failed
[2023/09/27 16:11:47.087539, 0]
../../source3/winbindd/winbindd_ads.c:1199(lookup_groupmem)
ads_ranged_search failed with: Invalid credentials
Winbind restart solves the problem.
I admit I didn't try to use this "dedicated keytab file"/"kerberos
method"/"winbind refresh tickets" stanzas yet, but leaving/rejoining
domain is not a simple task. Also I'm confused by docs when to use them
(as described).
Thanks a lot
Matthias
On 20.09.23 at 17:12, Matthias Leopold via samba wrote:
> Hi,
>
> since a couple of days I'm having problems with machine passwords
> apparently not being refreshed on some domain members (which then blocks
> SSH login). I'm seeing this in logs:
>
> Sep 20 16:09:06 s0-l00 winbindd[4003715]: [2023/09/20 16:09:06.962774,
> 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
> Sep 20 16:09:06 s0-l00 winbindd[4003715]: kerberos_kinit_password
> S0-L00$@MY.DOMAIN failed: Preauthentication failed
>
> I searched this list for this topic and read about these config options
>
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> These config options are NOT mentioned on
> https://wiki.samba.org/index.php/Joining_a_Linux_or_Unix_Host_to_a_Domain, so I do NOT use them and didn't have a problem in the past.
> These config options ARE mentioned on
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting.
>
> So what should I do here?
> Why am I suddenly having problems?
>
> Time synchronization with domain controllers is OK.
> Samba is 4.17.10
>
> thx
> Matthias
>
> /etc/samba/smb.conf
>
> [global]
> realm = MY.DOMAIN
> security = ADS
> template homedir = /msc/home/%U
> template shell = /bin/bash
> winbind expand groups = 2
> winbind use default domain = Yes
> workgroup = SMB
> idmap config smb : range = 10000-999999
> idmap config smb : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
>
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = MY.DOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
--
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 / Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200
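
One way to catch the failure reported in this thread from the logs, before logins are blocked, is to parse the winbind entries and flag failed machine-account kinits. This is an added example, not part of the original message or of Samba; the function names are hypothetical and the log layout is assumed from the lines quoted above.

```python
import re

# Sample input: the winbind log lines quoted in this thread, in both the
# journald-prefixed and the raw form, including the mail's line wrapping.
SAMPLE_LOG = """\
Sep 20 16:09:06 s0-l00 winbindd[4003715]: [2023/09/20 16:09:06.962774,
0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
Sep 20 16:09:06 s0-l00 winbindd[4003715]: kerberos_kinit_password
S0-L00$@MY.DOMAIN failed: Preauthentication failed
[2023/09/27 16:11:47.081424, 0]
../../source3/libads/kerberos_util.c:73(ads_kinit_password)
kerberos_kinit_password S0-L01$@MY.DOMAIN failed: Preauthentication
failed
[2023/09/27 16:11:47.087539, 0]
../../source3/winbindd/winbindd_ads.c:1199(lookup_groupmem)
ads_ranged_search failed with: Invalid credentials
"""

SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+\S+\[\d+\]:\s*")
# Header "[timestamp, level] file:line(function)" followed by the message,
# which runs until the next header or the end of the input.
ENTRY = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*"
    r"(?P<msg>.*?)\s*(?=\[\d{4}/\d\d/\d\d \d\d:|\Z)"
)
KINIT = re.compile(r"kerberos_kinit_password (?P<principal>\S+) failed: (?P<reason>.+)")


def parse_entries(text):
    """Split winbind log text into entries, tolerating syslog prefixes and wrapping."""
    joined = " ".join(SYSLOG_PREFIX.sub("", ln).strip() for ln in text.splitlines())
    return [m.groupdict() for m in ENTRY.finditer(joined)]


def machine_kinit_failures(text):
    """Return (timestamp, principal, reason) for failed machine-account kinits."""
    hits = []
    for entry in parse_entries(text):
        m = KINIT.match(entry["msg"])
        # Machine accounts are the principals whose name part ends in "$".
        if entry["func"] == "ads_kinit_password" and m and m["principal"].split("@")[0].endswith("$"):
            hits.append((entry["ts"], m["principal"], m["reason"]))
    return hits


if __name__ == "__main__":
    for ts, principal, reason in machine_kinit_failures(SAMPLE_LOG):
        print(f"{ts} {principal}: {reason}")
```

The `lookup_groupmem` entry is parsed but not reported, since only `ads_kinit_password` failures for principals ending in `$` are treated as machine-credential problems here.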