[Samba] 'Scripted' machine account renewal?!

Marco Gaiarin gaio at lilliput.linux.it
Sun Mar 24 16:42:03 UTC 2024


Hello! Kees van Vloten via samba
  On that day it was said...

> Solution is easy: upgrading winbind from Debian backports solves the issue !

I've upgraded to the latest buster version, 4.18.10+dfsg-1~buster, but it still
does not work for me...

Now it displays:

 root at vfwacpn1:~# net ads changetrustpw
 get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
 Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
 Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

If I force the target server:

 root at vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
 ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
 Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
 Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.


In /etc/krb5.conf i've set:

 [libdefaults]
	default_realm = AD.AC.CONCORDIA-PORDENONE.IT
	dns_lookup_realm = false
	dns_lookup_kdc = false
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

 [realms]
	AD.AC.CONCORDIA-PORDENONE.IT = {
		kdc = kdc.ad.ac.concordia-pordenone.it
		master_kdc = kdc.ad.ac.concordia-pordenone.it
		admin_server = kdc.ad.ac.concordia-pordenone.it
		default_domain = ad.ac.concordia-pordenone.it
	}

Clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:

 root at vfwacpn1:~# grep kdc /etc/hosts
 10.172.1.8	vdcacpn1.ac.concordia-pordenone.it	kdc.ad.ac.concordia-pordenone.it	ad.ac.concordia-pordenone.it	vdcacpn1

Join still seems valid:

 root at vfwacpn1:~# net ads testjoin
 get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
 get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
 Join is OK
 root at vfwacpn1:~# net ads testjoin -S kdc.ad.ac.concordia-pordenone.it
 get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
 ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
 Join is OK

And I can get the data I need:

 root at vfwacpn1:~# samba-tool group listmembers group1 -H ldap://ad.ac.concordia-pordenone.it -P
 user1
 user2
 user3

-- 
  The ways of the Lord are infinite.
  It's the signage that leaves something to be desired...
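As an added diagnostic (not code from this message or from the Samba project), here is a bash script that pulls the "kdc = ..." hosts for a realm out of a krb5.conf laid out like the one above and checks that each one resolves and answers on 88/tcp, which is the first thing to verify when get_kdc_list reports NT_STATUS_NO_LOGON_SERVERS with dns_lookup_kdc disabled. The sample config it embeds is constructed and its host names are placeholders.

```bash
# Added diagnostic, not code from the post or from Samba: list the KDCs a
# krb5.conf configures for a realm and check each resolves and accepts 88/tcp.
# Assumes bash (for /dev/tcp), awk, getent and timeout; sample config is constructed.

# Print the "kdc = ..." hosts of REALM's block in the [realms] section of FILE.
krb5_kdcs_for_realm() {
    local file="$1" realm="$2"
    awk -v realm="$realm" '
        /^[[:space:]]*\[/ { section = $0; gsub(/[^A-Za-z0-9_]/, "", section); inrealm = 0; next }
        section == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0; next }
        inrealm && $1 == "kdc" && $2 == "=" { host = $3; sub(/:[0-9]+$/, "", host); print host }
    ' "$file"
}

# One KDC: 0 if it resolves and port 88/tcp connects within 3 s, 1 otherwise.
krb5_kdc_reachable() {
    local host="$1"
    getent hosts "$host" >/dev/null || { echo "$host: does not resolve" >&2; return 1; }
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/88" 2>/dev/null \
        || { echo "$host: port 88/tcp not reachable" >&2; return 1; }
    echo "$host: ok"
}

# 0 only if every KDC configured for REALM in FILE is reachable.
krb5_check_realm() {
    local file="$1" realm="$2" rc=0 kdc
    for kdc in $(krb5_kdcs_for_realm "$file" "$realm"); do
        krb5_kdc_reachable "$kdc" || rc=1
    done
    return $rc
}

# Constructed sample mirroring the layout of the /etc/krb5.conf in the post;
# the host names are placeholders.
SAMPLE_KRB5_CONF=$(mktemp)
cat >"$SAMPLE_KRB5_CONF" <<'EOF'
[libdefaults]
	default_realm = EXAMPLE.TEST
	dns_lookup_kdc = false
[realms]
	EXAMPLE.TEST = {
		kdc = kdc1.example.test
		kdc = kdc2.example.test:88
		admin_server = kdc1.example.test
	}
EOF

# Real use: krb5_check_realm /etc/krb5.conf AD.AC.CONCORDIA-PORDENONE.IT
```

On a live host, a KDC that resolves through /etc/hosts but fails the 88/tcp check points at the network path rather than at the Kerberos configuration.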
