[Samba] 'Scripted' machine account renewal?!

Kees van Vloten keesvanvloten at gmail.com
Sun Mar 24 17:22:18 UTC 2024


On 24-03-2024 17:42, Marco Gaiarin via samba wrote:
> Greetings! Kees van Vloten via samba
>    wrote on that day...
>
>> Solution is easy: upgrading winbind from Debian backports solves the issue!
> I've upgraded to the latest buster version, 4.18.10+dfsg-1~buster, but it still does
> not work for me...

As said, both my DCs and the domain members are on 4.19.N, and that solved 
the issue. I came from 4.17 on the clients and 4.19 on the DCs, so I am 
sure that 4.17 had the issue. I don't know about 4.18, but reading your 
comment suggests that it was only fixed in 4.19.

- Kees.

>
> Now display:
>
>   root at vfwacpn1:~# net ads changetrustpw
>   get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
>   Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
>   Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
>
> If I force the target server:
>
>   root at vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
>   ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
>   Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
>   Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
>
>
> In /etc/krb5.conf i've set:
>
>   [libdefaults]
> 	default_realm = AD.AC.CONCORDIA-PORDENONE.IT
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = false
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
>
>   [realms]
> 	AD.AC.CONCORDIA-PORDENONE.IT = {
> 		kdc = kdc.ad.ac.concordia-pordenone.it
> 		master_kdc = kdc.ad.ac.concordia-pordenone.it
> 		admin_server = kdc.ad.ac.concordia-pordenone.it
> 		default_domain = ad.ac.concordia-pordenone.it
> 	}
>
> Clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:
>
>   root at vfwacpn1:~# grep kdc /etc/hosts
>   10.172.1.8	vdcacpn1.ac.concordia-pordenone.it	kdc.ad.ac.concordia-pordenone.it	ad.ac.concordia-pordenone.it	vdcacpn1
>
> Join still seems valid:
>
>   root at vfwacpn1:~# net ads testjoin
>   get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
>   get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
>   Join is OK
>   root at vfwacpn1:~# net ads testjoin -S kdc.ad.ac.concordia-pordenone.it
>   get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
>   ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
>   Join is OK
>
> and I can get the data I need:
>
>   root at vfwacpn1:~# samba-tool group listmembers group1 -H ldap://ad.ac.concordia-pordenone.it -P
>   user1
>   user2
>   user3
>

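The subject of the thread is scripting machine account password renewal with `net ads changetrustpw`. The following POSIX sh sketch is an added example, not code posted by Kees or Marco and not part of Samba: it renews only when the account password is older than a policy age, reading `pwdLastSet` from `net ads status`, and re-runs `net ads testjoin` afterwards so that a rotation which left the host unable to authenticate (as the thread's "Password change failed" output shows can happen) is reported as a failure rather than silently accepted. It assumes that `net ads status` prints the member's computer object as `attribute: value` lines including `pwdLastSet` as a Windows FILETIME, and that a 30-day policy is wanted; winbind's own `machine password timeout` (default 7 days) normally handles this, so a script like this is only for hosts where winbind's renewal is not relied upon. The `fake_net` helper in the usage note is a constructed stand-in for dry runs.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): cron-driven renewal of a
# Samba domain member's machine account password, gated on password age.
# Assumptions: `net ads status` emits "pwdLastSet: <FILETIME>" for the member's
# own computer object; 30 days is the desired policy age.

# Windows FILETIME counts 100 ns ticks since 1601-01-01; the Unix epoch is
# 1970-01-01, 11644473600 s later. A pwdLastSet of 0 ("never set") maps to
# 1601 and therefore reads as long overdue, which is the safe interpretation.
filetime_to_unix() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Pull the first pwdLastSet value out of `net ads status`-style text on stdin.
pwdlastset_from_status() {
    sed -n 's/^pwdLastSet: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# renewal_due FILETIME MAX_DAYS NOW_EPOCH
# Exit status 0 when the password set at FILETIME is older than MAX_DAYS at NOW_EPOCH.
renewal_due() {
    set_at=$(filetime_to_unix "$1")
    age=$(( $3 - set_at ))
    [ "$age" -gt $(( $2 * 86400 )) ]
}

# renew_if_due [MAX_DAYS] [NET_CMD]
# NET_CMD defaults to "net"; pass a wrapper function or script for dry runs.
# Prints "renewed" or "not due". Returns 2 when the join/status lookup itself is
# broken (do not rotate a secret you cannot verify), 1 when the password change
# or the post-change testjoin failed.
renew_if_due() {
    max_days=${1:-30}
    net_cmd=${2:-net}
    status=$("$net_cmd" ads status) || {
        echo "net ads status failed: is the join still valid?" >&2
        return 2
    }
    ft=$(printf '%s\n' "$status" | pwdlastset_from_status)
    [ -n "$ft" ] || { echo "no pwdLastSet in net ads status output" >&2; return 2; }
    if renewal_due "$ft" "$max_days" "$(date +%s)"; then
        # Rotate the secret, then prove the new one works against a DC before
        # declaring success; a half-finished change is what breaks a member.
        "$net_cmd" ads changetrustpw >/dev/null || return 1
        "$net_cmd" ads testjoin >/dev/null || return 1
        echo renewed
    else
        echo "not due"
    fi
}
```

Run `renew_if_due 30` from a root cron job and alert on any non-zero exit; for a dry run, pass a shell function such as `fake_net() { case "$2" in status) printf 'pwdLastSet: 133444736000000000\n' ;; *) : ;; esac; }` as the second argument. FILETIME values for testing can be built from a Unix time as `(t + 11644473600) * 10000000`.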