[Samba] 'Scripted' machine account renewal?!

Rowland Penny rpenny at samba.org
Sun Mar 24 17:32:31 UTC 2024


On Sun, 24 Mar 2024 17:42:03 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Kees van Vloten via samba
>   said, on that day...
> 
> > Solution is easy: upgrading winbind from Debian backports solves
> > the issue!
> 
> I've upgraded to the latest buster version 4.18.10+dfsg-1~buster, but
> it still does not work for me...

There must be a reason why you are still using Debian buster, but it
escapes me.

> 
> Now it displays:
> 
>  root at vfwacpn1:~# net ads changetrustpw
>  get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
>  Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
>  Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
> 
> If I force the target server:
> 
>  root at vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
>  ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
>  Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
>  Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

Why do you have a computer with the short hostname 'kdc'?

> 
> 
> In /etc/krb5.conf I've set:
> 
>  [libdefaults]
> 	default_realm = AD.AC.CONCORDIA-PORDENONE.IT
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = false
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 
>  [realms]
> 	AD.AC.CONCORDIA-PORDENONE.IT = {
> 		kdc = kdc.ad.ac.concordia-pordenone.it
> 		master_kdc = kdc.ad.ac.concordia-pordenone.it
> 		admin_server = kdc.ad.ac.concordia-pordenone.it
> 		default_domain = ad.ac.concordia-pordenone.it
> 	}
> 

The default Samba krb5.conf is sufficient:

[libdefaults]
	default_realm = AD.AC.CONCORDIA-PORDENONE.IT
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
AD.AC.CONCORDIA-PORDENONE.IT = {
	default_domain = ad.ac.concordia.it
}

[domain_realm]
	VFWACPN1 = AD.AC.CONCORDIA-PORDENONE.IT

> Clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:
> 
>  root at vfwacpn1:~# grep kdc /etc/hosts
>  10.172.1.8	vdcacpn1.ac.concordia-pordenone.it kdc.ad.ac.concordia-pordenone.it ad.ac.concordia-pordenone.it	vdcacpn1

AAAARRRRGGGGHHHHH 
Why is 10.172.1.8 pointing to all that, it should be:

10.172.1.8 vdcacpn1.ad.ac.concordia-pordenone.it vdcacpn1

BUT the hostname was 'vfwacpn1' above, not sure what is going on here.

Rowland
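An added example, not part of this thread: a small Python lint that encodes the two points Rowland makes above (let the domain member find its DCs through DNS instead of hard-coding a kdc, and keep /etc/hosts to the machine's own FQDN inside the AD domain), run against Marco's quoted settings and Rowland's suggested ones. The sample strings are reconstructed from the quoted messages; the function and finding names are my own.

```python
import re

# Constructed from the thread: Marco's quoted krb5.conf / hosts line (bad) and Rowland's (good).
BAD_KRB5 = ("[libdefaults]\n\tdefault_realm = AD.AC.CONCORDIA-PORDENONE.IT\n\tdns_lookup_kdc = false\n"
            "[realms]\n\tAD.AC.CONCORDIA-PORDENONE.IT = {\n\t\tkdc = kdc.ad.ac.concordia-pordenone.it\n\t}\n")
GOOD_KRB5 = "[libdefaults]\n\tdefault_realm = AD.AC.CONCORDIA-PORDENONE.IT\n\tdns_lookup_kdc = true\n"
BAD_HOSTS = ("10.172.1.8\tvdcacpn1.ac.concordia-pordenone.it kdc.ad.ac.concordia-pordenone.it "
             "ad.ac.concordia-pordenone.it\tvdcacpn1\n")
GOOD_HOSTS = "10.172.1.8\tvdcacpn1.ad.ac.concordia-pordenone.it vdcacpn1\n"

def parse_krb5(text):
    """Minimal krb5.conf parser: {section: [(key, value)]}; realm sub-blocks are flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "}":
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), [])   # list that receives this section's keys
        elif "=" in line and current is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val != "{":                                  # "REALM = {" only opens a sub-block
                current.append((key, val))
    return sections

def check_krb5(text):
    """Flag settings that stop a Samba domain member from discovering DCs via DNS."""
    cfg, findings = parse_krb5(text), []
    if dict(cfg.get("libdefaults", [])).get("dns_lookup_kdc", "true").lower() == "false":
        findings.append("dns_lookup_kdc = false: KDCs are not located via DNS SRV records")
    if any(k in ("kdc", "master_kdc", "admin_server") for k, _ in cfg.get("realms", [])):
        findings.append("hard-coded kdc/admin_server in [realms]: DCs should be found via DNS")
    return findings

def check_hosts(text, domain):
    """Flag hosts lines that map the AD domain itself, or an out-of-domain FQDN, to a host."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        if domain in names:
            findings.append(f"{ip}: the AD domain {domain} itself is mapped to one host")
        for n in names:
            if "." in n and n != domain and not n.endswith("." + domain):
                findings.append(f"{ip}: FQDN {n} is outside the AD domain {domain}")
    return findings
```

Run `check_krb5(BAD_KRB5)` and `check_hosts(BAD_HOSTS, "ad.ac.concordia-pordenone.it")` to see both problems from the quoted output reported; the good inputs produce no findings.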
