Failed to bind to uuid NT_STATUS_LOGON_FAILURE secrets.keytab broken

Omnis ludis - games sergey.gortinsc17 at gmail.com
Wed Jun 5 13:37:13 UTC 2024


Good afternoon. Tell me, this error occurs on the domain controller, Samba
v4.19.0. I paired the domain controller with sssd so that authentication
occurs under domain accounts on the domain controller, but as you know,
sssd changes the machine password every 30 days if this option is not
disabled:
ad_maximum_machine_account_password_age = 0
I haven't disabled it for 30 days and, as I understand it, the password has
changed, and when I call samba-tool drs showrepl the following error occurs:
samba-tool drs showrepl -d 5
INFO: Current debug levels:
lpcfg_load: refreshing parameters from /opt/samba/etc/smb.conf
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc1.red-soft.biz[,seal]
Mapped to DCERPC endpoint 135
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.test.dom<0x20>
startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No
such file or directory
Mapped to DCERPC endpoint 49153
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.red-soft.biz<0x20>
startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No
such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 294
Received smb_krb5 packet of length 203
Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed
(Preauthentication failed)
Wrong username or password: kinit for DC1$@TEST.DOM failed
(Preauthentication failed)
gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating
NEG_TOKEN_INIT for ldap/DC1.TEST.DOM failed (next[ntlmssp]):
NT_STATUS_LOGON_FAILURE
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:10.81.0.250[49153,seal,target_hostname=dc1.test.dom,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.81.0.250]
NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
dc1.test.dom failed - drsException: DRS connection to dc1.test.dom failed:
(3221225581, 'The attempted logon is invalid. This is either due to a bad
username or authentication information.')
  File "samba/netcmd/drs.py", line 55, in samba.netcmd.drs.drsuapi_connect
  File "samba/drs_utils.py", line 78, in samba.drs_utils.drsuapi_connect


Even if you can only point me in the direction of why this could happen, I
will be grateful. Here is my samba config:
# Global parameters
[global]
        netbios name = DC1
        realm = TEST.DOM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = TEST
        idmap_ldb:use rfc2307 = yes
        map acl inherit = yes
        allow dns updates = nonsecure
        dsdb:schema update allowed = true
        ldap server require strong auth = no
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab


[sysvol]
        path = /opt/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /opt/samba/var/locks/sysvol/red-soft.biz/scripts
        read only = No


I also tried using krb5.keytab instead of secrets.keytab, but the situation
did not change. I would like to know more about the internals of Samba and
how to force it to accept the changed password of its own domain
controller; maybe this can be done somehow through the database.
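The failure pattern in the post above has two recognisable parts: Kerberos preauthentication for the DC's own machine account (DC1$@TEST.DOM) fails, and the subsequent DCERPC bind to the DRSUAPI interface (UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2) is rejected with NT_STATUS_LOGON_FAILURE. The following is an added triage script, not code from the original post or from the Samba project, that pulls those two signals out of `samba-tool drs showrepl -d 5` output and cross-checks whether the sssd domain section sets the `ad_maximum_machine_account_password_age = 0` option the poster mentions. The log excerpt and the sssd.conf fragment embedded below are constructed for the example, and the regular expressions, function names and the decision rule combining the two checks are this example's own assumptions rather than anything Samba or sssd provide.

```python
"""Triage helper for the DC machine-account NT_STATUS_LOGON_FAILURE pattern (added example)."""
import configparser
import re

# Constructed excerpt modelled on the samba-tool drs showrepl -d 5 output in the post.
SAMPLE_LOG = """\
Starting GENSEC submechanism gssapi_krb5
Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
Starting GENSEC submechanism ntlmssp
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.81.0.250[49153,seal] NT_STATUS_LOGON_FAILURE
"""

# Constructed sssd.conf fragment; only the option name comes from the post,
# the value 30 here is a made-up example of rotation being left enabled.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = test.dom

[domain/test.dom]
id_provider = ad
ad_maximum_machine_account_password_age = 30
"""

# Regexes are this example's own assumptions about the log wording shown in the post.
KINIT_RE = re.compile(r"kinit for (?P<princ>\S+\$@\S+) failed \((?P<reason>[^)]+)\)")
BIND_RE = re.compile(
    r"Failed to bind to uuid (?P<uuid>[0-9a-f-]{36}) .*?(?P<status>NT_STATUS_\w+)", re.S
)


def diagnose(log_text):
    """Extract the machine-account kinit result and the DCERPC bind result from debug output."""
    result = {
        "principal": None,
        "reason": None,
        "machine_preauth_failed": False,
        "bind_uuid": None,
        "bind_status": None,
    }
    m = KINIT_RE.search(log_text)
    if m:
        result["principal"] = m.group("princ")
        result["reason"] = m.group("reason")
        # A preauth failure for a $-suffixed principal means the KDC rejected
        # the key the DC holds for its own machine account.
        result["machine_preauth_failed"] = m.group("reason") == "Preauthentication failed"
    b = BIND_RE.search(log_text)
    if b:
        result["bind_uuid"] = b.group("uuid")
        result["bind_status"] = b.group("status")
    return result


def sssd_rotation_disabled(conf_text, domain):
    """True if [domain/<domain>] sets ad_maximum_machine_account_password_age = 0."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return False
    value = cp.get(section, "ad_maximum_machine_account_password_age", fallback="")
    return value.strip() == "0"


def triage(log_text, conf_text, domain):
    """Combine both checks: preauth failure with rotation still enabled points at a rotated password."""
    d = diagnose(log_text)
    d["sssd_rotation_disabled"] = sssd_rotation_disabled(conf_text, domain)
    d["likely_rotated_machine_password"] = (
        d["machine_preauth_failed"] and not d["sssd_rotation_disabled"]
    )
    return d


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG, SAMPLE_SSSD_CONF, "test.dom").items():
        print(f"{key}: {val}")
```

Run it against the real debug output and the live sssd.conf by swapping the constructed samples for file contents; the `likely_rotated_machine_password` flag only says the symptoms are consistent with sssd having rotated the DC's machine password while Samba kept the old secret, which is the situation the post describes.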

