[Samba] AD Computer Account Becoming Disabled on Re-Join

Rob Faulkner swrobf at googlemail.com
Tue Feb 2 04:18:34 MST 2010


Dear All,

Environment is:

- Squid proxy on linux
- Samba (have tried 3.2.8 and 3.4.3) as a domain client (ADS)
- Heimdal Kerberos
- Active Directory on multiple local Windows Server 2003 domain controllers
(single domain)

Squid is joining the AD domain with ADS via Samba in order to authenticate
users with NTLM etc and perform LDAP queries.

As part of the Squid configuration, on startup the system performs a net ads
join to join the domain and on restart of the squid services it leaves the
domain then re-joins.

Somewhere in the region of 2 out of 3 times that this leave/re-join process
occurs the computer account in AD becomes disabled and the box is unable to
complete the join.  In most cases going through the leave/re-join resolves
this issue and the account becomes re-enabled.

This is somewhat frustrating, as the "usual" things that can go wrong (bind
account credentials/logon names, DNS forward/reverse resolution, server
hostname, clock skew, AD permissions, etc) all seem to be fine - and indeed
some of the time the joins occur without a problem.

Investigating what happens when the account becomes disabled doesn't yield
anything interesting to me:



smb.conf

[global]
workgroup = DOMAIN
netbios name = SQUID-1
realm = DOMAIN.LOCAL
security = ads
password server = DC2.DOMAIN.LOCAL
winbind separator = /
winbind enum users = yes
winbind enum groups = yes



krb5.conf

[libdefaults]
        default_realm = DOMAIN.LOCAL
        clockskew = 300

[realms]
        DOMAIN.LOCAL = {
                admin_server = tcp/DC2.domain.local:749
                kdc = tcp/DC2.domain.local:88
                admin_server = tcp/DC5.domain.local:749
                kdc = tcp/DC5.domain.local:88
                default_domain = domain.local
        }


[domain_realm]
        .domain.local = DOMAIN.LOCAL
        domain.local = DOMAIN.LOCAL



AD Event Logs:

Event Type:    Error
Event Source:    NETLOGON
Event Category:    None
Event ID:    5723
Computer:    DC5
Description:
The session setup from computer 'SQUID-1' failed because the security
database does not contain a trust account 'SQUID-1$' referenced by the
specified computer.

Data:
0000: 8b 01 00 c0               ?..À

Event Type:    Error
Event Source:    NETLOGON
Event Category:    None
Event ID:    5805
Computer:    DC5
Description:
The session setup from the computer SQUID-1 failed to authenticate. The
following error occurred:
Access is denied.

Data:
0000: 22 00 00 c0               "..À




Winbind Logs:

[Object becomes disabled: ]
libsmb/cliconnect.c:996(cli_session_setup_spnego)
  Kinit failed: Preauthentication failed

[Object becomes re-enabled: ]
winbindd/winbindd.c:190(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

[Object becomes disabled: ]
winbindd/winbindd.c:190(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

libsmb/cliconnect.c:996(cli_session_setup_spnego)
  Kinit failed: Clients credentials have been revoked



I do have a number of packet traces of these exchanges, but briefly does
anyone know what the best things to look for are?

I can see the KRB5KDC_ERR_CLIENT_REVOKED NT Status: STATUS_ACCOUNT_DISABLED
that seems to go along with what winbind reports.

Is there any significance in this being a multi-DC environment in that I can
see the kerberos exchange occuring with one DC and the SMB exchange (Session
Setup, Tree Connect, etc) with a different DC?

There are fundamental gaps in my understanding of the end-to-end process
involved here, however I would appreciate if anyone can see anything
glaringly wrong, has seen this before, or can give me any more avenues of
investigation.

Many thanks in advance,


Rob.


More information about the samba mailing list