[Samba] Problem with SAMBA 4 on Debian default installation

[Szostak Grzegorz]

Dear All,
I have samba 4 installation which was upgraded from samba 3. Everything was
working fine for about 6 months. Then I don't remember what I have done but
after restart of server, it is impossible to log into Windows using
Workgroup.
The setup consists of several Windows XP and Windows 7 computer. Samba jest
PDC.

Looks like problems with configuration of Kerberos or around it.

Configuration:
/etc/samba/smb.conf:
[global]
        server role = active directory domain controller
        host msdfs = yes
        workgroup = DOMAIN
        realm = net.domain.com.pl
        netbios name = PR254
        passdb backend = samba4
        server services = -smb +s3fs +dnsupdate +winbind +kdc +cldap +ldap
+drepl +nbt
        dcerpc endpoint servers = +winreg +srvsvc
        log level = 5
        interfaces = eth3
        bind interfaces only = yes
        rpc_server:samr = external

[netlogon]
        path = /var/lib/samba/sysvol/net.domain.com.pl/scripts
        browsable = yes
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

/etc/krb5.conf:
[libdefaults]
        default_realm = NET.DOMAIN.COM.PL
        dns_lookup_realm = false
        dns_lookup_kdc = true
#       clock-skew = 600

[realms]
        NET.DOMAIN.COM.PL = {
                kdc = pr254.net.domain.com.pl
                default_domain = DOMAIN
                admin_server = pr254.net.domain.com.pl
        }

Bind as Dns backend.

Kerberos:
kadmin:  getprincs
K/M at NET.DOMAIN.COM.PL
administrator/admin at NET.DOMAIN.COM.PL
administrator at NET.DOMAIN.COM.PL
kadmin/admin at NET.DOMAIN.COM.PL
kadmin/changepw at NET.DOMAIN.COM.PL
kadmin/pr254.net.domain.com.pl at NET.DOMAIN.COM.PL
krbtgt/NET.DOMAIN.COM.PL at NET.DOMAIN.COM.PL

pr254:~# less /var/lib/samba/private/smbd.tmp/fileserver.conf
# auto-generated config for fileserver
passdb backend = samba4
rpc_server:default = external
rpc_server:svcctl = embedded
rpc_server:srvsvc = embedded
rpc_server:eventlog = embedded
rpc_server:ntsvcs = embedded
rpc_server:winreg = embedded
rpc_server:spoolss = embedded
rpc_daemon:spoolssd = disabled
rpc_server:tcpip = no
vfs objects = acl_xattr
map hidden = no
map system = no
map readonly = no
store dos attributes = yes
include = /etc/samba/smb.conf
[IPC$]
 vfs objects = dfs_samba4


Symptoms:
- on windows, windows says that user doesn't exists or has wrong password
- on linux:
When I issue: pr254:~# samba-tool user password -U administrator

finddcs: searching for a DC by DNS domain net.domain.com.pl
finddcs: looking for SRV records for _ldap._tcp.net.domain.com.pl
ads_dns_lookup_srv: 1 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.199.254'
finddcs: DNS SRV response 1 at '192.168.10.243'
finddcs: DNS SRV response 2 at '10.255.255.1'
finddcs: DNS SRV response 3 at '10.10.10.1'

Result is: finddcs:
No matching CLDAP server found
ERROR: Failed to change password : Connection to SAMR pipe of PDC of domain
'PROSPIN' failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 455,
in run
    net.change_password(password)

Thank you for help.
Grzegorz