[Samba] Strange KVNO updating
Matthieu Patou
mat at samba.org
Thu Oct 2 19:48:56 MDT 2014
On 10/01/2014 10:25 PM, Bruno MACADRE wrote:
> On 02/10/2014 00:07, Matthieu Patou wrote:
>> Hi Bruno,
>> On 09/30/2014 11:12 PM, Bruno MACADRÉ wrote:
>>> Hi,
>>>
>>> I'm working in an educational environment so I've some
>>> obligations that complicate my work. For example in all rooms of
>>> practical class all the workstations are in dual boot (Win7 +
>>> XUbuntu 14.04). I've tried 2 solutions :
>>>
>>> 1- Setting the same hostname on both OSes, joining Win7 to AD
>>> and using the keytab created by the join on the Linux side for sssd.
>>>
>>> 2- Setting a different hostname on each OS, joining Win7 to
>>> AD and joining Linux to AD, using winbind for users and groups.
>>>
>>> I've chosen the first one (maybe it's not the best
>>> choice....), but actually I'm facing a strange problem... sometimes
>>> my keytab on the Samba4 server is updated (KVNO incremented) without
>>> any human intervention.... so my sssd on the Linux side can't speak with
>>> the server anymore....
>> Is Samba4 your AD DC? If so, when you say that the keytab is updated,
>> isn't it really that the info stored in the computer object is
>> changed (and amongst it the kvno)?
> Yes I'm in Samba4 so I suppose that the keytab appears to be changed
> 'cause the computer object was modified.
>
>>>
>>> Does anybody know why a keytab can change internally?
>>>
>>> Can Win7 change the keytab (refresh or modify or anything else) when
>>> any user is using it?
>> Windows machines periodically change their password; when the
>> password is changed the kvno is also changed.
> That's what I supposed, but I'm not advanced enough in Windows admin to know
> why..... this answer confirms my idea.
>>>
>>> I just want to understand why I have to upload a new keytab on
>>> the Linux side frequently?
>>>
>>> I know this problem isn't really a samba problem, but I hope
>>> that somebody on this list knows this behaviour...
>>>
>> You can create a GPO that will apply only on Computers to disable
>> password change.
> If it's possible to disable password changing I will do that
>>
>>
> Thanks a lot for your answers, it's what I've been searching for for many days!
In the meantime you can have a look at the samba-tool command: you can
change the Maximum password age to something much bigger for the moment
(but it will apply to users as well).
./bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=dfsr12smb,DC=home,DC=matws,DC=net'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
> Best Regards,
> Bruno
>
--
Matthieu Patou
Samba Team
http://samba.org
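
Added example, not part of the original message or of Samba: a small Python check that reads the KVNOs out of a keytab and lists the principals that have fallen behind the KVNO the DC now holds, which is the state sssd ends up in after Win7 changes the machine password. It assumes the MIT keytab file format 0x0502; the realm, host name and key in the sample are constructed, and `directory_kvno` is a hypothetical parameter standing for the value the DC reports for the computer object (in AD, the msDS-KeyVersionNumber attribute).

```python
import struct

def _counted(buf, off):
    """Read a big-endian uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_kvnos(data):
    """Return {principal: highest KVNO} from keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, out = 2, {}
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative size marks a deleted entry
            off -= size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        p += 8                         # skip name type and timestamp
        kvno = data[p]                 # 8-bit KVNO, then enctype (2 bytes)
        (klen,) = struct.unpack_from(">H", data, p + 3)
        p += 5 + klen                  # now just past the key bytes
        if end - p >= 4:               # optional 32-bit KVNO wins when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        name = "/".join(comps) + "@" + realm
        out[name] = max(out.get(name, 0), kvno)
        off = end
    return out

def stale_principals(data, directory_kvno):
    """Principals whose newest key predates the KVNO the DC currently holds."""
    return sorted(p for p, k in keytab_kvnos(data).items() if k < directory_kvno)

def sample_entry(realm, comps, kvno, key=b"\x00" * 16):
    """Build one constructed keytab entry with a dummy key (demo data only)."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, 23, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: keytab exported when the machine account was at KVNO 3.
SAMPLE = b"\x05\x02" + sample_entry("EXAMPLE.LAN", ["host", "pc01.example.lan"], 3)
```

On a real client, pass the bytes of the keytab sssd uses (for example `open("/etc/krb5.keytab", "rb").read()`); a non-empty result from `stale_principals` means the keytab must be re-exported.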