[Samba] winbind terminates after machine password change and needs domain rejoin

alban.rodriguez at univ-lr.fr
Tue Dec 6 08:56:10 UTC 2016


Samba 4.4.7 AD member on Linux SLES 12 here ...

We've been running flawlessly for weeks with version 4.4.5 until we updated to 4.4.6 and experienced this bug: https://bugzilla.samba.org/show_bug.cgi?id=12369
So we updated to 4.4.7, in which this issue was fixed, with an interim downgrade to version 4.4.5 until 4.4.7 was available.

Now we're experiencing another issue, and it seems related to the machine (trusted account) password change.
When this happens:
- users get an 'access denied' error to their home directory.
- winbindd is not running anymore on the Samba server
- restarting winbindd is not enough to fix the issue. We also need to join the domain again.

We first had the issue Mon 28th early in the afternoon, and then yesterday early in the afternoon, which is exactly 7 days after.

log.wb-{DOMAINNAME} showed the same lines in either case:
[2016/11/30 10:25:26.114186,  1] ../source3/libsmb/trusts_util.c:264(trust_pw_change)
  2016/11/30 10:25:26 : trust_pw_change(UNIV-LR): Changed password locally
[2016/11/30 10:25:26.179269,  1] ../source3/libsmb/trusts_util.c:278(trust_pw_change)
  2016/11/30 10:25:26 : trust_pw_change(UNIV-LR): Changed password remotely.
[2016/11/30 10:25:26.516562,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

The 'machine password timeout' parameter has the default value of 604800 seconds, which is exactly 7 days.

I'm not sure about disabling the password change by setting the machine password timeout parameter to 0, because it's a security feature and because it just worked before.
Maybe I can try to force the password setting debug level to 10 using 'net ads changetrustpw' and see if I can reproduce the issue (users may be angry with another outage ...).

Any help appreciated

Thank you
