[Samba] winbind terminates after machine password change and needs domain rejoin
alban.rodriguez at univ-lr.fr
Wed Dec 7 08:08:35 UTC 2016
On 6 Dec 2016, at 18:18, Andrew Morgan <morgan at orst.edu> wrote:
> On Tue, 6 Dec 2016, Rodriguez Alban via samba wrote:
>
>> Hello,
>>
>> Samba 4.4.7 AD member on Linux SLES 12 here ...
>>
>> We've been running flawlessly for weeks with version 4.4.5 until we updated to 4.4.6 and experienced this bug: https://bugzilla.samba.org/show_bug.cgi?id=12369. So we updated to 4.4.7, in which this issue was fixed, with an interim downgrade to version 4.4.5 until 4.4.7 was available.
>>
>> Now, we're experiencing another issue and it seems related to machine (trusted account) password change.
>> When this happens:
>> - users get an 'access denied' error to their home directory.
>> - winbindd is not running anymore on the Samba server
>> - restarting winbindd is not enough to fix the issue. We also need to join the domain again.
>>
>> We first had the issue Mon 28th early in the afternoon and then yesterday early in the afternoon which is exactly 7 days after.
>>
>> log.wb-{DOMAINNAME} showed the same lines in either case:
>> [2016/11/30 10:25:26.114186, 1] ../source3/libsmb/trusts_util.c:264(trust_pw_change)
>> 2016/11/30 10:25:26 : trust_pw_change(UNIV-LR): Changed password locally
>> [2016/11/30 10:25:26.179269, 1] ../source3/libsmb/trusts_util.c:278(trust_pw_change)
>> 2016/11/30 10:25:26 : trust_pw_change(UNIV-LR): Changed password remotely.
>> [2016/11/30 10:25:26.516562, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
>> Got sig[15] terminate (is_parent=0)
>>
>> The 'machine password timeout' parameter has the default value of 604800 seconds which is exactly 7 days.
>>
>> I'm not sure about disabling the password change by setting the machine password timeout parameter to 0, because it's a security feature and because it just worked before. Maybe I can try to force the password change, setting the debug level to 10, using 'net ads changetrustpw' and see if I can reproduce the issue (users may be angry with another outage ...)
>>
>> Any help appreciated
>>
>> Thank you
>> Alban
>
> I'm seeing weird behavior with winbind around machine account password changes too. See my thread with subject "winbind trust account password management" (no one has responded yet).
>
> I'm running v4.4.4 right now. I'm planning to upgrade to v4.5.1 in a few weeks with the (misguided?) hope that it will work better in the latest version.
>
> Andy
Andy,
In fact, I've seen your post while searching for a known bug about my current issue. But it seemed different. Maybe both are related.
What is weird in your log is (simplified):
Changed password locally
Changed password remotely
Maybe ... the trust account password was changed and we didn't know it.
So the trust account password is changed (which I believe is triggered by the client or, in this case, the member server) and then it pretends it didn't know!?
Also, I don't see winbindd receiving signal 15 just after the password change on your side. So I wonder why, and which process is sending a terminate signal to winbind on mine?
Anyways, I'll probably file a bug report for that issue because I really think it's a new bug since 4.4.5 and I will probably downgrade to 4.4.5 (again).
Cheers
Alban