[Samba] winbind trust account password management

Andrew Morgan morgan at orst.edu
Mon Nov 21 22:34:10 UTC 2016


This same issue happened to us again yesterday, causing a 5-hour outage 
because we weren't actively monitoring the service.  Here are the log 
entries:

Nov 20 08:30:02 onid-fs1 winbindd[31619]: [2016/11/20 08:30:02.146549,  1] ../source3/winbindd/winbindd_pam.c:1439(winbind_samlogon_retry_loop)
Nov 20 08:30:02 onid-fs1 winbindd[31619]:   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.  Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain onid

<these lines repeated thousands of times>
Nov 20 08:30:02 onid-fs1 winbindd[31619]: [2016/11/20 08:30:02.694952,  1] ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)
Nov 20 08:30:02 onid-fs1 winbindd[31619]:   SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR

<these lines after I restarted winbindd>
Nov 20 13:47:35 onid-fs1 winbindd[32021]: [2016/11/20 13:47:35.386790,  1] ../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
Nov 20 13:47:35 onid-fs1 winbindd[32021]:   ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host DC3-ONID!
Nov 20 13:47:35 onid-fs1 winbindd[32021]: [2016/11/20 13:47:35.387108,  1] ../source3/rpc_client/cli_pipe.c:3316(cli_rpc_pipe_open_schannel_with_creds)
Nov 20 13:47:35 onid-fs1 winbindd[32021]:   cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED

What is happening here?

Thanks,
 	Andy

On Wed, 2 Nov 2016, Andrew Morgan via samba wrote:

> I'm running Samba v4.4.4 as a domain member server in security=domain 
> mode.  Our 3 domain controllers are Server 2012r2.
>
> Every 3-4 days, I see log messages from winbind saying 
> "winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED". 
> Sometimes this corresponds to a trust password change, but not always. 
> Today, new connections to Samba were failing with the error 
> "SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: 
> NT_STATUS_INTERNAL_ERROR" for an hour.  I restored service by re-running 
> "net rpc join" and restarting winbindd.
>
> I searched bugzilla for any issues like this, and I looked at the release 
> notes for versions newer than v4.4.4.  I don't see anything specifically 
> related to this.
>
> Here are the recent winbind log entries that show this problem:
>
> Oct 15 08:10:40 onid-fs1 winbindd[11194]: [2016/10/15 08:10:40.373760,  1] 
> ../source3/libsmb/trusts_util.c:264(trust_pw_change)
> Oct 15 08:10:40 onid-fs1 winbindd[11194]:   2016/10/15 08:10:40 : 
> trust_pw_change(ONID): Changed password locally
> Oct 15 08:10:40 onid-fs1 winbindd[11194]: [2016/10/15 08:10:40.426325,  1] 
> ../source3/libsmb/trusts_util.c:278(trust_pw_change)
> Oct 15 08:10:40 onid-fs1 winbindd[11194]:   2016/10/15 08:10:40 : 
> trust_pw_change(ONID): Changed password remotely.
> Oct 19 08:13:53 onid-fs1 winbindd[11194]: [2016/10/19 08:13:53.347255,  1] 
> ../source3/winbindd/winbindd_pam.c:1439(winbind_samlogon_retry_loop)
> Oct 19 08:13:53 onid-fs1 winbindd[11194]:   winbind_samlogon_retry_loop: 
> sam_logon returned ACCESS_DENIED.  Maybe the DC has Restrict NTLM set or the 
> trust account password was changed and we didn't know it. Killing connections 
> to domain ONID
> Oct 19 08:13:53 onid-fs1 winbindd[11194]: [2016/10/19 08:13:53.931669,  1] 
> ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)
> Oct 19 08:13:53 onid-fs1 winbindd[11194]:   SPNEGO(gse_krb5) creating 
> NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Oct 22 08:10:40 onid-fs1 winbindd[11194]: [2016/10/22 08:10:40.328862,  1] 
> ../source3/libsmb/trusts_util.c:264(trust_pw_change)
> Oct 22 08:10:40 onid-fs1 winbindd[11194]:   2016/10/22 08:10:40 : 
> trust_pw_change(ONID): Changed password locally
> Oct 22 08:10:40 onid-fs1 winbindd[11194]: [2016/10/22 08:10:40.412899,  1] 
> ../source3/libsmb/trusts_util.c:278(trust_pw_change)
> Oct 22 08:10:40 onid-fs1 winbindd[11194]:   2016/10/22 08:10:40 : 
> trust_pw_change(ONID): Changed password remotely.
> Oct 26 08:24:04 onid-fs1 winbindd[11194]: [2016/10/26 08:24:04.475864,  1] 
> ../source3/winbindd/winbindd_pam.c:1439(winbind_samlogon_retry_loop)
> Oct 26 08:24:04 onid-fs1 winbindd[11194]:   winbind_samlogon_retry_loop: 
> sam_logon returned ACCESS_DENIED.  Maybe the DC has Restrict NTLM set or the 
> trust account password was changed and we didn't know it. Killing connections 
> to domain ONID
> Oct 26 08:24:04 onid-fs1 winbindd[11194]: [2016/10/26 08:24:04.857873,  1] 
> ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)
> Oct 26 08:24:04 onid-fs1 winbindd[11194]:   SPNEGO(gse_krb5) creating 
> NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Oct 26 08:24:05 onid-fs1 winbindd[11194]: [2016/10/26 08:24:05.061340,  1] 
> ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)
> Oct 26 08:24:05 onid-fs1 winbindd[11194]:   SPNEGO(gse_krb5) creating 
> NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Oct 26 08:24:25 onid-fs1 winbindd[11194]: [2016/10/26 08:24:25.402327,  1] 
> ../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
> Oct 26 08:24:25 onid-fs1 winbindd[11194]: 
> ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host DC1-ONID!
> Oct 26 08:24:25 onid-fs1 winbindd[11194]: [2016/10/26 08:24:25.403217,  1] 
> ../source3/rpc_client/cli_pipe.c:3316(cli_rpc_pipe_open_schannel_with_creds)
> Oct 26 08:24:25 onid-fs1 winbindd[11194]: 
> cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with error 
> NT_STATUS_NETWORK_ACCESS_DENIED
> Oct 29 08:10:40 onid-fs1 winbindd[11194]: [2016/10/29 08:10:40.585520,  1] 
> ../source3/libsmb/trusts_util.c:264(trust_pw_change)
> Oct 29 08:10:40 onid-fs1 winbindd[11194]:   2016/10/29 08:10:40 : 
> trust_pw_change(ONID): Changed password locally
> Oct 29 08:10:40 onid-fs1 winbindd[11194]: [2016/10/29 08:10:40.639099,  1] 
> ../source3/libsmb/trusts_util.c:278(trust_pw_change)
> Oct 29 08:10:40 onid-fs1 winbindd[11194]:   2016/10/29 08:10:40 : 
> trust_pw_change(ONID): Changed password remotely.
> Nov  2 08:14:01 onid-fs1 winbindd[11194]: [2016/11/02 08:14:01.521168,  1] 
> ../source3/winbindd/winbindd_pam.c:1439(winbind_samlogon_retry_loop)
> Nov  2 08:14:01 onid-fs1 winbindd[11194]:   winbind_samlogon_retry_loop: 
> sam_logon returned ACCESS_DENIED.  Maybe the DC has Restrict NTLM set or the 
> trust account password was changed and we didn't know it. Killing connections 
> to domain ONID
> Nov  2 08:14:02 onid-fs1 winbindd[11194]: [2016/11/02 08:14:02.039227,  1] 
> ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)
> Nov  2 08:14:02 onid-fs1 winbindd[11194]:   SPNEGO(gse_krb5) creating 
> NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Nov  2 08:14:02 onid-fs1 winbindd[11194]: [2016/11/02 08:14:02.366355,  1] 
> ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)
> Nov  2 08:14:02 onid-fs1 winbindd[11194]:   SPNEGO(gse_krb5) creating 
> NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> (many of this last error message - once for each connection attempt until 
> I fixed it)
>
>
> Is there a known issue here?
>
> How does winbindd manage the trust password?
>
> Should I be using security=ads mode instead?
>
> Thanks,
> 	Andy
>
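The outage above went unnoticed because nothing was watching winbindd's log for this signature. What follows is an added example, not code from the original post or from the Samba project: a small Python monitor that classifies winbindd syslog lines into the signatures seen in the thread (trust password changed locally/remotely, sam_logon ACCESS_DENIED, NEG_TOKEN_INIT failures, schannel bind denied) and derives alerts from them. It assumes the syslog line format shown in the thread with wrapped lines rejoined; the sample lines are taken from the thread, the threshold of three NEG_TOKEN_INIT failures is an arbitrary choice, and the remediation text in the alerts is a suggestion drawn from what the poster did (re-run "net rpc join", restart winbindd).

```python
import re
from collections import Counter

# Syslog prefix as shown in the thread: "Nov 20 08:30:02 onid-fs1 winbindd[31619]:   <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) winbindd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)

# Message signatures observed in the thread, checked in order.
SIGNATURES = [
    ("trust_pw_local", re.compile(r"trust_pw_change\((?P<dom>\w+)\): Changed password locally")),
    ("trust_pw_remote", re.compile(r"trust_pw_change\((?P<dom>\w+)\): Changed password remotely")),
    ("samlogon_denied", re.compile(r"sam_logon returned ACCESS_DENIED.*domain (?P<dom>\w+)")),
    ("spnego_failed", re.compile(r"creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR")),
    ("schannel_denied", re.compile(r"rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED")),
]


def classify(line):
    """Return (signature, DOMAIN-or-None) for a winbindd syslog line, or None if it matches nothing."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for name, rx in SIGNATURES:
        hit = rx.search(msg)
        if hit:
            dom = hit.groupdict().get("dom")
            return name, (dom.upper() if dom else None)
    return None


def analyse(lines, spnego_threshold=3):
    """Count signatures over a batch of lines and derive alerts.

    spnego_threshold is an arbitrary choice (assumption): how many NEG_TOKEN_INIT
    failures after an ACCESS_DENIED we treat as "authentication is down".
    """
    counts = Counter()
    local_changes = Counter()
    remote_changes = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        name, dom = hit
        counts[name] += 1
        if name == "trust_pw_local":
            local_changes[dom] += 1
        elif name == "trust_pw_remote":
            remote_changes[dom] += 1

    alerts = []
    # A local change with no matching remote confirmation means secrets.tdb and the DC may disagree.
    for dom in local_changes:
        if local_changes[dom] > remote_changes[dom]:
            alerts.append(f"{dom}: machine password changed locally without a 'Changed password remotely' "
                          "entry; local secrets may be out of sync with the DC")
    if counts["samlogon_denied"] and counts["spnego_failed"] >= spnego_threshold:
        alerts.append("sam_logon ACCESS_DENIED followed by repeated NEG_TOKEN_INIT failures: winbindd is "
                      "failing user authentication; re-run 'net rpc join' and restart winbindd")
    if counts["schannel_denied"]:
        alerts.append("DC rejected the schannel bind (NT_STATUS_NETWORK_ACCESS_DENIED): the DC no longer "
                      "accepts this host's machine account credentials")
    return {"counts": dict(counts), "alerts": alerts}


# Sample input: lines from the thread, with the mail-wrapped messages rejoined onto one line each.
SAMPLE_LOG = [
    "Oct 15 08:10:40 onid-fs1 winbindd[11194]:   2016/10/15 08:10:40 : trust_pw_change(ONID): Changed password locally",
    "Oct 15 08:10:40 onid-fs1 winbindd[11194]:   2016/10/15 08:10:40 : trust_pw_change(ONID): Changed password remotely.",
    "Oct 19 08:13:53 onid-fs1 winbindd[11194]: [2016/10/19 08:13:53.347255,  1] ../source3/winbindd/winbindd_pam.c:1439(winbind_samlogon_retry_loop)",
    "Oct 19 08:13:53 onid-fs1 winbindd[11194]:   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.  Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain ONID",
    "Oct 19 08:13:53 onid-fs1 winbindd[11194]:   SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR",
    "Oct 19 08:13:54 onid-fs1 winbindd[11194]:   SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR",
    "Oct 19 08:13:55 onid-fs1 winbindd[11194]:   SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR",
    "Oct 26 08:24:25 onid-fs1 winbindd[11194]:   ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host DC1-ONID!",
    "Oct 26 08:24:25 onid-fs1 winbindd[11194]:   cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(result["counts"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Run it against `journalctl -u winbind -o short` or the syslog file winbindd writes to; the level-1 messages shown in the thread are logged at the default log level, so no extra debugging is needed to feed it. Alerting on the first ACCESS_DENIED line alone would have cut the five-hour outage to minutes.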
