[Samba] winbind: machine password timeout and keytab

Johan Hattne johan at hattne.se
Wed Feb 19 00:44:44 UTC 2020

On 2020-02-18 11:44, Rowland penny via samba wrote:
> On 18/02/2020 19:14, Johan Hattne via samba wrote:
>> Dear all;
>> Is it possible to refresh the machine password in an AD setup while 
>> also using a keytab for verifying secrets?  As far as I can see 
>> machine password updates (as controlled by "machine password timeout") 
>> are disabled when a keytab is in use (in particular, when "kerberos 
>> method = secrets and keytab"), but without an up-to-date keytab e.g. 
>> single sign-on with SSH won't work.
> I wonder where you found that ?

With smb.conf as per below, I'd expect a machine password update every 
two hours, but nothing happens.  Commenting out "kerberos method" does 
update the machine password right away (as per "net ads info"), and then 
refreshes every two hours after that.

Also, source3/winbindd_dual.c has this in it:

   if (child->domain && child->domain->primary &&
       lp_server_role() == ROLE_DOMAIN_MEMBER) {

       // For brevity:
       // Omitted real code to call machine_password_handler()
       // on password expiration


I'm thinking the USE_KERBEROS_KEYTAB is preventing the handler from 
being installed, but there is probably a good reason it's there.

> As far as I am aware, your machine passwords will be updated by winbind 
> and setting 'machine password timeout' just decides when. Setting 
> 'winbind refresh tickets = yes' should refresh any tickets as required. 
> This all depends on you running winbind.

I didn't have "winbind refresh tickets = yes", but I see the same 
behaviour now that I've added it.

>> Is there any way around this, short of running a cron job to refresh 
>> machine passwords and then update the keytab?  I find that the 
>> cron-solution suffers from race conditions in a CTDB setup.
>> // Best wishes; Johan
> No idea about CTDB, I do not use use it, but it should work in the same 
> way. It might help if you post your smb.conf, there may be something 
> there (or not there) that could be causing this.

I'll get back to CTDB once this has been sorted.  And here's the full 

         client signing = required
         kerberos method = secrets and keytab
         load printers = No
         local master = No
         log file = /var/log/samba/log.%m
         machine password timeout = 7200
         max log size = 1000
         mdns name = mdns
         realm = AD.EXAMPLE.COM
         security = ADS
         server min protocol = SMB2
         server signing = required
         server string = Samba %v (%h)
         template homedir = /home/%U
         template shell = /bin/bash
         winbind refresh tickets = Yes
         winbind use default domain = Yes
         workgroup = AD
         fruit:copyfile = yes
         idmap config * : rangesize = 1000000
         idmap config * : range = 1734200000 - 1999999999
         idmap config * : backend = autorid
         use sendfile = Yes
         vfs objects = catia fruit streams_xattr

         comment = Time Machine (%h)
         path = /var/time_machine/%U
         read only = No
         valid users = "@AD.EXAMPLE.COM\mygroup"
         fruit:model = RackMac
         fruit:encoding = native
         fruit:time machine max size = 1024G
         fruit:time machine = yes

// Best wishes; Johan

More information about the samba mailing list