[Samba] Windows Clients (10-1909 + 2012R2) not purging Machine Account tickets after auto-renew?
Kris Lou
klou at themusiclink.net
Fri Dec 17 19:27:25 UTC 2021
Happy Friday --
I recently (last week) pushed my DCs up to 4.14.10, and since then, I've
had a handful of machines with broken secure channels to the DCs.
Basically, they present as no longer joined to the domain (can't
authenticate, no domain access, etc.), but that doesn't seem to be the
case.
It seems that this only occurs AFTER the client automatically renews its
machine account password -- so I've got to get this figured out before the
next batch hits.
smbclient -L <client> -U <user> results in:
> gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous
> failure (see text): Message stream modified](2529638953)
> gensec_spnego_client_negTokenTarg_step: SPNEGO(gse_krb5) login failed:
> NT_STATUS_LOGON_FAILURE
> session setup failed: NT_STATUS_LOGON_FAILURE
Windows logs - Security-Kerberos
> The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> <client>$. The target name used was <CLIENT>$. This indicates that the
> target server failed to decrypt the ticket provided by the client. This can
> occur when the target server principal name (SPN) is registered on an
> account other than the account the target service is using. Ensure that the
> target SPN is only registered on the account used by the server. This error
> can also happen if the target service account password is different than
> what is configured on the Kerberos Key Distribution Center for that target
> service. Ensure that the service on the server and the KDC are both
> configured to use the same password. If the server name is not fully
> qualified, and the target domain (SAMDOM.TLD) is different from the client
> domain (SAMDOM.TLD), check if there are identically named server accounts
> in these two domains, or use the fully-qualified name to identify the
> server.
However, a manual domain-leave/rejoin or "powershell
Reset-ComputerMachinePassword" + reboot seems to fix this.
So, from the above, I'm guessing that the machine account tickets are not
getting automatically purged or renewed after it refreshes? But manually
triggering it seems to work -- after purging the cache with a reboot.
Any suggestions regarding this? Thanks.
Barebones smb.conf, omitting stuff I have commented out:
# Global parameters
[global]
workgroup = SAMDOM
realm = samdom.tld
netbios name = <DC>
server role = active directory domain controller
server services = -dns
ntp signd socket directory = /var/lib/samba/ntp_signd
ntlm auth = mschapv2-and-ntlmv2-only
# Logging
log level = 2
log file = /var/log/samba/samba4.log.%m
hostname lookups = yes
# This needs to be addressed soon
ldap server require strong auth = no
# Certificates
tls keyfile = /var/lib/samba/private/tls/privkey.pem
tls certfile = /var/lib/samba/private/tls/fullchain.pem
tls cafile = /var/lib/samba/private/tls/chain.pem
# Disable Printing
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
# Enable Extended ACL Support
map acl inherit = yes
store dos attributes = yes
# Winbindd parameters
template shell = /bin/bash
template homedir = /home/%U
Kris Lou
klou at themusiclink.net
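Added example, not part of the original post and not Samba project code: a client-side triage script for the failure mode described above (the client's own computer account returning KRB_AP_ERR_MODIFIED after a machine-account password rotation). It checks the secure channel with Test-ComputerSecureChannel, lists the tickets held in the SYSTEM logon session (LUID 0x3e7, where the computer account's tickets live, which a user-level "klist purge" does not touch), pulls the Security-Kerberos event ID 4 entries quoted in the post, and, only when -Repair is given and the channel is broken, runs Reset-ComputerMachinePassword followed by a purge of the SYSTEM-session ticket cache instead of a reboot. The DC name dc1.samdom.tld is an assumption; run it in an elevated PowerShell on the affected client.

```powershell
# Added example (not from the original post): triage and optional repair for a
# Windows client whose own computer account returns KRB_AP_ERR_MODIFIED after
# its machine-account password was rotated. Run elevated on the affected client.
param(
    [string]$DcName = 'dc1.samdom.tld',   # assumed DC FQDN; substitute a real DC
    [switch]$Repair                        # without this switch the script only reports
)

# 1. Is the secure channel to the chosen DC healthy? Returns $true/$false.
$channelOk = Test-ComputerSecureChannel -Server $DcName -Verbose
"Secure channel to ${DcName} healthy: $channelOk"

# 2. The computer account's Kerberos tickets live in the SYSTEM logon session
#    (LUID 0x3e7), not in the interactive user's cache. A stale ticket here
#    survives a plain 'klist purge' run as the user, which is why a reboot
#    appeared to be the only fix in the original post.
"--- machine-account (SYSTEM, LUID 0x3e7) ticket cache ---"
klist -li 0x3e7 tickets

# 3. The event text quoted in the post is Microsoft-Windows-Security-Kerberos
#    event ID 4 in the System log. Show the most recent few for context.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }

if ($Repair -and -not $channelOk) {
    # 4. Re-key the computer account against a specific DC so the KDC and the
    #    client's LSA secret agree on the current machine password.
    $cred = Get-Credential -Message 'Account permitted to reset this machine password'
    Reset-ComputerMachinePassword -Server $DcName -Credential $cred

    # 5. Drop the SYSTEM-session tickets so nothing encrypted under the old
    #    key is presented again. This is the part the reboot was doing.
    klist -li 0x3e7 purge

    # 6. Re-test without rebooting.
    $channelOk = Test-ComputerSecureChannel -Server $DcName -Verbose
    "Secure channel to ${DcName} after reset: $channelOk"
}
```

Run it once without -Repair on a broken host to confirm that the secure channel test fails and that 0x3e7 still holds a ticket for the host's own CLIENT$ service; if the purge alone (step 5) restores the channel, the stored password was already correct and only the cached tickets were stale, which would narrow the problem down to ticket handling rather than the password rotation itself.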