[Samba] potential machine account expiry question
jas at eecs.yorku.ca
Tue Nov 2 13:49:07 UTC 2021
I'm dealing with an interesting problem - potentially a machine account
expiry issue in Samba AD (Samba 4.14.8).
We have multiple Linux computer labs of machines joined to AD (running
Winbind). Two labs of machines have been off for a few months. When
turned back on, none of those machines appear to be joined to the
domain. They were all working fine before. Other machines have
remained on since they were joined to the domain, and they continue to
I can report the following:
1) winbind is running on all the hosts, and I don't see any specific
errors on either the client or the server.
2) wbinfo -u and wbinfo -g still work (does the client have to be joined
to the domain for this to work?), yet getent passwd <user> returns
nothing (/etc/nsswitch.conf is the same as on a working machine with
"passwd: files winbind", and "group: files winbind").
3) wbinfo -t says "checking the trust secret for domain EECSYORKUCA via
RPC calls succeeded", wbinfo -m reports BUILTIN, the host name, and the
domain name, and wbinfo --online-status reports active connection for
BUILTIN, the hostname, and the domain name.
4) if I rejoin one of these AD clients to the domain, then it works
fine without changing any configuration files at all, and continues to
work after a reboot.
5) Although information online is very sporadic about this particular
issue, the general consensus seems to be (at least for Windows clients)
that an AD client which is off will never be automatically "expired" by
the server after any amount of time. For Windows, there is a default
timeout of 30 days, then the *client* should change the workstation
account password itself when it comes online next whether that's in a
month or a year.
6) I see samba has the "machine password timeout" option. I don't set
it in my smb.conf, so I assume that the default of 1 week will be in
effect. It's not clear what happens if this value is far exceeded.
This may be the Windows equivalent of the 30 day password change.
However, I imagine that when the client comes online and winbind sees
that it is far longer than 1 week, it probably should change the account
password in coordination with the AD server. I don't think the account
would be disabled.
7) I reviewed pwdLastSet available via "samba-tool show HOST". I
compared the result of pwdLastSet on two hosts that were joined to the
domain at approximately the same time (same day, a few minutes apart) - one
that has remained on, and the other that has remained off. pwdLastSet
on both of them is the time they were joined to the domain. Why would
the one that remained on not have pwdLastSet updated if winbind is
changing the account password weekly?
8) The clocks on the AD server and clients are in sync.
Any suggestions on what I might run to debug this issue would be
appreciated. I have many hosts that I can try on, though eventually I
will have to rejoin them to the domain.
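As an added example (not part of the original post or of Samba itself), here is a small Python check for the pwdLastSet comparison in item 7: it reads pwdLastSet from LDIF-style "attribute: value" output such as `samba-tool computer show` prints (the exact output format is an assumption), converts the Windows FILETIME to a timestamp, and reports whether the age exceeds the smb.conf "machine password timeout" default of one week. The computer entry below is constructed sample data.

```python
"""Check a machine account's password age from its pwdLastSet attribute.

pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
If the age is past 'machine password timeout' (Samba default: 604800 s, one
week) and the host has been online, winbind should already have rotated it.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_TO_UNIX_OFFSET = 11644473600          # seconds between 1601 and 1970
DEFAULT_MACHINE_PASSWORD_TIMEOUT = 604800      # smb.conf default, in seconds

# Constructed sample: pwdLastSet corresponds to 2021-08-01T00:00:00Z.
SAMPLE_LDIF = """\
dn: CN=LABPC01,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: LABPC01$
pwdLastSet: 132722496000000000
"""


def parse_pwdlastset(ldif_text: str) -> int:
    """Return the integer pwdLastSet value from 'attr: value' lines."""
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "pwdlastset":
            return int(value.strip())
    raise ValueError("pwdLastSet attribute not found in entry")


def filetime_to_iso(ticks: int) -> str:
    """Convert FILETIME ticks to an ISO-8601 UTC timestamp string."""
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def password_age_seconds(ldif_text: str, now_unix: int) -> int:
    """Seconds since the machine password was last set, as of now_unix."""
    ticks = parse_pwdlastset(ldif_text)
    if ticks == 0:
        # pwdLastSet == 0 means 'must change at next logon': treat as stale.
        return DEFAULT_MACHINE_PASSWORD_TIMEOUT + 1
    set_unix = ticks // 10_000_000 - FILETIME_TO_UNIX_OFFSET
    return now_unix - set_unix


def is_rotation_overdue(ldif_text: str, now_unix: int,
                        timeout: int = DEFAULT_MACHINE_PASSWORD_TIMEOUT) -> bool:
    """True when the password is older than the configured timeout."""
    return password_age_seconds(ldif_text, now_unix) > timeout


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    print("pwdLastSet:", filetime_to_iso(parse_pwdlastset(SAMPLE_LDIF)))
    print("rotation overdue:", is_rotation_overdue(SAMPLE_LDIF, now))
```

Feed it the real entry with `samba-tool computer show HOST` and compare a host that stayed on against one that was off; if both are overdue, the weekly rotation is not happening at all.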