[Samba] potential machine account expiry question

Jason Keltz jas at eecs.yorku.ca
Tue Nov 2 13:49:07 UTC 2021


Hi.

I'm dealing with an interesting problem - potentially a machine account 
expiry issue in Samba AD (Samba 4.14.8).

We have multiple Linux computer labs of machines joined to AD (running 
Winbind).  Two labs of machines have been off for a few months.  When 
turned back on, none of those machines appear to be joined to the 
domain.  They were all working fine before.  Other machines have 
remained on since they were joined to the domain, and they continue to 
function perfectly.

I can report the following:

1) winbind is running on all the hosts, and I don't see any specific 
errors on either the client or the server.

2) wbinfo -u and wbinfo -g still work (does the client have to be joined 
to the domain for this to work?), yet getent passwd <user> returns 
nothing (/etc/nsswitch.conf is the same as on a working machine with 
"passwd: files winbind", and "group: files winbind").

3) wbinfo -t says "checking the trust secret for domain EECSYORKUCA via 
RPC calls succeeded", wbinfo -m reports BUILTIN, the host name, and the 
domain name, and wbinfo --online-status reports active connection for 
BUILTIN, the hostname, and the domain name.

4) if I rejoin one of these AD clients to the domain, then it works 
fine without changing any configuration files at all, and continues to 
work after a reboot.

5) Although information online is very sporadic about this particular 
issue, the general consensus seems to be (at least for Windows clients) 
that an AD client which is off will never be automatically "expired" by 
the server after any amount of time. For Windows, there is a default 
timeout of 30 days, then the *client* should change the workstation 
account password itself when it comes online next whether that's in a 
month or a year.

6) I see samba has the "machine password timeout" option.  I don't set 
it in my smb.conf, so I assume that the default of 1 week will be in 
effect.  It's not clear what happens if this value is far exceeded.  
This may be the Windows equivalent of the 30 day password change.  
However, I imagine that when the client comes online and winbind sees 
that it is far longer than 1 week, it probably should change the account 
password in coordination with the AD server.  I don't think the account 
would be disabled.

7) I reviewed pwdLastSet available via "samba-tool show HOST".  I 
compared the result of pwdLastSet on two hosts that were joined to the 
domain at approximately the same time (same day, a few minutes apart) - one 
that has remained on, and the other that has remained off.  pwdLastSet 
on both of them is the time they were joined to the domain. Why would 
the one that remained on not have pwdLastSet updated if winbind is 
changing the account password weekly?

8) The clocks on the AD server and clients are in sync.

Any suggestions on what I might run to debug this issue would be 
appreciated.  I have many hosts that I can try on, though eventually I 
will have to rejoin them to the domain.

Jason.
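As an added diagnostic example (not part of the post above, nor Samba's own tooling): a small Python script that takes the pwdLastSet value samba-tool prints for a computer object, which AD stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), converts it to a date, and compares the resulting password age against Samba's documented default "machine password timeout" of 604800 seconds (one week). The host name LABPC01 and the LDIF-style output lines are constructed sample input; the "now" timestamp is the date of the post.

```python
import re
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Samba's documented default for "machine password timeout" (seconds) = one week.
DEFAULT_MACHINE_PASSWORD_TIMEOUT = 604800

# Constructed sample of the attribute lines samba-tool prints for a computer
# object (hypothetical host LABPC01; the value encodes 2021-07-01 00:00:00 UTC).
SAMPLE_OUTPUT = """\
dn: CN=LABPC01,OU=Labs,DC=example,DC=com
sAMAccountName: LABPC01$
pwdLastSet: 132695712000000000
"""

def parse_pwd_last_set(text: str) -> int:
    """Pull the integer pwdLastSet value out of LDIF-style samba-tool output."""
    match = re.search(r"^pwdLastSet:\s*(\d+)\s*$", text, re.MULTILINE)
    if match is None:
        raise ValueError("no pwdLastSet attribute in output")
    return int(match.group(1))

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME to a timezone-aware UTC datetime."""
    # 0 means "never set / change forced"; reject it rather than report year 1601.
    if filetime <= 0:
        raise ValueError("pwdLastSet is 0: password never set or reset pending")
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def password_age_seconds(pwd_last_set: int, now_unix: int) -> int:
    """Seconds elapsed between pwdLastSet and a Unix timestamp 'now'."""
    now = datetime.fromtimestamp(now_unix, tz=timezone.utc)
    return int((now - filetime_to_datetime(pwd_last_set)).total_seconds())

def is_overdue(pwd_last_set: int, now_unix: int,
               timeout_seconds: int = DEFAULT_MACHINE_PASSWORD_TIMEOUT) -> bool:
    """True when the machine password is older than Samba's rotation interval.
    Expected for a host that was powered off; on a host that stayed on it
    indicates winbind never rotated the password."""
    return password_age_seconds(pwd_last_set, now_unix) > timeout_seconds

if __name__ == "__main__":
    last_set = parse_pwd_last_set(SAMPLE_OUTPUT)
    now = 1635860947  # 2021-11-02 13:49:07 UTC, the date of the post
    print(filetime_to_datetime(last_set).isoformat(),
          password_age_seconds(last_set, now) // 86400, "days old,",
          "overdue" if is_overdue(last_set, now) else "within timeout")
```

Run it against the real output of samba-tool for the two hosts compared in point 7: if the "always on" host is overdue by months, winbind on that host has not been rotating its password at all.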