[Samba] potential machine account expiry question

Patrick Goetz pgoetz at math.utexas.edu
Tue Nov 2 14:20:40 UTC 2021

Hi -

I can't speak to this from the perspective of winbind, but this has been 
a chronic problem with sssd (for myself, and others), so I've run into a 
similar issue many times.

Once the kerberos ticket for a machine expires, it can't rejoin the 
domain without manual intervention. Not sure where you read these 
tickets don't expire, but they do.  Try running

   klist -kt

to see ticket timestamps.

At least in your case it's obvious why the ticket expired. sssd is 
supposed to be renewing the kerberos ticket automatically, but it 
doesn't always work for still unknown reasons. My solution to this for 
sssd is to run a cron job every night:

   00 12 * * 1 root  msktutil --update --computer-name cns-cryo-krak7 
--verbose --server austin.utexas.edu

That appears to have resolved the issue.

Again, your situation is more obvious, and since I haven't seen any 
reports of winbind having a similar problem, I'm hoping to not have to 
deal with this for my windbind-only installs.  <:)

On 11/2/21 08:49, Jason Keltz via samba wrote:
> Hi.
> I'm dealing with an interesting problem - potentially a machine account 
> expiry issue in Samba AD (Samba 4.14.8).
> We have multiple Linux computer labs of machines joined to AD (running 
> Winbind).  Two labs of machines have been off for a few months.  When 
> turned back on, none of those machines appear to be joined to the 
> domain.  They were all working fine before.  Other machines have 
> remained on since they were joined to the domain, and they continue to 
> function perfectly.
> I can report the following:
> 1) winbind is running on all the hosts, and I don't see any specific 
> errors on either the client or the server.
> 2) wbinfo -u and wbinfo -g still work (does the client have to be joined 
> to the domain for this to work?), yet getent passwd <user> returns 
> nothing (/etc/nsswitch.conf is the same as on a working machine with 
> "passwd: files winbind", and "group: files winbind".
> 3) wbinfo -t says "checking the trust secret for domain EECSYORKUCA via 
> RPC calls succeeded", wbinfo -m reports BUILTIN, the host name, and the 
> domain name, and wbinfo --online-status reports active connection for 
> BUILTIN, the hostname, and the domain name.
> 4)  if I rejoin one of these AD clients to the domain, then it works 
> fine without changing any configuration files at all, and continues to 
> work after a reboot.
> 5) Although information online is very sporadic about this particular 
> issue, the general consensus seems to be (at least for WIndows clients) 
> that an AD client which is off will never be automatically "expired"  by 
> the server after any amount of time. For Windows, there is a default 
> timeout of 30 days, then the *client* should change the workstation 
> account password itself when it comes online next whether that's in a 
> month or a year.
> 6) I see samba has the "machine password timeout" option.  I don't set 
> it in my smb.conf, so I assume that the the default of 1 week will be in 
> effect.  It's not clear what happens if this value is far exceeded. This 
> may be the WIndows equivalent of the 30 day password change. However, I 
> imagine that when the client comes online and winbind sees that it is 
> far longer than 1 week, it probably should change the account password 
> in coordination with the AD server.  I don't think the account would be 
> disabled.
> 7) I reviewed pwdLastSet available via "samba-tool show HOST".  I 
> compared the result of pwdLastSet on two hosts that were joined to the 
> domain at approximately same time (same day, a few minutes apart) - one 
> that has remained on, and the other that has remained off.  pwdLastSet 
> on both of them is the time they were joined to the domain. Why would 
> the one that remained on not have pwdLastSet updated if winbind is 
> changing the account password weekly?
> 8) The clocks on the AD server and clients are in sync.
> Any suggestions on what I might run to debug this issue would be 
> appreciated.  I have many hosts that I can try on, though eventually I 
> will have to rejoin them to the domain.
> Jason.

More information about the samba mailing list