[Samba] potential machine account expiry question
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 2 15:24:49 UTC 2021
kinit Administrator and run this script.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Its missing to much info in this mail below.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Jason Keltz via samba
> Verzonden: dinsdag 2 november 2021 14:49
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] potential machine account expiry question
>
> Hi.
>
> I'm dealing with an interesting problem - potentially a
> machine account
> expiry issue in Samba AD (Samba 4.14.8).
>
> We have multiple Linux computer labs of machines joined to AD
> (running
> Winbind). Two labs of machines have been off for a few months. When
> turned back on, none of those machines appear to be joined to the
> domain. They were all working fine before. Other machines have
> remained on since they were joined to the domain, and they
> continue to
> function perfectly.
>
> I can report the following:
>
> 1) winbind is running on all the hosts, and I don't see any specific
> errors on either the client or the server.
>
> 2) wbinfo -u and wbinfo -g still work (does the client have
> to be joined
> to the domain for this to work?), yet getent passwd <user> returns
> nothing (/etc/nsswitch.conf is the same as on a working machine with
> "passwd: files winbind", and "group: files winbind".
>
> 3) wbinfo -t says "checking the trust secret for domain
> EECSYORKUCA via
> RPC calls succeeded", wbinfo -m reports BUILTIN, the host
> name, and the
> domain name, and wbinfo --online-status reports active connection for
> BUILTIN, the hostname, and the domain name.
>
> 4) if I rejoin one of these AD clients to the domain, then it works
> fine without changing any configuration files at all, and
> continues to
> work after a reboot.
>
> 5) Although information online is very sporadic about this particular
> issue, the general consensus seems to be (at least for
> WIndows clients)
> that an AD client which is off will never be automatically
> "expired" by
> the server after any amount of time. For Windows, there is a default
> timeout of 30 days, then the *client* should change the workstation
> account password itself when it comes online next whether that's in a
> month or a year.
>
> 6) I see samba has the "machine password timeout" option. I
> don't set
> it in my smb.conf, so I assume that the the default of 1 week
> will be in
> effect. It's not clear what happens if this value is far exceeded.
> This may be the WIndows equivalent of the 30 day password change.
> However, I imagine that when the client comes online and winbind sees
> that it is far longer than 1 week, it probably should change
> the account
> password in coordination with the AD server. I don't think
> the account
> would be disabled.
>
> 7) I reviewed pwdLastSet available via "samba-tool show HOST". I
> compared the result of pwdLastSet on two hosts that were
> joined to the
> domain at approximately same time (same day, a few minutes
> apart) - one
> that has remained on, and the other that has remained off.
> pwdLastSet
> on both of them is the time they were joined to the domain. Why would
> the one that remained on not have pwdLastSet updated if winbind is
> changing the account password weekly?
>
> 8) The clocks on the AD server and clients are in sync.
>
> Any suggestions on what I might run to debug this issue would be
> appreciated. I have many hosts that I can try on, though
> eventually I
> will have to rejoin them to the domain.
>
> Jason.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list