[Samba] How to cope when you changed the DC's own account password

Andrew Bartlett abartlet at samba.org
Wed Jun 5 19:56:44 UTC 2024


This is the tool to fix it, assuming only the password was changed:

./source4/scripting/devel/chgtdcpass

If run from a source tree that is not how you built Samba, you may need
to specify options to point at the right paths etc.

A long-desired feature of mine is to have Samba refuse to accept a
password change on or deletion of its own DC account.

If the account was deleted, my only suggestion is to hope enough of the
system is still working to join a new DC.  I might do that anyway, if I
couldn't be totally sure.

Finally, the backup/restore tooling might also work, as we delete the
DC account and rebuild it on the restored DC. But that is much the same
disruption as joining a new DC.

Andrew Bartlett
On Wed, 2024-06-05 at 15:25 +0300, Omnis ludis - games via samba wrote:
> Yes, well, I understand that you can't use sssd, but I already have
> this problem and I'm asking for help, what can I do to make samba
> accept the computer password back and everything works again, any tip
> in this direction maybe I need to fix some keytab or change kvno
> somewhere, any hint in this direction would give a chance that
> even such a problem can be fixed
> 
> Wed, 5 Jun 2024 at 15:17, Christian Naumer via samba <
> samba at lists.samba.org>:
> > Hi there,
> > 
> > NEVER ever use sssd on a DC!!!!!! I did this once and sssd
> > moved the DC from OU "Domain Controllers" to "Domain Computers".
> > Even if this did not happen for you I still repeat "DO NOT DO THIS"
> > Sorry for all the capital letters but this nearly broke my AD. I was
> > lucky at the time that I had 3 more DCs. You can enable login to the
> > DC with domain accounts without sssd. See here:
> > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> > 
> > 
> > Regards
> > 
> > Christian
> > On 05.06.24 at 14:02, Omnis ludis - games via samba wrote:
> > > Good afternoon, tell me, this error occurs on the domain controller
> > > samba v 4.19.0, I paired the domain controller with sssd so that
> > > authentication occurs under domain accounts on the domain controller,
> > > but as you know, sssd changes the machine password every 30 days if
> > > this option is not disabled: ad_maximum_machine_account_password_age = 0
> > > I haven't disabled it for 30 days and as I understand it, the password
> > > has changed and when I call samba-tool drs showrepl the following
> > > error occurs
> > > 
> > > samba-tool drs showrepl -d 5
> > > INFO: Current debug levels:
> > > lpcfg_load: refreshing parameters from /opt/samba/etc/smb.conf
> > > ldb_wrap open of secrets.ldb
> > > GENSEC backend 'gssapi_spnego' registered
> > > GENSEC backend 'gssapi_krb5' registered
> > > GENSEC backend 'gssapi_krb5_sasl' registered
> > > GENSEC backend 'spnego' registered
> > > GENSEC backend 'schannel' registered
> > > GENSEC backend 'ncalrpc_as_system' registered
> > > GENSEC backend 'sasl-EXTERNAL' registered
> > > GENSEC backend 'ntlmssp' registered
> > > GENSEC backend 'ntlmssp_resume_ccache' registered
> > > GENSEC backend 'http_basic' registered
> > > GENSEC backend 'http_ntlm' registered
> > > GENSEC backend 'http_negotiate' registered
> > > GENSEC backend 'krb5' registered
> > > GENSEC backend 'fake_gssapi_krb5' registered
> > > Using binding ncacn_ip_tcp:dc1.red-soft.biz[,seal]
> > > Mapped to DCERPC endpoint 135
> > > added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> > > added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> > > resolve_lmhosts: Attempting lmhosts lookup for name dc1.test.dom<0x20>
> > > startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No such file or directory
> > > Mapped to DCERPC endpoint 49153
> > > added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> > > added interface ens3 ip=10.81.0.250 bcast=10.81.0.255 netmask=255.255.255.0
> > > resolve_lmhosts: Attempting lmhosts lookup for name dc1.red-soft.biz<0x20>
> > > startlmhosts: Can't open lmhosts file /opt/samba/etc/lmhosts. Error was No such file or directory
> > > Starting GENSEC mechanism spnego
> > > Starting GENSEC submechanism gssapi_krb5
> > > Received smb_krb5 packet of length 294
> > > Received smb_krb5 packet of length 203
> > > Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
> > > Wrong username or password: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
> > > gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
> > > gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/DC1.TEST.DOM failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
> > > Starting GENSEC submechanism ntlmssp
> > > Got challenge flags:
> > > Got NTLMSSP neg_flags=0x62898235
> > >    NTLMSSP_NEGOTIATE_UNICODE
> > >    NTLMSSP_REQUEST_TARGET
> > >    NTLMSSP_NEGOTIATE_SIGN
> > >    NTLMSSP_NEGOTIATE_SEAL
> > >    NTLMSSP_NEGOTIATE_NTLM
> > >    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > >    NTLMSSP_TARGET_TYPE_DOMAIN
> > >    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > >    NTLMSSP_NEGOTIATE_TARGET_INFO
> > >    NTLMSSP_NEGOTIATE_VERSION
> > >    NTLMSSP_NEGOTIATE_128
> > >    NTLMSSP_NEGOTIATE_KEY_EXCH
> > > NTLMSSP: Set final flags:
> > > Got NTLMSSP neg_flags=0x62088235
> > >    NTLMSSP_NEGOTIATE_UNICODE
> > >    NTLMSSP_REQUEST_TARGET
> > >    NTLMSSP_NEGOTIATE_SIGN
> > >    NTLMSSP_NEGOTIATE_SEAL
> > >    NTLMSSP_NEGOTIATE_NTLM
> > >    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > >    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > >    NTLMSSP_NEGOTIATE_VERSION
> > >    NTLMSSP_NEGOTIATE_128
> > >    NTLMSSP_NEGOTIATE_KEY_EXCH
> > > NTLMSSP Sign/Seal - Initialising with flags:
> > > Got NTLMSSP neg_flags=0x62088235
> > >    NTLMSSP_NEGOTIATE_UNICODE
> > >    NTLMSSP_REQUEST_TARGET
> > >    NTLMSSP_NEGOTIATE_SIGN
> > >    NTLMSSP_NEGOTIATE_SEAL
> > >    NTLMSSP_NEGOTIATE_NTLM
> > >    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > >    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > >    NTLMSSP_NEGOTIATE_VERSION
> > >    NTLMSSP_NEGOTIATE_128
> > >    NTLMSSP_NEGOTIATE_KEY_EXCH
> > > dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
> > > Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.81.0.250[49153,seal,target_hostname=dc1.test.dom,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.81.0.250] NT_STATUS_LOGON_FAILURE
> > > ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.test.dom failed - drsException: DRS connection to dc1.test.dom failed: (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
> > >    File "samba/netcmd/drs.py", line 55, in samba.netcmd.drs.drsuapi_connect
> > >    File "samba/drs_utils.py", line 78, in samba.drs_utils.drsuapi_connect
> > > 
> > > even if you can tell me the direction why this could happen, I
> > > will be grateful, here is my samba config
> > > 
> > > # Global parameters
> > > [global]
> > >         netbios name = DC1
> > >         realm = TEST.DOM
> > >         server role = active directory domain controller
> > >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > >         workgroup = TEST
> > >         idmap_ldb:use rfc2307 = yes
> > >         map acl inherit = yes
> > >         allow dns updates = nonsecure
> > >         dsdb:schema update allowed = true
> > >         ldap server require strong auth = no
> > >         dedicated keytab file = /etc/krb5.keytab
> > >         kerberos method = dedicated keytab
> > > 
> > > [sysvol]
> > >         path = /opt/samba/var/locks/sysvol
> > >         read only = No
> > > 
> > > [netlogon]
> > >         path = /opt/samba/var/locks/sysvol/red-soft.biz/scripts
> > >         read only = No
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
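A small offline triage script, added here as an example for this thread and not Samba's own code: it classifies the `samba-tool drs showrepl -d 5` failure quoted above (the `kinit for DC1$@TEST.DOM failed (Preauthentication failed)` lines) and answers the "fix some keytab or change kvno" question by comparing the key version numbers in the DC's keytab with msDS-KeyVersionNumber in the directory. Assumptions: the `klist -kte` output layout is MIT krb5's, the Kerberos error text "Client not found in Kerberos database" (KDC_ERR_C_PRINCIPAL_UNKNOWN) marks the deleted-account case, the sample inputs are constructed from the thread's messages, and the ldb path in the comment is a placeholder.

```python
"""Offline triage for the failure in this thread: a Samba AD DC whose own
machine-account password was changed behind its back (here by sssd), so the
credentials the DC holds locally no longer match the directory.

Added example, not Samba project code.  It only parses text, so it runs
without a DC: feed it the output of `samba-tool drs showrepl -d 5`, of
`klist -kte <keytab>` (MIT krb5 layout assumed) and of an ldbsearch for
msDS-KeyVersionNumber.  All sample inputs below are constructed.
"""
import re

# Constructed: lines taken from the showrepl debug output quoted in the thread.
SAMPLE_SHOWREPL = """\
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 203
Failed to get kerberos credentials: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
Wrong username or password: kinit for DC1$@TEST.DOM failed (Preauthentication failed)
gensec_update_done: gssapi_krb5[0x55d227285240]: NT_STATUS_LOGON_FAILURE
Starting GENSEC submechanism ntlmssp
dcerpc: alter_resp - rpc fault: DCERPC_FAULT_SEC_PKG_ERROR
"""

# Constructed: what `klist -kte /etc/krb5.keytab` prints on the DC (MIT layout).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   3 06/05/2024 14:02:00 DC1$@TEST.DOM (aes256-cts-hmac-sha1-96)
   3 06/05/2024 14:02:00 DC1$@TEST.DOM (aes128-cts-hmac-sha1-96)
"""

# Constructed: ldbsearch of the DC's own computer object (path is a placeholder):
#   ldbsearch -H /PATH/TO/private/sam.ldb '(sAMAccountName=DC1$)' msDS-KeyVersionNumber
SAMPLE_LDB = """\
# record 1
dn: CN=DC1,OU=Domain Controllers,DC=test,DC=dom
msDS-KeyVersionNumber: 4
"""

KINIT_FAIL = re.compile(r"kinit for (?P<princ>\S+\$@\S+) failed\s*\((?P<reason>[^)]*)\)")
KEYTAB_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<when>.*?)\s+(?P<princ>\S+\$@\S+)")
KVNO_ATTR = re.compile(r"^msDS-KeyVersionNumber:\s*(?P<kvno>\d+)\s*$", re.MULTILINE)


def classify_showrepl(output):
    """Map the first kinit failure of a machine account ($) to a verdict."""
    for line in output.splitlines():
        m = KINIT_FAIL.search(line)
        if not m:
            continue
        princ, reason = m.group("princ"), m.group("reason")
        if "Preauthentication failed" in reason:
            # The KDC knows the account but rejected the key: the DC's local
            # copy of its own password is stale.  This is the thread's case.
            return ("dc-account-credential-mismatch", princ)
        if "Client not found in Kerberos database" in reason:
            # Assumed wording for KDC_ERR_C_PRINCIPAL_UNKNOWN: the account is
            # gone, the "deleted" case where re-joining a DC is advised.
            return ("dc-account-missing", princ)
        return ("kerberos-failure:" + reason, princ)
    if "NT_STATUS_LOGON_FAILURE" in output:
        return ("logon-failure-no-kinit-detail", None)
    return ("no-auth-failure-seen", None)


def keytab_kvnos(klist_output, principal):
    """KVNOs the keytab holds for `principal` (one row per encryption type)."""
    kvnos = set()
    for line in klist_output.splitlines():
        m = KEYTAB_ROW.match(line)
        if m and m.group("princ") == principal:
            kvnos.add(int(m.group("kvno")))
    return kvnos


def directory_kvno(ldb_output):
    """msDS-KeyVersionNumber from the directory, or None if absent."""
    m = KVNO_ATTR.search(ldb_output)
    return int(m.group("kvno")) if m else None


def kvno_mismatch(klist_output, ldb_output, principal):
    """True when the directory's key version is not present in the keytab."""
    dir_kvno = directory_kvno(ldb_output)
    return dir_kvno is not None and dir_kvno not in keytab_kvnos(klist_output, principal)


def triage(showrepl, klist_output, ldb_output):
    """Combine the checks into one finding, with the remedy the thread gives."""
    verdict, princ = classify_showrepl(showrepl)
    finding = {"verdict": verdict, "principal": princ}
    if princ:
        finding["kvno_keytab"] = sorted(keytab_kvnos(klist_output, princ))
        finding["kvno_directory"] = directory_kvno(ldb_output)
        finding["kvno_mismatch"] = kvno_mismatch(klist_output, ldb_output, princ)
    if verdict == "dc-account-credential-mismatch":
        finding["next_step"] = "reset the DC's stored password with source4/scripting/devel/chgtdcpass"
    elif verdict == "dc-account-missing":
        finding["next_step"] = "account deleted: join a new DC (or use backup/restore)"
    else:
        finding["next_step"] = "inspect the debug output further"
    return finding


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SHOWREPL, SAMPLE_KLIST, SAMPLE_LDB).items():
        print(f"{key}: {value}")
```

The kvno comparison is only a supporting indicator: the directory increments msDS-KeyVersionNumber on every password change, so a directory kvno the keytab has never seen points at the same stale-credential condition the preauthentication failure reports. The script deliberately changes nothing; the remedy for the password-only case is the chgtdcpass tool named at the top of this message.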