[Samba] 'Scripted' machine account renewal?!
Kees van Vloten
keesvanvloten at gmail.com
Thu Jun 6 09:13:45 UTC 2024
On 24-03-2024 at 17:42, Marco Gaiarin via samba wrote:
> Hi! Kees van Vloten via samba
> On that day it was said...
>
>> Solution is easy: upgrading winbind from Debian backports solves the issue !
> I've upgraded to latest buster version 4.18.10+dfsg-1~buster, but still does
> not work for me...
>
> Now display:
>
> root at vfwacpn1:~# net ads changetrustpw
> get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
> Changing password for principal:vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
> Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
>
> if i force the target server:
>
> root at vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
> ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
> Changing password for principal:vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
> Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
>
I think I finally figured out what the issue is:
When you do: 'net ads -P changetrustpw', it will change the password on
the DC and update the local secret store to use the new password.
However with each new machine password, a new version (kvno) of the
keytabs in /etc/krb5.keytab is required. The above command does not
update your keytab file and as a result subsequent calls to change the
machine password will fail. Other things that make use of a keytab for
authentication (such as kerberized NFS) will also fail, but on most
machines you will probably not notice that you have outdated keytabs in
the keytab file.
The simple solution is to update the keytabs with:
  # re-add every principal currently in the keytab (realm stripped, duplicates
  # collapsed), so each one gets keys at the new kvno
  for kt in $(net ads keytab list | awk 'NR > 1 {sub(/@.+/, ""); print $3}' | sort -u); do
      net ads keytab add $kt
  done
Now everything is back in sync and works as expected.
I heard work was being done to have winbind update the machine
password regularly. I don't know if it is already in 4.20 or still
waiting to go into mainline and land in one of the next versions of
Samba. That would make the above obsolete :-)
- Kees.
> In /etc/krb5.conf i've set:
>
> [libdefaults]
> default_realm = AD.AC.CONCORDIA-PORDENONE.IT
> dns_lookup_realm = false
> dns_lookup_kdc = false
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> [realms]
> AD.AC.CONCORDIA-PORDENONE.IT = {
> kdc = kdc.ad.ac.concordia-pordenone.it
> master_kdc = kdc.ad.ac.concordia-pordenone.it
> admin_server = kdc.ad.ac.concordia-pordenone.it
> default_domain = ad.ac.concordia-pordenone.it
> }
>
> clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:
>
> root at vfwacpn1:~# grep kdc /etc/hosts
> 10.172.1.8 vdcacpn1.ac.concordia-pordenone.it kdc.ad.ac.concordia-pordenone.it ad.ac.concordia-pordenone.it vdcacpn1
>
> Join still seems valid:
>
> root at vfwacpn1:~# net ads testjoin
> get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
> get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
> Join is OK
> root at vfwacpn1:~# net ads testjoin -S kdc.ad.ac.concordia-pordenone.it
> get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
> ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
> Join is OK
>
> and i can get data i need:
>
> root at vfwacpn1:~# samba-tool group listmembers group1 -Hldap://ad.ac.concordia-pordenone.it -P
> user1
> user2
> user3
>
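The kvno check that the thread above leaves implicit, written out as an added example (not Kees's or Marco's code, and not part of Samba). It assumes three things: that `net ads keytab list` prints a header line followed by "Vno Type Principal" rows, that `net ads search` prints its results as "attribute: value" lines, and that `-P` makes `net` authenticate with the machine account from secrets.tdb. The sample listings are constructed for the example, with hypothetical names in ad.example.com, and show the state after one `net ads -P changetrustpw` without a keytab refresh: the keytab still holds kvno 3 while AD's msDS-KeyVersionNumber is already 4.

```shell
#!/bin/sh
# Added example: detect a keytab that lags the machine account's kvno in AD,
# and re-add the keytab entries only when it does.

# Unique principals (realm stripped) from a `net ads keytab list` listing on stdin.
keytab_principals() {
    awk 'NR > 1 && NF >= 3 { sub(/@.*$/, "", $3); print $3 }' | LC_ALL=C sort -u
}

# Highest kvno present in a keytab listing on stdin (0 for an empty keytab).
keytab_max_kvno() {
    awk 'BEGIN { max = 0 } NR > 1 && NF >= 3 && $1 + 0 > max { max = $1 + 0 } END { print max }'
}

# msDS-KeyVersionNumber from `net ads search ... msDS-KeyVersionNumber` output on stdin
# (assumes the "attribute: value" output format).
ad_kvno_from_search() {
    awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2; exit }'
}

# True when AD has rotated the machine password past what the keytab holds.
keytab_is_stale() {   # $1 = kvno in keytab, $2 = kvno in AD
    [ "$2" -gt "$1" ]
}

# Constructed sample output (hypothetical names): keytab at kvno 3.
sample_keytab_listing() {
    cat <<'EOF'
Vno  Type                                        Principal
  3  aes256-cts-hmac-sha1-96                     host/vfwacpn1.ad.example.com@AD.EXAMPLE.COM
  3  aes128-cts-hmac-sha1-96                     host/vfwacpn1.ad.example.com@AD.EXAMPLE.COM
  3  aes256-cts-hmac-sha1-96                     host/VFWACPN1@AD.EXAMPLE.COM
  3  aes256-cts-hmac-sha1-96                     nfs/vfwacpn1.ad.example.com@AD.EXAMPLE.COM
  3  aes256-cts-hmac-sha1-96                     VFWACPN1$@AD.EXAMPLE.COM
EOF
}

# Constructed sample output (hypothetical names): AD already at kvno 4.
sample_ad_search() {
    cat <<'EOF'
dn: CN=VFWACPN1,CN=Computers,DC=ad,DC=example,DC=com
msDS-KeyVersionNumber: 4

Got 1 replies
EOF
}

# The real check, to be run as root on the domain member. Re-adds every
# principal from the keytab so each one gets keys at the current kvno.
keytab_resync() {
    listing=$(net ads keytab list) || return 1
    # the machine account principal is the one ending in '$'
    account=$(printf '%s\n' "$listing" | keytab_principals | grep '\$$' | head -n 1)
    have=$(printf '%s\n' "$listing" | keytab_max_kvno)
    want=$(net ads search -P "(sAMAccountName=$account)" msDS-KeyVersionNumber | ad_kvno_from_search)
    case "$want" in
        ''|*[!0-9]*) echo "could not read msDS-KeyVersionNumber for $account from AD" >&2; return 1 ;;
    esac
    if ! keytab_is_stale "$have" "$want"; then
        echo "keytab kvno $have matches AD kvno $want, nothing to do"
        return 0
    fi
    echo "keytab kvno $have is behind AD kvno $want, refreshing /etc/krb5.keytab"
    for spn in $(printf '%s\n' "$listing" | keytab_principals); do
        net ads keytab add -P "$spn" || return 1
    done
}
```

Run `keytab_resync` after every scripted `net ads -P changetrustpw`, or from cron, and it becomes a no-op once the keytab and AD agree; the parsing functions take their input on stdin, so they can be tried against the constructed samples before being pointed at a real domain member.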