[Samba] 'Scripted' machine account renewal?!
Marco Gaiarin
gaio at lilliput.linux.it
Sun Mar 24 16:42:03 UTC 2024
Hello! Kees van Vloten via samba
On that day it was said...
> Solution is easy: upgrading winbind from Debian backports solves the issue !
I've upgraded to the latest buster version 4.18.10+dfsg-1~buster, but it still does
not work for me...
Now it displays:
root@vfwacpn1:~# net ads changetrustpw
get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
If I force the target server:
root@vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
In /etc/krb5.conf I've set:
[libdefaults]
default_realm = AD.AC.CONCORDIA-PORDENONE.IT
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
AD.AC.CONCORDIA-PORDENONE.IT = {
kdc = kdc.ad.ac.concordia-pordenone.it
master_kdc = kdc.ad.ac.concordia-pordenone.it
admin_server = kdc.ad.ac.concordia-pordenone.it
default_domain = ad.ac.concordia-pordenone.it
}
Clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:
root@vfwacpn1:~# grep kdc /etc/hosts
10.172.1.8 vdcacpn1.ac.concordia-pordenone.it kdc.ad.ac.concordia-pordenone.it ad.ac.concordia-pordenone.it vdcacpn1
Join still seems valid:
root@vfwacpn1:~# net ads testjoin
get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
Join is OK
root@vfwacpn1:~# net ads testjoin -S kdc.ad.ac.concordia-pordenone.it
get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
Join is OK
And I can get the data I need:
root@vfwacpn1:~# samba-tool group listmembers group1 -H ldap://ad.ac.concordia-pordenone.it -P
user1
user2
user3
--
The ways of the Lord are infinite.
It's the signage that leaves something to be desired...