[Samba] 'Scripted' machine account renewal?!
Rowland Penny
rpenny at samba.org
Sun Mar 24 17:32:31 UTC 2024
On Sun, 24 Mar 2024 17:42:03 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Greetings! Kees van Vloten via samba
> On that day, you wrote...
>
> > Solution is easy: upgrading winbind from Debian backports solves
> > the issue !
>
> I've upgraded to the latest buster version 4.18.10+dfsg-1~buster, but
> it still does not work for me...
There must be a reason why you are still using Debian buster, but it
escapes me.
>
> Now display:
>
> root at vfwacpn1:~# net ads changetrustpw
> get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
> Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
> Password change failed: No more connections can be made to this remote
> computer at this time because the computer has already accepted the
> maximum number of connections.
>
> If I force the target server:
>
> root at vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
> ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed
> for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$],
> realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a
> service or function.
> Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
> Password change failed: No more connections can be made to this remote
> computer at this time because the computer has already accepted the
> maximum number of connections.
Why do you have a computer with the short hostname 'kdc' ?
>
>
> In /etc/krb5.conf I've set:
>
> [libdefaults]
>     default_realm = AD.AC.CONCORDIA-PORDENONE.IT
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> [realms]
>     AD.AC.CONCORDIA-PORDENONE.IT = {
>         kdc = kdc.ad.ac.concordia-pordenone.it
>         master_kdc = kdc.ad.ac.concordia-pordenone.it
>         admin_server = kdc.ad.ac.concordia-pordenone.it
>         default_domain = ad.ac.concordia-pordenone.it
>     }
>
The default Samba krb5.conf is sufficient:

[libdefaults]
    default_realm = AD.AC.CONCORDIA-PORDENONE.IT
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AD.AC.CONCORDIA-PORDENONE.IT = {
        default_domain = ad.ac.concordia-pordenone.it
    }

[domain_realm]
    VFWACPN1 = AD.AC.CONCORDIA-PORDENONE.IT
> Clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:
>
> root at vfwacpn1:~# grep kdc /etc/hosts
> 10.172.1.8 vdcacpn1.ac.concordia-pordenone.it kdc.ad.ac.concordia-pordenone.it ad.ac.concordia-pordenone.it vdcacpn1
AAAARRRRGGGGHHHHH
Why is 10.172.1.8 pointing to all that? It should be:

10.172.1.8 vdcacpn1.ad.ac.concordia-pordenone.it vdcacpn1

BUT the hostname was 'vfwacpn1' above, not sure what is going on here.
Rowland
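The two misconfigurations Rowland points at (a hand-pinned KDC in krb5.conf with DNS lookup switched off, and a DC line in /etc/hosts that carries the wrong DNS domain plus stray aliases) can be caught with a small shell check before running 'net ads' again. The script below is an added example written for this page, not code from the thread or from the Samba project. It reuses the hostnames and realm quoted above as constructed sample input; the function names are my own, and the rule it enforces is Rowland's: the DC's hosts line holds only '<ip> <short>.<ad-dns-domain> <short>', and krb5.conf should neither set dns_lookup_kdc = false nor hard-code kdc/master_kdc/admin_server.

```shell
#!/bin/sh
# Added example (not from the list thread): sanity-check the two files that
# were quoted in the thread on a Samba domain member. Names are assumptions
# taken from the thread for illustration.

# check_hosts_line LINE DOMAIN
#   LINE   one /etc/hosts line, e.g. "10.172.1.8 vdcacpn1.ad.example.com vdcacpn1"
#   DOMAIN the AD DNS domain (the realm in lower case)
# Returns 0 if the line is "<ip> <short>.<DOMAIN> <short>" (the short alias is
# optional), 1 for a wrong domain or any extra alias such as a bare "kdc" name.
check_hosts_line() {
    line=$1
    domain=$2
    set -- $line            # split the line: $1 is the IP, the rest are names
    ip=$1; shift
    fqdn=$1
    case "$fqdn" in
        *.$domain) short=${fqdn%.$domain} ;;
        *) echo "BAD  $ip: first name '$fqdn' is not under '$domain'"; return 1 ;;
    esac
    shift
    status=0
    for alias in "$@"; do
        [ "$alias" = "$short" ] && continue
        echo "BAD  $ip: unexpected alias '$alias' (only '$short' belongs on this line)"
        status=1
    done
    [ $status -eq 0 ] && echo "OK   $ip $fqdn $short"
    return $status
}

# check_krb5_conf < krb5.conf
# Flags the settings from the thread that defeat DNS-based KDC discovery:
# dns_lookup_kdc = false, and a hard-coded kdc = / master_kdc = / admin_server =.
# Returns 0 when none are present, 1 otherwise.
check_krb5_conf() {
    rc=0
    while IFS= read -r l; do
        key=$(printf '%s' "$l" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//')
        val=$(printf '%s' "$l" | sed 's/^[^=]*=[[:space:]]*//')
        case "$key" in
            dns_lookup_kdc)
                [ "$val" = true ] || { echo "BAD  dns_lookup_kdc = $val (should be true)"; rc=1; } ;;
            kdc|master_kdc|admin_server)
                echo "BAD  hard-coded $key = $val (let DNS SRV records find the DC)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input, copied from the thread.
DOMAIN=ad.ac.concordia-pordenone.it
BAD_LINE="10.172.1.8 vdcacpn1.ac.concordia-pordenone.it kdc.ad.ac.concordia-pordenone.it ad.ac.concordia-pordenone.it vdcacpn1"
GOOD_LINE="10.172.1.8 vdcacpn1.ad.ac.concordia-pordenone.it vdcacpn1"
KRB5_BAD="[libdefaults]
    dns_lookup_kdc = false
[realms]
    AD.AC.CONCORDIA-PORDENONE.IT = {
        kdc = kdc.ad.ac.concordia-pordenone.it
    }"

check_hosts_line "$BAD_LINE" "$DOMAIN" || :
check_hosts_line "$GOOD_LINE" "$DOMAIN"
printf '%s\n' "$KRB5_BAD" | check_krb5_conf || :
```

To use it on a live member, feed the real files: `grep -v '^#' /etc/hosts | while read -r l; do check_hosts_line "$l" "$DOMAIN"; done` and `check_krb5_conf < /etc/krb5.conf`. A clean result does not prove the DC is reachable; it only removes the two local overrides that were masking DNS in the thread, after which `net ads info` should find the DC through the _kerberos and _ldap SRV records.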