[Samba] New options "sync machine password to keytab"/ "client ldap sasl wrapping"
Christian Naumer
christian.naumer at greyfish.net
Wed Feb 19 11:42:07 UTC 2025
Hi Pavel.
Could it be that the server changes the password on one DC and then
tries to read the relevant entries for the keytab via ldap on another DC
where the password change has not been replicated?
It looks like it tries to do a RESET but is not allowed, then it tries a
CHANGE, which works.
At the same time it tries to connect via LDAP to a different DC which
does not have the latest password yet.
Because I also see these:
First DC
Feb 19 12:34:17 dc1.domain.com samba[2198]: Password Change [Reset] at
[Wed, 19 Feb 2025 12:34:17.664184 CET] status [insufficient access
rights] remote host [Unknown] SID
[S-1-5-21-773202902-494389186-2375354597-135746] DN
[CN=HOST,CN=Computers,DC=domain,DC=com]
Feb 19 12:34:17 dc1.domain.com samba[2198]: [2025/02/19 12:34:17.664313,
5] ../../lib/audit_logging/audit_logging.c:97(audit_log_human_text)
Feb 19 12:34:17 dc1.domain.com samba[2198]: DSDB Transaction
[rollback] at [Wed, 19 Feb 2025 12:34:17.664305 CET] duration [2192]
Feb 19 12:34:17 dc1.domain.com samba[2198]: [2025/02/19 12:34:17.664384,
0] ../../source4/kdc/kpasswd-service-heimdal.c:234(kpasswd_set_password)
Feb 19 12:34:17 dc1.domain.com samba[2198]: kpasswd_set_password:
kpasswd_samdb_set_password failed - NT_STATUS_ACCESS_DENIED
Feb 19 12:34:17 dc1.domain.com samba[2204]: [2025/02/19 12:34:17.757666,
5] ../../lib/audit_logging/audit_logging.c:97(audit_log_human_text)
Feb 19 12:34:17 dc1.domain.com samba[2204]: Password Change [Change]
at [Wed, 19 Feb 2025 12:34:17.757642 CET] status [Success] remote host
[Unknown] SID [S-1-5-21-773202902-494389186-2375354597-135746] DN
[CN=HOST,CN=Computers,DC=domain,DC=com]
Feb 19 12:34:17 dc1.domain.com samba[2204]: [2025/02/19 12:34:17.911276,
2] ../../auth/auth_log.c:876(log_authentication_event_human_readable)
Second DC:
Feb 19 12:34:17 dc2.domain.com samba[9164]: Auth: [LDAP,NTLMSSP] user
[DOMAIN]\[HOST$] at [Wed, 19 Feb 2025 12:34:17.946238 CET] with [NTLMv2]
status [NT_STATUS_WRONG_PASSWORD] workstation [HOST] remote host
[ipv4:192.168.0.31:57228] mapped to [DOMAIN]\[HOST$]. local host
[ipv4:192.168.0.91:389]
Any thoughts on this?
Regards
Christian
On 19.02.25 at 12:21, Christian Naumer via samba wrote:
> On 19.02.25 at 11:22, Pavel Fiipenský via samba wrote:
>> Does the issue also happen with samba 4.21.3?
>
>
> I just checked. I actually started with 4.21.3 and upgraded yesterday to
> see if this is fixed.
>
>
> Regards
>
> Christian
>
>
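Added example (not part of the original post and not Samba code): one way to test the replication hypothesis above against merged DC logs, by pairing a successful machine password change on one DC with an NT_STATUS_WRONG_PASSWORD for the same account on a different DC shortly afterwards. The function names, the 60-second window and the CN-plus-"$" account mapping are assumptions; the sample lines are constructed from the entries quoted in the message.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the journal entries quoted above, each joined onto one line.
SAMPLE_LOG = r"""
Feb 19 12:34:17 dc1.domain.com samba[2198]:   Password Change [Reset] at [Wed, 19 Feb 2025 12:34:17.664184 CET] status [insufficient access rights] remote host [Unknown] SID [S-1-5-21-773202902-494389186-2375354597-135746] DN [CN=HOST,CN=Computers,DC=domain,DC=com]
Feb 19 12:34:17 dc1.domain.com samba[2204]:   Password Change [Change] at [Wed, 19 Feb 2025 12:34:17.757642 CET] status [Success] remote host [Unknown] SID [S-1-5-21-773202902-494389186-2375354597-135746] DN [CN=HOST,CN=Computers,DC=domain,DC=com]
Feb 19 12:34:17 dc2.domain.com samba[9164]:   Auth: [LDAP,NTLMSSP] user [DOMAIN]\[HOST$] at [Wed, 19 Feb 2025 12:34:17.946238 CET] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [HOST] remote host [ipv4:192.168.0.31:57228] mapped to [DOMAIN]\[HOST$]. local host [ipv4:192.168.0.91:389]
"""

PREFIX = r"^\S+ +\d+ [\d:]+ (?P<dc>\S+) samba\[\d+\]:\s+"
STAMP = r"at \[\w+, (?P<ts>\d+ \w+ \d+ [\d:.]+) \w+\]"
CHANGE_RE = re.compile(PREFIX + r"Password Change \[\w+\] " + STAMP
                       + r" status \[Success\].* DN \[CN=(?P<cn>[^,\]]+),")
FAIL_RE = re.compile(PREFIX + r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<acct>[^\]]+)\] "
                     + STAMP + r".* status \[NT_STATUS_WRONG_PASSWORD\]")

def parse_ts(text):
    # The zone name is dropped: assumes every DC logs in the same timezone.
    return datetime.strptime(text, "%d %b %Y %H:%M:%S.%f")

def find_replication_races(log_text, window_s=60.0):
    """Return (account, changed_on, failed_on, delay_ms) for each correlated pair."""
    changes, failures = [], []
    for line in log_text.splitlines():
        if m := CHANGE_RE.search(line):
            # Assumption: a computer account's logon name is its CN plus "$".
            changes.append((m["cn"].upper() + "$", m["dc"], parse_ts(m["ts"])))
        elif m := FAIL_RE.search(line):
            failures.append((m["acct"].upper(), m["dc"], parse_ts(m["ts"])))
    hits = []
    for acct, fail_dc, failed_at in failures:
        for c_acct, change_dc, changed_at in changes:
            delay = failed_at - changed_at
            # Same account, different DC, failure shortly after the successful change.
            if (c_acct == acct and change_dc != fail_dc
                    and 0 <= delay.total_seconds() <= window_s):
                hits.append((acct, change_dc, fail_dc, delay // timedelta(milliseconds=1)))
    return hits

if __name__ == "__main__":
    for acct, change_dc, fail_dc, ms in find_replication_races(SAMPLE_LOG):
        print(f"{acct}: changed on {change_dc}, WRONG_PASSWORD on {fail_dc} {ms} ms later")
```

The failed Reset is ignored because only changes with status [Success] are paired; a failure on the same DC that accepted the change is not reported, since that would not be a replication delay.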