Rob Faulkner
2010-Feb-02 11:18 UTC
[Samba] AD Computer Account Becoming Disabled on Re-Join
Dear All,

Environment is:

- Squid proxy on Linux
- Samba (have tried 3.2.8 and 3.4.3) as a domain client (ADS)
- Heimdal Kerberos
- Active Directory on multiple local Windows Server 2003 domain controllers (single domain)

Squid is joining the AD domain with ADS via Samba in order to authenticate users with NTLM etc and perform LDAP queries. As part of the Squid configuration, on startup the system performs a net ads join to join the domain, and on restart of the squid services it leaves the domain then re-joins.

Somewhere in the region of 2 out of 3 times that this leave/re-join process occurs, the computer account in AD becomes disabled and the box is unable to complete the join. In most cases going through the leave/re-join resolves this issue and the account becomes re-enabled.

This is somewhat frustrating, as the "usual" things that can go wrong (bind account credentials/logon names, DNS forward/reverse resolution, server hostname, clock skew, AD permissions, etc) all seem to be fine - and indeed some of the time the joins occur without a problem.

Investigating what happens when the account becomes disabled doesn't yield anything interesting to me:

smb.conf

    [global]
    workgroup = DOMAIN
    netbios name = SQUID-1
    realm = DOMAIN.LOCAL
    security = ads
    password server = DC2.DOMAIN.LOCAL
    winbind separator = /
    winbind enum users = yes
    winbind enum groups = yes

krb5.conf

    [libdefaults]
    default_realm = DOMAIN.LOCAL
    clockskew = 300

    [realms]
    DOMAIN.LOCAL = {
        admin_server = tcp/DC2.domain.local:749
        kdc = tcp/DC2.domain.local:88
        admin_server = tcp/DC5.domain.local:749
        kdc = tcp/DC5.domain.local:88
        default_domain = domain.local
    }

    [domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

AD Event Logs:

    Event Type: Error
    Event Source: NETLOGON
    Event Category: None
    Event ID: 5723
    Computer: DC5
    Description: The session setup from computer 'SQUID-1' failed because the security database does not contain a trust account 'SQUID-1$' referenced by the specified computer.
    Data: 0000: 8b 01 00 c0 ?..?

    Event Type: Error
    Event Source: NETLOGON
    Event Category: None
    Event ID: 5805
    Computer: DC5
    Description: The session setup from the computer SQUID-1 failed to authenticate. The following error occurred: Access is denied.
    Data: 0000: 22 00 00 c0 "..?

Winbind Logs:

    [Object becomes disabled: ]
    libsmb/cliconnect.c:996(cli_session_setup_spnego) Kinit failed: Preauthentication failed

    [Object becomes re-enabled: ]
    winbindd/winbindd.c:190(winbindd_sig_term_handler) Got sig[15] terminate (is_parent=0)

    [Object becomes disabled: ]
    winbindd/winbindd.c:190(winbindd_sig_term_handler) Got sig[15] terminate (is_parent=0)
    libsmb/cliconnect.c:996(cli_session_setup_spnego) Kinit failed: Clients credentials have been revoked

I do have a number of packet traces of these exchanges, but briefly, does anyone know what the best things to look for are? I can see the KRB5KDC_ERR_CLIENT_REVOKED NT Status: STATUS_ACCOUNT_DISABLED that seems to go along with what winbind reports.

Is there any significance in this being a multi-DC environment, in that I can see the Kerberos exchange occurring with one DC and the SMB exchange (Session Setup, Tree Connect, etc) with a different DC?

There are fundamental gaps in my understanding of the end-to-end process involved here, however I would appreciate if anyone can see anything glaringly wrong, has seen this before, or can give me any more avenues of investigation.

Many thanks in advance,
Rob.
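A small triage helper for the kind of evidence quoted above, added here as an example and not part of Rob's post or of Samba's tooling. It decodes the four little-endian bytes that a NETLOGON event carries after "Data: 0000:" into an NTSTATUS code (the mapping table is from the public NTSTATUS list), and it classifies the winbind "Kinit failed" lines into the account-state problem they usually indicate. The sample lines are constructed from the ones quoted in the post; the hint text for each finding is the reading a practitioner would start from, not a diagnosis of this particular domain.

```python
"""Triage AD-join failure evidence: NETLOGON event data bytes and winbind kinit errors.

Example code written for this thread; it is not Samba's own tooling.
"""
import re

# NTSTATUS codes (public NTSTATUS table); names match the "NT Status" column
# that a packet trace shows for the SMB session setup reply.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
}

# Hint per NTSTATUS: what to check before blindly leaving and re-joining again.
NTSTATUS_HINTS = {
    "STATUS_NO_TRUST_SAM_ACCOUNT":
        "the DC that answered has no computer object for this host yet; with several DCs, "
        "compare which DC handled the join and whether the object has replicated",
    "STATUS_ACCOUNT_DISABLED":
        "computer object exists but is disabled; inspect userAccountControl on the answering DC",
    "STATUS_ACCESS_DENIED":
        "credential rejected at session setup; check machine password and account state",
}

# Heimdal/winbind 'Kinit failed' reasons mapped to the KDC error they reflect.
KINIT_CAUSES = {
    "Preauthentication failed":
        "KRB5KDC_ERR_PREAUTH_FAILED: machine password rejected (stale secret or keytab mismatch)",
    "Clients credentials have been revoked":
        "KRB5KDC_ERR_CLIENT_REVOKED: account disabled, locked out or expired in AD",
}

EVENT_DATA_RE = re.compile(r"Data:\s*0000:\s*((?:[0-9a-fA-F]{2}\s+){3}[0-9a-fA-F]{2})")
KINIT_RE = re.compile(r"Kinit failed:\s*(.+?)\s*$")


def decode_event_data(line):
    """Return (code, name) for the little-endian DWORD after 'Data: 0000:', or None."""
    m = EVENT_DATA_RE.search(line)
    if not m:
        return None
    raw = bytes.fromhex("".join(m.group(1).split()))
    code = int.from_bytes(raw[:4], "little")
    return code, NTSTATUS.get(code, "unknown NTSTATUS")


def classify_kinit(line):
    """Return (reason, cause) for a winbind 'Kinit failed' line, or None."""
    m = KINIT_RE.search(line)
    if not m:
        return None
    reason = m.group(1)
    return reason, KINIT_CAUSES.get(reason, "unmapped Kerberos error")


def triage(lines):
    """Walk event-log and winbind lines; return a list of (source, finding, hint)."""
    findings = []
    for line in lines:
        ev = decode_event_data(line)
        if ev is not None:
            findings.append(("netlogon", ev[1], NTSTATUS_HINTS.get(ev[1], "")))
        k = classify_kinit(line)
        if k is not None:
            findings.append(("winbind", k[1], ""))
    return findings


# Constructed sample input, taken from the lines quoted in the post.
SAMPLE_LINES = [
    "Event ID: 5723 Computer: DC5 Data: 0000: 8b 01 00 c0 ?..?",
    "Event ID: 5805 Computer: DC5 Data: 0000: 22 00 00 c0 \"..?",
    "libsmb/cliconnect.c:996(cli_session_setup_spnego) Kinit failed: Preauthentication failed",
    "libsmb/cliconnect.c:996(cli_session_setup_spnego) Kinit failed: Clients credentials have been revoked",
]

if __name__ == "__main__":
    for source, finding, hint in triage(SAMPLE_LINES):
        print(f"{source:9s} {finding}")
        if hint:
            print(f"          -> {hint}")
```

Run against real logs by feeding the DC event text and the winbind log into `triage()`. The point of the hints is to separate "object missing on this DC" (5723, which with two DCs points at replication between the DC that took the join and the DC that answered the session setup) from "object present but disabled" (CLIENT_REVOKED / STATUS_ACCOUNT_DISABLED), since the two call for different checks before another leave/re-join cycle.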