Sean McGrath
2018-Apr-26  09:13 UTC
[Samba] Failures to renegotiate machine password & domain participation check fails
Hello everyone,
Can I ask for some assistance please. Apologies if there is an easy solution to
this tale of woe that I haven't been able to find online.
We've been having persistent problems with a Scientific Linux release 7.4
machine that is joined to an Active Directory domain. Every 30 days or so the
trust relationship between the server and the domain would fail, apparently
because the machine password was not renewed. It worked for several months, then
at the end of last year started to have this issue every 30 days or so.
I had originally configured the server using SSSD as the identity provider but
switched to winbind after the series of failures. Winbind has now failed to
update its machine password successfully, though.
Samba version:
$ smbd --version
Version 4.6.2
Installed packages, (most recent from the repositories):
$ rpm -qa | grep samba
samba-client-libs-4.6.2-12.el7_4.x86_64
samba-common-tools-4.6.2-12.el7_4.x86_64
samba-4.6.2-12.el7_4.x86_64
samba-common-libs-4.6.2-12.el7_4.x86_64
samba-winbind-clients-4.6.2-12.el7_4.x86_64
samba-libs-4.6.2-12.el7_4.x86_64
samba-winbind-4.6.2-12.el7_4.x86_64
samba-client-4.6.2-12.el7_4.x86_64
samba-winbind-modules-4.6.2-12.el7_4.x86_64
samba-common-4.6.2-12.el7_4.noarch
Some of the details of the most recent failure are as follows.
Checking the bind to the domain gave this message:
$ net ads testjoin
kerberos_kinit_password DEPARTMENT-S01$@FQ.DN failed: Preauthentication failed
kerberos_kinit_password DEPARTMENT-S01$@FQ.DN failed: Preauthentication failed
Join to domain is not valid: Logon failure
The samba logs were showing 'domain_client_validate: Domain password server
not available' errors.
To restore the service I did the following:
$ systemctl stop smb
$ realm leave domain.fqdn
$ realm -v join --client-software=winbind --user=username@domain.fqdn domain.fqdn
$ systemctl start smb
I'll attach the current sanitised smb.conf here. (I know there are at least a
few problems with it I need to correct at some stage.)
SELinux had been running up until the most recent outage but I have now disabled
it fully, in the unlikely event that that is causing this issue.
The server currently seems to be authenticating fine against the domain but I am
concerned that it will fail to renegotiate its trust relationship again.
Can anyone point out the errors I have made in the configuration and setup
please. If you need more information please don't hesitate to ask.
Additionally, now when I do a 'net ads testjoin' I get prompted for a password:
$ net ads testjoin
Enter DEPARTMENT-S01$@FQ.DN's password:
$ echo $?
130
A sanitised output from 'net ads testjoin -d 9' is attached.
The following come back OK though.
$ wbinfo --online-status
$ wbinfo --check-secret
$ net ads info
'net ads testjoin' had been working fine for about 24 hours after the machine
was most recently re-joined to the domain. Can anyone shed any light on what I
have done wrong in that instance please?
Many thanks for any help you can offer.
Regards
Sean
-- 
Sean McGrath M.Sc
Systems Administrator
Trinity Centre for High Performance and Research Computing
Trinity College Dublin
sean.mcgrath at tchpc.tcd.ie
https://www.tcd.ie/
https://www.tchpc.tcd.ie/
-------------- next part --------------
[global]
# following are the default winbind settings
kerberos method = system keytab
template homedir = /home/%U@%D
workgroup = DOMAIN.FQDN
template shell = /bin/bash
security = ads 
realm = DOMAIN.FQDN
idmap backend = tdb
idmap gid = 10000-2000000
idmap uid = 10000-2000000
#idmap uid = 16777216-33554431
#idmap gid = 16777216-33554431
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
log level = 3 auth:10
log file = /var/log/samba/log.%m
[Releases]
	comment = DEPARTMENT Releases
	path = /home/Releases
	browseable = yes
	writable = yes
	create mode = 0775
	valid users = @"department-staff@domain.fqdn",@"department-staff-restricted@domain.fqdn"
	write list = @"department-staff@domain.fqdn"
	nt acl support = yes
	inherit permissions = yes
[Department]
	comment = DEPARTMENT share
	path = /home/Department
	browseable = yes
	writable = yes
	valid users = @"department-staff@domain.fqdn"
	create mode = 0770
	force directory mode = 0770
	nt acl support = yes
[Finance]
	comment = DEPARTMENT share
	path = /home/Finance
	browseable = yes
	writable = yes
	valid users = @"department-staff@domain.fqdn"
	create mode = 0770
	force directory mode = 0770
	nt acl support = yes
[Staff]
	comment = DEPARTMENT staff folders
	path = /home/DOMAIN/%U
	browseable = yes
	writable = yes
	valid users = @"department-staff@domain.fqdn",@"department-staff-restricted@domain.fqdn","doylep6@domain.fqdn"
	root preexec = /var/lib/samba/scripts/mkhomedir.sh %U
	nt acl support = yes
[department-secure]
	comment = DEPARTMENT secure share
	path = /home/department-secure
	browseable = yes
	writable = yes
	valid users = @"department-staff-secure@domain.fqdn"
	create mode = 0770
	directory mask = 0770
	force directory mode = 0770
	nt acl support = yes
-------------- next part --------------
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
Processing section "[global]"
doing parameter kerberos method = system keytab
doing parameter template homedir = /home/%U@%D
doing parameter workgroup = domain.fqdn
doing parameter template shell = /bin/bash
doing parameter security = ads
doing parameter realm = domain.fqdn
doing parameter idmap backend = tdb
WARNING: The "idmap backend" option is deprecated
doing parameter idmap gid = 10000-2000000
WARNING: The "idmap gid" option is deprecated
doing parameter idmap uid = 10000-2000000
WARNING: The "idmap uid" option is deprecated
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter winbind offline logon = yes
doing parameter winbind enum groups = no
doing parameter winbind enum users = no
doing parameter log level = 3 auth:10
doing parameter log file = /var/log/samba/log.%m
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
Processing section "[global]"
doing parameter kerberos method = system keytab
doing parameter template homedir = /home/%U@%D
doing parameter workgroup = domain.fqdn
doing parameter template shell = /bin/bash
doing parameter security = ads
doing parameter realm = domain.fqdn
doing parameter idmap backend = tdb
WARNING: The "idmap backend" option is deprecated
doing parameter idmap gid = 10000-2000000
WARNING: The "idmap gid" option is deprecated
doing parameter idmap uid = 10000-2000000
WARNING: The "idmap uid" option is deprecated
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter winbind offline logon = yes
doing parameter winbind enum groups = no
doing parameter winbind enum users = no
doing parameter log level = 3 auth:10
doing parameter log file = /var/log/samba/log.%m
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="department-S01"
added interface em1 ip=2001:770:10:500:1298:36ff:feae:b0b7 bcast=
netmask=ffff:ffff:ffff:ffff::
added interface em1 ip=192.168.112.67 bcast=192.168.115.255
netmask=255.255.252.0
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
ads_dc_name: domain=domain.fqdn
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
resolve_and_ping_dns: (cldap) looking for realm 'domain.fqdn'
get_sorted_dc_list: attempting lookup for name domain.fqdn (sitename CAMPUS)
saf_fetch: Returning "windc04.domain.fqdn" for "domain.fqdn"
domain
get_dc_list: preferred server list: "windc04.domain.fqdn, *"
name domain.fqdn#1C found.
Adding 3 DC's from auto lookup
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
name windc04.domain.fqdn#20 found.
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.44
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.40
get_dc_list: returning 3 ip addresses in an ordered list
get_dc_list: 192.168.16.41:389 192.168.16.44:389 192.168.16.40:389 
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
ads_try_connect: sending CLDAP request to 192.168.16.41 (realm: domain.fqdn)
Successfully contacted LDAP server 192.168.16.41
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
saf_fetch: Returning "windc04.domain.fqdn" for "domain.fqdn"
domain
get_dc_list: preferred server list: "windc04.domain.fqdn, *"
resolve_ads: Attempting to resolve KDCs for domain.fqdn using DNS
ads_dns_lookup_srv: 3 records returned in the answer section.
Adding 3 DC's from auto lookup
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
name windc04.domain.fqdn#20 found.
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.44
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.40
get_dc_list: returning 3 ip addresses in an ordered list
get_dc_list: 192.168.16.41:88 192.168.16.44:88 192.168.16.40:88 
saf_fetch: Returning "windc04.domain.fqdn" for "domain.fqdn"
domain
get_dc_list: preferred server list: "windc04.domain.fqdn, *"
resolve_ads: Attempting to resolve KDCs for domain.fqdn using DNS
ads_dns_lookup_srv: 8 records returned in the answer section.
Adding 8 DC's from auto lookup
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
name windc04.domain.fqdn#20 found.
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.251.24
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.40
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.44
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.251.13
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.251.14
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.177.117
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.251.47
get_dc_list: returning 8 ip addresses in an ordered list
get_dc_list: 192.168.16.41:88 192.168.251.24:88 192.168.16.40:88
192.168.16.44:88 192.168.251.13:88 192.168.251.14:88 192.168.177.117:88
192.168.251.47:88
create_local_private_krb5_conf_for_domain: wrote file
/var/lib/samba/lock/smb_krb5/krb5.conf.domain.fqdn with realm domain.fqdn KDC
list = 		kdc = 192.168.16.41
		kdc = 192.168.16.44
		kdc = 192.168.16.40
		kdc = 192.168.251.24
ads_dc_name: using server='WINDC04.domain.fqdn' IP=192.168.16.41
ads_find_dc: (ldap) looking for realm 'domain.fqdn' and falling back to
domain 'domain.fqdn'
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
ads_dc_name: domain=domain.fqdn
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
resolve_and_ping_dns: (cldap) looking for realm 'domain.fqdn'
get_sorted_dc_list: attempting lookup for name domain.fqdn (sitename CAMPUS)
saf_fetch: Returning "windc04.domain.fqdn" for "domain.fqdn"
domain
get_dc_list: preferred server list: "windc04.domain.fqdn, *"
name domain.fqdn#1C found.
Adding 3 DC's from auto lookup
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
name windc04.domain.fqdn#20 found.
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.44
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.40
get_dc_list: returning 3 ip addresses in an ordered list
get_dc_list: 192.168.16.41:389 192.168.16.44:389 192.168.16.40:389 
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
ads_try_connect: sending CLDAP request to 192.168.16.41 (realm: domain.fqdn)
Successfully contacted LDAP server 192.168.16.41
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
saf_fetch: Returning "windc04.domain.fqdn" for "domain.fqdn"
domain
get_dc_list: preferred server list: "windc04.domain.fqdn, *"
resolve_ads: Attempting to resolve KDCs for domain.fqdn using DNS
ads_dns_lookup_srv: 3 records returned in the answer section.
Adding 3 DC's from auto lookup
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
name windc04.domain.fqdn#20 found.
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.40
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.44
get_dc_list: returning 3 ip addresses in an ordered list
get_dc_list: 192.168.16.41:88 192.168.16.40:88 192.168.16.44:88 
saf_fetch: Returning "windc04.domain.fqdn" for "domain.fqdn"
domain
get_dc_list: preferred server list: "windc04.domain.fqdn, *"
resolve_ads: Attempting to resolve KDCs for domain.fqdn using DNS
ads_dns_lookup_srv: 8 records returned in the answer section.
Adding 8 DC's from auto lookup
sitename_fetch: Returning sitename for realm 'domain.fqdn':
"CAMPUS"
name windc04.domain.fqdn#20 found.
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.41
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.40
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.251.14
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.16.44
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.177.117
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.251.24
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.251.13
check_negative_conn_cache returning result 0 for domain domain.fqdn server
192.168.251.47
get_dc_list: returning 8 ip addresses in an ordered list
get_dc_list: 192.168.16.41:88 192.168.16.40:88 192.168.251.14:88
192.168.16.44:88 192.168.177.117:88 192.168.251.24:88 192.168.251.13:88
192.168.251.47:88
create_local_private_krb5_conf_for_domain: wrote file
/var/lib/samba/lock/smb_krb5/krb5.conf.domain.fqdn with realm domain.fqdn KDC
list = 		kdc = 192.168.16.41
		kdc = 192.168.16.40
		kdc = 192.168.16.44
		kdc = 192.168.251.14
ads_dc_name: using server='WINDC04.domain.fqdn' IP=192.168.16.41
ads_try_connect: sending CLDAP request to 192.168.16.41 (realm: domain.fqdn)
Successfully contacted LDAP server 192.168.16.41
Connected to LDAP server windc04.domain.fqdn
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[MEMORY:net_ads] failed with [Unspecified GSS
failure.  Minor code may provide more information: No credentials cache found]
-the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/windc04.domain.fqdn with
user[department-S01$] realm=[domain.fqdn]: Cannot read password
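Two things in the post are worth reading together: the interactive password prompt from 'net ads testjoin' and the final "Cannot read password" line of the attached debug output both mean that net could not obtain the machine account's own credential, and the exit status of 130 is only the shell reporting that the command was interrupted with Ctrl-C at that prompt (128 + SIGINT), not a Samba result code. Because the underlying problem is a machine password that stops being rotated, the check a practitioner would want to run on a cron is "how old is the machine password that this host believes it has". The following is an added example, not code from Samba or from the poster. It assumes the secrets.tdb layout used by Samba 4.x of that era (a SECRETS/MACHINE_LAST_CHANGE_TIME/<WORKGROUP> record holding a 4-byte little-endian epoch time), the text format printed by tdbdump (printable bytes verbatim, everything else as \XX hex escapes), and the smb.conf default of 604800 seconds for 'machine password timeout'; the tdbdump excerpt and the "now" timestamp are constructed, and the "stale if older than twice the rotation interval" threshold is the example's own choice.

```python
"""Machine-account password age check from a tdbdump of secrets.tdb.

Added example for this thread, not code from Samba or from the poster.
Assumed secrets.tdb layout (Samba 4.x of this era):
  key   SECRETS/MACHINE_LAST_CHANGE_TIME/<WORKGROUP>
  data  4-byte little-endian seconds since the epoch
and the text format of `tdbdump`: printable bytes verbatim, any other
byte (and '"' or '\\') written as a two-digit hex escape such as \\5A.
"""
import re
import struct
import subprocess

# smb.conf default for 'machine password timeout': 604800 s (7 days).
DEFAULT_MACHINE_PASSWORD_TIMEOUT = 604800

# One tdbdump record: a key line followed by a data line.
_RECORD = re.compile(r'key\(\d+\) = "(?P<key>[^"]*)"\ndata\(\d+\) = "(?P<data>[^"]*)"')


def unescape_tdbdump(field: str) -> bytes:
    """Turn a tdbdump key/data string back into the raw bytes it encodes."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == '\\' and i + 3 <= len(field):
            out.append(int(field[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def parse_tdbdump(text: str) -> dict:
    """Map every record key in a tdbdump listing to its raw data bytes."""
    return {m['key']: unescape_tdbdump(m['data']) for m in _RECORD.finditer(text)}


def last_change_time(records: dict, workgroup: str):
    """Epoch time of the last machine password change, or None if absent."""
    data = records.get(f"SECRETS/MACHINE_LAST_CHANGE_TIME/{workgroup.upper()}")
    if data is None or len(data) != 4:
        return None
    return struct.unpack('<I', data)[0]


def assess(records: dict, workgroup: str, now: int,
           timeout: int = DEFAULT_MACHINE_PASSWORD_TIMEOUT):
    """Classify the machine password age.

    Returns (status, age_seconds): 'missing' when secrets.tdb holds no
    record for the workgroup, 'stale' when the password is older than
    twice the rotation interval (winbind has skipped at least one change;
    the factor of two is this example's own threshold), otherwise 'ok'.
    """
    changed = last_change_time(records, workgroup)
    if changed is None:
        return 'missing', None
    age = now - changed
    return ('stale' if age > 2 * timeout else 'ok'), age


# Constructed tdbdump excerpt: last change 2018-03-01 00:00:00 UTC
# (1519862400 = 0x5A974280, stored little-endian as 80 42 97 5A, which
# tdbdump prints as \80 B \97 Z because 'B' and 'Z' are printable).
SAMPLE_TDBDUMP = (
    '{\n'
    'key(43) = "SECRETS/MACHINE_LAST_CHANGE_TIME/DEPARTMENT"\n'
    'data(4) = "\\80B\\97Z"\n'
    '}\n'
    '{\n'
    'key(43) = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/DEPARTMENT"\n'
    'data(4) = "\\02\\00\\00\\00"\n'
    '}\n'
)
NOW = 1524700800  # constructed "now": 2018-04-26 00:00:00 UTC


def live_records(path: str = '/var/lib/samba/private/secrets.tdb') -> dict:
    """Run tdbdump on the real secrets.tdb (root only) and parse it."""
    out = subprocess.run(['tdbdump', path], check=True, capture_output=True, text=True)
    return parse_tdbdump(out.stdout)


if __name__ == '__main__':
    status, age = assess(parse_tdbdump(SAMPLE_TDBDUMP), 'DEPARTMENT', NOW)
    print(f"sample: {status}, age {age} s ({age // 86400} days)")  # stale, 56 days
```

On a live host, replace the constructed input with live_records() and pass the workgroup from testparm; a 'stale' result before the DC starts refusing the account is the early warning this thread lacked. Comparing the host's belief with the DC's is the other half: the pwdLastSet attribute of the computer object, read with an LDAP search as a domain user, should move every time this timestamp does.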
Rowland Penny
2018-Apr-26  09:32 UTC
[Samba] Failures to renegotiate machine password & domain participation check fails
On Thu, 26 Apr 2018 10:13:29 +0100
Sean McGrath via samba <samba at lists.samba.org> wrote:

> Hello everyone,
> 
> Can I ask for some assistance please. Apologies if there is an easy
> solution to this tale of woe that I haven't been able to find online.
> 
> We've been having persistent problems with a Scientific Linux release
> 7.4 machine that is joined to an Active Directory domain. Every 30
> days or so the trust relationship between the server and the domain
> would fail, apparently because the machine password was not renewed.
> It worked for several months, then at the end of last year started to
> have this issue every 30 days or so.
> 
> I had originally configured the server using SSSD as the identity
> provider but switched to winbind after the series of failures.
> Winbind has now failed to update its machine password successfully,
> though.
> 

Can you try this smb.conf:

[global]
# This should be 'DOMAIN' not 'DOMAIN.FQDN'
workgroup = DOMAIN
security = ads
# This should be the dns domain in UPPERCASE
realm = DNS.DOMAIN
idmap config * : backend = tdb
idmap config * : range = 3000-9999
# This uses the winbind 'rid' backend
# If there are uidNumber & gidNumber attributes in AD
# you could use the 'ad' backend instead but it will be set up differently
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-2000000
template shell = /bin/bash
winbind refresh tickets = yes
winbind offline logon = yes
log level = 3 auth:10
log file = /var/log/samba/log.%m

[Releases]
	comment = DEPARTMENT Releases
	path = /home/Releases
	read only = no
	create mode = 0775
	valid users = @"department-staff@domain.fqdn",@"department-staff-restricted@domain.fqdn"
	write list = @"department-staff@domain.fqdn"
	inherit permissions = yes

[Department]
	comment = DEPARTMENT share
	path = /home/Department
	read only = no
	valid users = @"department-staff@domain.fqdn"
	create mode = 0770
	force directory mode = 0770

[Finance]
	comment = DEPARTMENT share
	path = /home/Finance
	read only = no
	valid users = @"department-staff@domain.fqdn"
	create mode = 0770
	force directory mode = 0770

[Staff]
	comment = DEPARTMENT staff folders
	path = /home/DOMAIN/%U
	read only = no
	valid users = @"department-staff@domain.fqdn",@"department-staff-restricted@domain.fqdn","doylep6@domain.fqdn"
	root preexec = /var/lib/samba/scripts/mkhomedir.sh %U

[department-secure]
	comment = DEPARTMENT secure share
	path = /home/department-secure
	read only = no
	valid users = @"department-staff-secure@domain.fqdn"
	create mode = 0770
	directory mask = 0770
	force directory mode = 0770

You will need to replace 'DOMAIN' with your workgroup name, this is not your
dns domain name and really shouldn't contain any dots. You will also have to
replace 'DNS.DOMAIN' with your dns domain name.

Also, please read the comments around the 'idmap config' lines

Rowland
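The 'idmap config' block in the reply above replaces the deprecated 'idmap uid'/'idmap gid' lines with a default ('*') range for BUILTIN and foreign SIDs plus a 'rid' range for the domain. Two properties make or break that layout: the rid backend maps deterministically (ID = RID + BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0, as documented for idmap_rid), so the range must be wide enough for the domain's largest RID, and no two ranges may overlap, or the same uid can be handed to two different SIDs. The following is an added example, not Samba code, that parses the idmap lines, applies the rid arithmetic and checks ranges for overlap; the domain SID and the broken second configuration are constructed for the example.

```python
"""idmap_rid arithmetic and range sanity check for the smb.conf above.

Added example for this thread, not Samba code. It applies the mapping
documented for the winbind 'rid' backend, ID = RID + BASE_RID + LOW_RANGE_ID
(base_rid defaults to 0), and checks that no two 'idmap config' ranges
overlap, since the '*' range must hold BUILTIN and foreign SIDs apart from
the domain's own users. The domain SID below is constructed.
"""
import re

_IDMAP_LINE = re.compile(
    r'^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$', re.IGNORECASE)


def parse_idmap_config(smb_conf: str) -> dict:
    """Collect 'idmap config <domain> : <option> = <value>' lines per domain."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = _IDMAP_LINE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(text: str):
    """'low-high' -> (low, high), rejecting empty or inverted ranges."""
    lo, hi = (int(x) for x in text.split('-'))
    if lo >= hi:
        raise ValueError(f"bad idmap range {text!r}")
    return lo, hi


def rid_to_id(sid: str, domain_sid: str, low: int, high: int, base_rid: int = 0) -> int:
    """Map a SID of the configured domain to a uid/gid the way idmap_rid does.

    The rid backend uses the same arithmetic for users and groups; RIDs are
    unique per domain across both, so the mapping is collision-free as long
    as the result stays inside the configured range.
    """
    prefix, rid = sid.rsplit('-', 1)
    if prefix != domain_sid:
        raise ValueError(f"{sid} is not from domain {domain_sid}")
    xid = int(rid) + base_rid + low
    if xid > high:
        raise ValueError(f"{sid} maps to {xid}, above the range end {high}")
    return xid


def check_idmap(cfg: dict) -> list:
    """Return a list of problems with the parsed idmap configuration."""
    problems = []
    if 'range' not in cfg.get('*', {}):
        problems.append("no 'idmap config * : range' for BUILTIN and foreign SIDs")
    ranges = {}
    for dom, opts in cfg.items():
        if 'range' not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(opts['range'])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


# The [global] idmap lines from the suggested smb.conf.
GOOD_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-2000000
"""
# Constructed variant with a '*' range that runs into the domain range.
BAD_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-2000000
"""
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

if __name__ == '__main__':
    cfg = parse_idmap_config(GOOD_CONF)
    lo, hi = parse_range(cfg['DOMAIN']['range'])
    print(check_idmap(cfg))                                     # []
    print(rid_to_id(DOMAIN_SID + '-1105', DOMAIN_SID, lo, hi))  # 11105
    print(check_idmap(parse_idmap_config(BAD_CONF)))            # overlap reported
```

The rid mapping is what makes the result reproducible after a leave/rejoin or a rebuild, which the tdb-only 'idmap uid'/'idmap gid' setup in the original config did not guarantee: that allocator hands out the next free id in arrival order, so file ownership on the shares could silently change. Feed the real domain SID from 'net getdomainsid' (or 'wbinfo --domain-info') when using this against a live host.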