Hi. I'm dealing with an interesting problem - potentially a machine account expiry issue in Samba AD (Samba 4.14.8). We have multiple Linux computer labs of machines joined to AD (running Winbind).? Two labs of machines have been off for a few months.? When turned back on, none of those machines appear to be joined to the domain.? They were all working fine before.? Other machines have remained on since they were joined to the domain, and they continue to function perfectly. I can report the following: 1) winbind is running on all the hosts, and I don't see any specific errors on either the client or the server. 2) wbinfo -u and wbinfo -g still work (does the client have to be joined to the domain for this to work?), yet getent passwd <user> returns nothing (/etc/nsswitch.conf is the same as on a working machine with "passwd: files winbind", and "group: files winbind". 3) wbinfo -t says "checking the trust secret for domain EECSYORKUCA via RPC calls succeeded", wbinfo -m reports BUILTIN, the host name, and the domain name, and wbinfo --online-status reports active connection for BUILTIN, the hostname, and the domain name. 4)? if I rejoin one of these AD clients to the domain, then it works fine without changing any configuration files at all, and continues to work after a reboot. 5) Although information online is very sporadic about this particular issue, the general consensus seems to be (at least for WIndows clients) that an AD client which is off will never be automatically "expired"? by the server after any amount of time. For Windows, there is a default timeout of 30 days, then the *client* should change the workstation account password itself when it comes online next whether that's in a month or a year. 6) I see samba has the "machine password timeout" option.? I don't set it in my smb.conf, so I assume that the the default of 1 week will be in effect.? It's not clear what happens if this value is far exceeded.? This may be the WIndows equivalent of the 30 day password change.? However, I imagine that when the client comes online and winbind sees that it is far longer than 1 week, it probably should change the account password in coordination with the AD server.? I don't think the account would be disabled. 7) I reviewed pwdLastSet available via "samba-tool show HOST".? I compared the result of pwdLastSet on two hosts that were joined to the domain at approximately same time (same day, a few minutes apart) - one that has remained on, and the other that has remained off.? pwdLastSet on both of them is the time they were joined to the domain. Why would the one that remained on not have pwdLastSet updated if winbind is changing the account password weekly? 8) The clocks on the AD server and clients are in sync. Any suggestions on what I might run to debug this issue would be appreciated.? I have many hosts that I can try on, though eventually I will have to rejoin them to the domain. Jason.
Hi - I can't speak to this from the perspective of winbind, but this has been a chronic problem with sssd (for myself, and others), so I've run into a similar issue many times. Once the kerberos ticket for a machine expires, it can't rejoin the domain without manual intervention. Not sure where you read these tickets don't expire, but they do. Try running klist -kt to see ticket timestamps. At least in your case it's obvious why the ticket expired. sssd is supposed to be renewing the kerberos ticket automatically, but it doesn't always work for still unknown reasons. My solution to this for sssd is to run a cron job every night: 00 12 * * 1 root msktutil --update --computer-name cns-cryo-krak7 --verbose --server austin.utexas.edu That appears to have resolved the issue. Again, your situation is more obvious, and since I haven't seen any reports of winbind having a similar problem, I'm hoping to not have to deal with this for my windbind-only installs. <:) On 11/2/21 08:49, Jason Keltz via samba wrote:> Hi. > > I'm dealing with an interesting problem - potentially a machine account > expiry issue in Samba AD (Samba 4.14.8). > > We have multiple Linux computer labs of machines joined to AD (running > Winbind).? Two labs of machines have been off for a few months.? When > turned back on, none of those machines appear to be joined to the > domain.? They were all working fine before.? Other machines have > remained on since they were joined to the domain, and they continue to > function perfectly. > > I can report the following: > > 1) winbind is running on all the hosts, and I don't see any specific > errors on either the client or the server. > > 2) wbinfo -u and wbinfo -g still work (does the client have to be joined > to the domain for this to work?), yet getent passwd <user> returns > nothing (/etc/nsswitch.conf is the same as on a working machine with > "passwd: files winbind", and "group: files winbind". > > 3) wbinfo -t says "checking the trust secret for domain EECSYORKUCA via > RPC calls succeeded", wbinfo -m reports BUILTIN, the host name, and the > domain name, and wbinfo --online-status reports active connection for > BUILTIN, the hostname, and the domain name. > > 4)? if I rejoin one of these AD clients to the domain, then it works > fine without changing any configuration files at all, and continues to > work after a reboot. > > 5) Although information online is very sporadic about this particular > issue, the general consensus seems to be (at least for WIndows clients) > that an AD client which is off will never be automatically "expired"? by > the server after any amount of time. For Windows, there is a default > timeout of 30 days, then the *client* should change the workstation > account password itself when it comes online next whether that's in a > month or a year. > > 6) I see samba has the "machine password timeout" option.? I don't set > it in my smb.conf, so I assume that the the default of 1 week will be in > effect.? It's not clear what happens if this value is far exceeded. This > may be the WIndows equivalent of the 30 day password change. However, I > imagine that when the client comes online and winbind sees that it is > far longer than 1 week, it probably should change the account password > in coordination with the AD server.? I don't think the account would be > disabled. > > 7) I reviewed pwdLastSet available via "samba-tool show HOST".? I > compared the result of pwdLastSet on two hosts that were joined to the > domain at approximately same time (same day, a few minutes apart) - one > that has remained on, and the other that has remained off.? pwdLastSet > on both of them is the time they were joined to the domain. Why would > the one that remained on not have pwdLastSet updated if winbind is > changing the account password weekly? > > 8) The clocks on the AD server and clients are in sync. > > Any suggestions on what I might run to debug this issue would be > appreciated.? I have many hosts that I can try on, though eventually I > will have to rejoin them to the domain. > > Jason. > >
Keep in mind, if you use SSSD with my packages, you MUST recompile SSSD Most quickest way is. (enable the sources lines in /etc/apt/sources.list (* Optional newer SSSD ) echo "deb-src http://ftp.nl.debian.org/debian sid main contrib non-free" > /etc/apt/sources.list.d/sid.list (* buster only as far i know. ) apt-get install -t $(lsb_release -sc)-backports debhelper lintian devscripts build-essential fakeroot dh-systemd libdistro-info-perl quilt -y (buster + bullseye ) apt-get build-dep sssd -y apt-get source sssd -by With winbind, this is all you need. # How you can use kerberos (man smb.conf search : kerberos method ) # This is "MY/Louis" preffered method on Member servers. kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab # Renew the kerberos ticket or you member its computer password will expire. winbind refresh tickets = yes Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Patrick Goetz via samba > Verzonden: dinsdag 2 november 2021 15:21 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] potential machine account expiry question > > Hi - > > I can't speak to this from the perspective of winbind, but > this has been > a chronic problem with sssd (for myself, and others), so I've > run into a > similar issue many times. > > Once the kerberos ticket for a machine expires, it can't rejoin the > domain without manual intervention. Not sure where you read these > tickets don't expire, but they do. Try running > > klist -kt > > to see ticket timestamps. > > At least in your case it's obvious why the ticket expired. sssd is > supposed to be renewing the kerberos ticket automatically, but it > doesn't always work for still unknown reasons. My solution to > this for > sssd is to run a cron job every night: > > 00 12 * * 1 root msktutil --update --computer-name cns-cryo-krak7 > --verbose --server austin.utexas.edu > > That appears to have resolved the issue. > > Again, your situation is more obvious, and since I haven't seen any > reports of winbind having a similar problem, I'm hoping to > not have to > deal with this for my windbind-only installs. <:) > > On 11/2/21 08:49, Jason Keltz via samba wrote: > > Hi. > > > > I'm dealing with an interesting problem - potentially a > machine account > > expiry issue in Samba AD (Samba 4.14.8). > > > > We have multiple Linux computer labs of machines joined to > AD (running > > Winbind).? Two labs of machines have been off for a few > months.? When > > turned back on, none of those machines appear to be joined to the > > domain.? They were all working fine before.? Other machines have > > remained on since they were joined to the domain, and they > continue to > > function perfectly. > > > > I can report the following: > > > > 1) winbind is running on all the hosts, and I don't see any > specific > > errors on either the client or the server. > > > > 2) wbinfo -u and wbinfo -g still work (does the client have > to be joined > > to the domain for this to work?), yet getent passwd <user> returns > > nothing (/etc/nsswitch.conf is the same as on a working > machine with > > "passwd: files winbind", and "group: files winbind". > > > > 3) wbinfo -t says "checking the trust secret for domain > EECSYORKUCA via > > RPC calls succeeded", wbinfo -m reports BUILTIN, the host > name, and the > > domain name, and wbinfo --online-status reports active > connection for > > BUILTIN, the hostname, and the domain name. > > > > 4)? if I rejoin one of these AD clients to the domain, then > it works > > fine without changing any configuration files at all, and > continues to > > work after a reboot. > > > > 5) Although information online is very sporadic about this > particular > > issue, the general consensus seems to be (at least for > WIndows clients) > > that an AD client which is off will never be automatically > "expired"? by > > the server after any amount of time. For Windows, there is > a default > > timeout of 30 days, then the *client* should change the workstation > > account password itself when it comes online next whether > that's in a > > month or a year. > > > > 6) I see samba has the "machine password timeout" option.? > I don't set > > it in my smb.conf, so I assume that the the default of 1 > week will be in > > effect.? It's not clear what happens if this value is far > exceeded. This > > may be the WIndows equivalent of the 30 day password > change. However, I > > imagine that when the client comes online and winbind sees > that it is > > far longer than 1 week, it probably should change the > account password > > in coordination with the AD server.? I don't think the > account would be > > disabled. > > > > 7) I reviewed pwdLastSet available via "samba-tool show HOST".? I > > compared the result of pwdLastSet on two hosts that were > joined to the > > domain at approximately same time (same day, a few minutes > apart) - one > > that has remained on, and the other that has remained off.? > pwdLastSet > > on both of them is the time they were joined to the domain. > Why would > > the one that remained on not have pwdLastSet updated if winbind is > > changing the account password weekly? > > > > 8) The clocks on the AD server and clients are in sync. > > > > Any suggestions on what I might run to debug this issue would be > > appreciated.? I have many hosts that I can try on, though > eventually I > > will have to rejoin them to the domain. > > > > Jason. > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
kinit Administrator and run this script. https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh Its missing to much info in this mail below. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Jason Keltz via samba > Verzonden: dinsdag 2 november 2021 14:49 > Aan: samba at lists.samba.org > Onderwerp: [Samba] potential machine account expiry question > > Hi. > > I'm dealing with an interesting problem - potentially a > machine account > expiry issue in Samba AD (Samba 4.14.8). > > We have multiple Linux computer labs of machines joined to AD > (running > Winbind).? Two labs of machines have been off for a few months.? When > turned back on, none of those machines appear to be joined to the > domain.? They were all working fine before.? Other machines have > remained on since they were joined to the domain, and they > continue to > function perfectly. > > I can report the following: > > 1) winbind is running on all the hosts, and I don't see any specific > errors on either the client or the server. > > 2) wbinfo -u and wbinfo -g still work (does the client have > to be joined > to the domain for this to work?), yet getent passwd <user> returns > nothing (/etc/nsswitch.conf is the same as on a working machine with > "passwd: files winbind", and "group: files winbind". > > 3) wbinfo -t says "checking the trust secret for domain > EECSYORKUCA via > RPC calls succeeded", wbinfo -m reports BUILTIN, the host > name, and the > domain name, and wbinfo --online-status reports active connection for > BUILTIN, the hostname, and the domain name. > > 4)? if I rejoin one of these AD clients to the domain, then it works > fine without changing any configuration files at all, and > continues to > work after a reboot. > > 5) Although information online is very sporadic about this particular > issue, the general consensus seems to be (at least for > WIndows clients) > that an AD client which is off will never be automatically > "expired"? by > the server after any amount of time. For Windows, there is a default > timeout of 30 days, then the *client* should change the workstation > account password itself when it comes online next whether that's in a > month or a year. > > 6) I see samba has the "machine password timeout" option.? I > don't set > it in my smb.conf, so I assume that the the default of 1 week > will be in > effect.? It's not clear what happens if this value is far exceeded.? > This may be the WIndows equivalent of the 30 day password change.? > However, I imagine that when the client comes online and winbind sees > that it is far longer than 1 week, it probably should change > the account > password in coordination with the AD server.? I don't think > the account > would be disabled. > > 7) I reviewed pwdLastSet available via "samba-tool show HOST".? I > compared the result of pwdLastSet on two hosts that were > joined to the > domain at approximately same time (same day, a few minutes > apart) - one > that has remained on, and the other that has remained off.? > pwdLastSet > on both of them is the time they were joined to the domain. Why would > the one that remained on not have pwdLastSet updated if winbind is > changing the account password weekly? > > 8) The clocks on the AD server and clients are in sync. > > Any suggestions on what I might run to debug this issue would be > appreciated.? I have many hosts that I can try on, though > eventually I > will have to rejoin them to the domain. > > Jason. > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >