Matthias Leopold
2023-Sep-20 15:12 UTC
[Samba] Machine passwords refresh (sometimes not happening)
Hi,

for a couple of days I've been having problems with machine passwords apparently not being refreshed on some domain members (which then blocks SSH login). I'm seeing this in logs:

Sep 20 16:09:06 s0-l00 winbindd[4003715]: [2023/09/20 16:09:06.962774, 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
Sep 20 16:09:06 s0-l00 winbindd[4003715]:   kerberos_kinit_password S0-L00$@MY.DOMAIN failed: Preauthentication failed

I searched this list for this topic and read about these config options:

winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

These config options are NOT mentioned on https://wiki.samba.org/index.php/Joining_a_Linux_or_Unix_Host_to_a_Domain, so I do NOT use them and didn't have a problem in the past.
These config options ARE mentioned on https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting.

So what should I do here?
Why am I suddenly having problems?

Time synchronization with domain controllers is OK.
Samba is 4.17.10

thx
Matthias

/etc/samba/smb.conf

[global]
        realm = MY.DOMAIN
        security = ADS
        template homedir = /msc/home/%U
        template shell = /bin/bash
        winbind expand groups = 2
        winbind use default domain = Yes
        workgroup = SMB
        idmap config smb : range = 10000-999999
        idmap config smb : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb

/etc/krb5.conf

[libdefaults]
        default_realm = MY.DOMAIN
        dns_lookup_realm = false
        dns_lookup_kdc = true
Matthias Leopold
2023-Sep-27 14:51 UTC
[Samba] Machine passwords refresh (sometimes not happening)
Hi,

can anyone help me here? This problem keeps occurring; it seems to have appeared after I upgraded from 4.16 to 4.17. The full sequence of errors in the winbind logs is:

[2023/09/27 16:11:47.081424, 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
  kerberos_kinit_password S0-L01$@MY.DOMAIN failed: Preauthentication failed
[2023/09/27 16:11:47.087539, 0] ../../source3/winbindd/winbindd_ads.c:1199(lookup_groupmem)
  ads_ranged_search failed with: Invalid credentials

A winbind restart solves the problem.

I admit I didn't try the "dedicated keytab file"/"kerberos method"/"winbind refresh tickets" stanzas yet, but leaving/rejoining the domain is not a simple task. Also I'm confused by the docs about when to use them (as described).

Thanks a lot
Matthias

On 20.09.23 at 17:12, Matthias Leopold via samba wrote:
> Hi,
>
> for a couple of days I've been having problems with machine passwords
> apparently not being refreshed on some domain members (which then blocks
> SSH login). I'm seeing this in logs:
>
> Sep 20 16:09:06 s0-l00 winbindd[4003715]: [2023/09/20 16:09:06.962774,
> 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
> Sep 20 16:09:06 s0-l00 winbindd[4003715]:   kerberos_kinit_password
> S0-L00$@MY.DOMAIN failed: Preauthentication failed
>
> I searched this list for this topic and read about these config options:
>
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> These config options are NOT mentioned on
> https://wiki.samba.org/index.php/Joining_a_Linux_or_Unix_Host_to_a_Domain, so I do NOT use them and didn't have a problem in the past.
> These config options ARE mentioned on
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting.
>
> So what should I do here?
> Why am I suddenly having problems?
>
> Time synchronization with domain controllers is OK.
> Samba is 4.17.10
>
> thx
> Matthias
>
> /etc/samba/smb.conf
>
> [global]
>         realm = MY.DOMAIN
>         security = ADS
>         template homedir = /msc/home/%U
>         template shell = /bin/bash
>         winbind expand groups = 2
>         winbind use default domain = Yes
>         workgroup = SMB
>         idmap config smb : range = 10000-999999
>         idmap config smb : backend = rid
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb
>
> /etc/krb5.conf
>
> [libdefaults]
>         default_realm = MY.DOMAIN
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

-- 
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 / Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200
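Added example, not part of the thread or of Samba itself: a small POSIX shell check that scans winbindd log output for the machine-account kinit failure both posts above report (kerberos_kinit_password ... failed: Preauthentication failed, followed in the second post by ads_ranged_search failed with: Invalid credentials) and lists the affected machine accounts per host with a failure count. The sample log text is constructed from the lines quoted in the two messages; the function names and the idea of feeding it the winbind unit's journal output are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect failed machine-account
# Kerberos logins in winbindd log lines so an operator sees the refresh
# problem before SSH logins on the member start failing.

# Constructed sample, based on the lines Matthias posted (hosts/PIDs for
# s0-l01 and s0-l02 are made up to show grouping).
SAMPLE_LOG='Sep 20 16:09:06 s0-l00 winbindd[4003715]: [2023/09/20 16:09:06.962774, 0] ../../source3/libads/kerberos_util.c:73(ads_kinit_password)
Sep 20 16:09:06 s0-l00 winbindd[4003715]:   kerberos_kinit_password S0-L00$@MY.DOMAIN failed: Preauthentication failed
Sep 20 16:09:07 s0-l00 winbindd[4003715]:   ads_ranged_search failed with: Invalid credentials
Sep 20 16:10:00 s0-l00 winbindd[4003715]:   kerberos_kinit_password S0-L00$@MY.DOMAIN failed: Preauthentication failed
Sep 20 16:12:00 s0-l01 winbindd[1234]:   kerberos_kinit_password S0-L01$@MY.DOMAIN failed: Preauthentication failed
Sep 20 16:13:00 s0-l02 winbindd[999]:   winbindd version 4.17.10 started'

# Reads syslog-style winbindd lines on stdin and prints one line per
# affected machine account: "<host> <principal> <failure count>".
failed_machine_kinits() {
    awk '/kerberos_kinit_password .* failed: Preauthentication failed/ {
            # $4 is the syslog host field; the principal is the token that
            # follows the literal "kerberos_kinit_password".
            for (i = 1; i <= NF; i++)
                if ($i == "kerberos_kinit_password") { key = $4 " " $(i + 1); break }
            count[key]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Monitoring-style wrapper: prints the summary and returns 1 if any machine
# account failed preauthentication, 0 if the log is clean.
check_winbind_log() {
    out=$(failed_machine_kinits)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Demo run over the constructed sample: `sh thisfile.sh demo`
if [ "${1-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | check_winbind_log
fi
```

On a real member server the input would be the winbindd lines from the system journal or log file for the winbind service (the exact unit or file name depends on the distribution, so that part is an assumption); a non-zero exit from check_winbind_log is the signal that the machine account can no longer authenticate and that the member needs attention before its users are locked out.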