Greetings! Kees van Vloten via samba, on that day, wrote:

> Solution is easy: upgrading winbind from Debian backports solves the issue!

I've upgraded to the latest buster version 4.18.10+dfsg-1~buster, but it still does not work for me... Now it displays:

root@vfwacpn1:~# net ads changetrustpw
get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

If I force the target server:

root@vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

In /etc/krb5.conf I've set:

[libdefaults]
    default_realm = AD.AC.CONCORDIA-PORDENONE.IT
    dns_lookup_realm = false
    dns_lookup_kdc = false
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    AD.AC.CONCORDIA-PORDENONE.IT = {
        kdc = kdc.ad.ac.concordia-pordenone.it
        master_kdc = kdc.ad.ac.concordia-pordenone.it
        admin_server = kdc.ad.ac.concordia-pordenone.it
        default_domain = ad.ac.concordia-pordenone.it
    }

Clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:

root@vfwacpn1:~# grep kdc /etc/hosts
10.172.1.8 vdcacpn1.ac.concordia-pordenone.it kdc.ad.ac.concordia-pordenone.it ad.ac.concordia-pordenone.it vdcacpn1

The join still seems valid:

root@vfwacpn1:~# net ads testjoin
get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
Join is OK
root@vfwacpn1:~# net ads testjoin -S kdc.ad.ac.concordia-pordenone.it
get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
Join is OK

and I can get the data I need:

root@vfwacpn1:~# samba-tool group listmembers group1 -H ldap://ad.ac.concordia-pordenone.it -P
user1
user2
user3

-- 
The ways of the Lord are infinite. It's the signage that leaves something to be desired...
On 24-03-2024 17:42, Marco Gaiarin via samba wrote:
> Greetings! Kees van Vloten via samba, on that day, wrote:
>
>> Solution is easy: upgrading winbind from Debian backports solves the issue!
>
> I've upgraded to the latest buster version 4.18.10+dfsg-1~buster, but it still does
> not work for me...

As said, both my DCs and the domain members are on 4.19.N, and that solved the issue. I came from 4.17 on the clients and 4.19 on the DCs, so I am sure that 4.17 had the issue. I don't know about 4.18, but reading your comment suggests that it was only fixed in 4.19.

- Kees.
On Sun, 24 Mar 2024 17:42:03 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Greetings! Kees van Vloten via samba, on that day, wrote:
>
>> Solution is easy: upgrading winbind from Debian backports solves
>> the issue!
>
> I've upgraded to the latest buster version 4.18.10+dfsg-1~buster, but
> it still does not work for me...

There must be a reason why you are still using Debian buster, but it escapes me.

> Now it displays:
>
> root@vfwacpn1:~# net ads changetrustpw
> get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
> Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
> Password change failed: No more connections can be made to this remote
> computer at this time because the computer has already accepted the
> maximum number of connections.
>
> If I force the target server:
>
> root@vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
> ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed
> for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$],
> realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a
> service or function.
> Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
> Password change failed: No more connections can be made to this remote
> computer at this time because the computer has already accepted the
> maximum number of connections.

Why do you have a computer with the short hostname 'kdc'?

> In /etc/krb5.conf I've set:
>
> [libdefaults]
>     default_realm = AD.AC.CONCORDIA-PORDENONE.IT
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> [realms]
>     AD.AC.CONCORDIA-PORDENONE.IT = {
>         kdc = kdc.ad.ac.concordia-pordenone.it
>         master_kdc = kdc.ad.ac.concordia-pordenone.it
>         admin_server = kdc.ad.ac.concordia-pordenone.it
>         default_domain = ad.ac.concordia-pordenone.it
>     }

The default Samba krb5.conf is sufficient:

[libdefaults]
    default_realm = AD.AC.CONCORDIA-PORDENONE.IT
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AD.AC.CONCORDIA-PORDENONE.IT = {
        default_domain = ad.ac.concordia.it
    }

[domain_realm]
    VFWACPN1 = AD.AC.CONCORDIA-PORDENONE.IT

> Clearly, 'kdc.ad.ac.concordia-pordenone.it' is in /etc/hosts:
>
> root@vfwacpn1:~# grep kdc /etc/hosts
> 10.172.1.8 vdcacpn1.ac.concordia-pordenone.it
> kdc.ad.ac.concordia-pordenone.it
> ad.ac.concordia-pordenone.it vdcacpn1

AAAARRRRGGGGHHHHH

Why is 10.172.1.8 pointing to all that? It should be:

10.172.1.8 vdcacpn1.ad.ac.concordia-pordenone.it vdcacpn1

BUT the hostname was 'vfwacpn1' above; not sure what is going on here.

Rowland
On 24-03-2024 at 17:42, Marco Gaiarin via samba wrote:
> Greetings! Kees van Vloten via samba, on that day, wrote:
>
>> Solution is easy: upgrading winbind from Debian backports solves the issue!
>
> I've upgraded to the latest buster version 4.18.10+dfsg-1~buster, but it still does
> not work for me...
>
> Now it displays:
>
> root@vfwacpn1:~# net ads changetrustpw
> get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS
> Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
> Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.
>
> If I force the target server:
>
> root@vfwacpn1:~# net ads changetrustpw -S kdc.ad.ac.concordia-pordenone.it
> ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos failed for ldap/kdc.ad.ac.concordia-pordenone.it - user[VFWACPN1$], realm[AD.AC.CONCORDIA-PORDENONE.IT]: An invalid parameter was passed to a service or function.
> Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT
> Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

I think I finally figured out what the issue is:

When you do 'net ads -P changetrustpw', it will change the password on the DC and update the local secret store to use the new password. However, with each new machine password, a new version (kvno) of the keytabs in /etc/krb5.keytab is required. The above command does not update your keytab file, and as a result subsequent calls to change the machine password will fail. Other things that make use of a keytab for authentication (such as kerberized NFS) will also fail, but on most machines you will probably not notice that you have outdated keytabs in the keytab file.

The simple solution is to update the keytabs with:

for kt in $(net ads keytab list | awk 'NR > 1 {sub(/@.+/, ""); print $3}' | sort -u); do
    net ads keytab add $kt
done

Now everything is back in sync and works as expected.

I heard work was being done to have winbind update the machine password regularly. I don't know if it is already in 4.20 or still waiting to go into mainline and land in one of the next versions of Samba. That would make the above obsolete :-)

- Kees.
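The loop above re-adds every principal unconditionally. As an added illustration (this is not Kees's code, nor anything shipped by Samba), the script below makes the same kvno mismatch visible first: it parses the output of 'net ads keytab list' (constructed sample inline, in the Vno / Type / Principal layout that command prints), compares each principal's newest key version with the machine account's current kvno, and only then emits the 'net ads keytab add' commands for the principals that actually lag. The reference kvno is assumed to come from the computer object's msDS-KeyVersionNumber attribute in AD, which the thread does not show; the sample vno values are made up.

```python
"""Added example, not from the thread or from Samba itself: spot keytab
entries whose key version number (vno) lags behind the machine account's
current kvno after 'net ads changetrustpw', then build the same
'net ads keytab add' commands Kees's loop runs, but only for the stale
principals. Assumptions: the listing has the column layout of
'net ads keytab list' (Vno, Type, Principal) and the reference kvno is
read from the computer object's msDS-KeyVersionNumber attribute."""
import re
import sys

# Constructed sample in the shape of 'net ads keytab list' output: the
# host/ and nfs/ entries are still at vno 2 from the original join, while
# the account principal was already refreshed to vno 3.
SAMPLE_LISTING = """\
Vno  Type                                        Principal
  2  aes256-cts-hmac-sha1-96                     host/vfwacpn1.ad.ac.concordia-pordenone.it@AD.AC.CONCORDIA-PORDENONE.IT
  2  aes128-cts-hmac-sha1-96                     host/vfwacpn1.ad.ac.concordia-pordenone.it@AD.AC.CONCORDIA-PORDENONE.IT
  2  aes256-cts-hmac-sha1-96                     nfs/vfwacpn1.ad.ac.concordia-pordenone.it@AD.AC.CONCORDIA-PORDENONE.IT
  3  aes256-cts-hmac-sha1-96                     VFWACPN1$@AD.AC.CONCORDIA-PORDENONE.IT
"""

# One keytab entry per line: vno, encryption type, principal. The header
# line starts with "Vno", so it does not match and is skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_keytab_listing(text):
    """Return (vno, enctype, principal) tuples; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def latest_vno_by_principal(entries):
    """Newest key version present in the keytab for each principal."""
    latest = {}
    for vno, _enctype, principal in entries:
        latest[principal] = max(vno, latest.get(principal, 0))
    return latest


def stale_principals(entries, current_kvno):
    """Principals whose newest keytab key is older than the account's kvno.

    A stale entry means the DC issues service tickets under a key the keytab
    does not hold, which is what breaks the second changetrustpw and any
    kerberized service (NFS, for example) that authenticates from the keytab."""
    latest = latest_vno_by_principal(entries)
    return sorted(p for p, vno in latest.items() if vno < current_kvno)


def refresh_commands(principals):
    """Drop the @REALM suffix and de-duplicate, as the awk in the thread does,
    then build one 'net ads keytab add' per service principal name."""
    names = sorted({p.split("@", 1)[0] for p in principals})
    return ["net ads keytab add %s" % n for n in names]


def main(argv):
    # Usage: net ads keytab list | python3 keytab_check.py <current_kvno>
    # With no piped input the constructed sample is used instead.
    current_kvno = int(argv[1]) if len(argv) > 1 else 3
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    stale = stale_principals(parse_keytab_listing(listing), current_kvno)
    if not stale:
        print("keytab is in sync with kvno %d" % current_kvno)
        return 0
    for cmd in refresh_commands(stale):
        print(cmd)
    return 1  # non-zero so a cron job or monitoring check notices the drift


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a real member server as 'net ads keytab list | python3 keytab_check.py <kvno>', with the kvno taken from the computer object. The exit status is 1 whenever something is stale, so the same script doubles as a post-changetrustpw check. Note that it can only report principals that are already in the keytab; a service principal that was never added (a new nfs/ SPN, say) still has to be added by hand.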