Bug 12262 - net ads testjoin and smb access fails after winbindd changed the trust password
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
x64 Linux
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
Reported: 2016-09-14 11:38 UTC by Stefan Metzmacher
Modified: 2016-09-30 14:52 UTC (History)
Description Stefan Metzmacher 2016-09-14 11:38:47 UTC
On Ubuntu trusty x86_64 (with Version 4.4.5-SerNet-Ubuntu-16.trusty)

The domain join is partly broken by the weekly machine password

wbinfo --check-secret
wbinfo --ping-dc

work fine.

I guess 'net rpc testjoin' would also work, but I didn't check that.

The problem is that any Kerberos-related authentication is broken
by the long random password.

'net ads testjoin', "net ads search -P '(name=administrator)'"
and other commands fail.

ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit

kerberos_kinit_password: as FS$@EXAMPLE.COM using [MEMORY:net_ads] as ccache and config [/var/cache/samba/smb_krb5/krb5.conf.EXAMPLE]
kerberos_kinit_password FS$@EXAMPLE.COM failed: Preauthentication failed
Join to domain is not valid: Logon failure
return code = -1

And SMB clients can't connect anymore:

[2016/09/13 12:44:44.357493,  1, pid=1234] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fs.example.com@EXAMPLE.COM(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2016/09/13 12:44:44.357592,  1, pid=1234] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)

A server in the same domain using Debian jessie works fine.

Both servers have msDs-SupportedEncryptionTypes: 31

A 'net ads join', which sets a shorter and less random password,
fixes the situation again.
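
A triage sketch for the two failure signatures quoted in this report, added here as an example and not part of the original report or of Samba. It pulls the principal, kvno and enctype out of the log lines and checks the enctype against an msDS-SupportedEncryptionTypes mask; the function names `decode_enctypes` and `triage` are hypothetical, and the sample lines are copied from the description above.

```python
import re

# msDS-SupportedEncryptionTypes bit values as defined in MS-KILE.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# smbd side: the acceptor has no key for the ticket's principal/kvno/enctype.
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")
# net ads side: kinit with the stored machine password was rejected.
PREAUTH_FAIL = re.compile(
    r"kerberos_kinit_password (?P<principal>\S+) failed: Preauthentication failed")

# Sample input: log lines copied from the report above.
SAMPLE_LOG = r"""
kerberos_kinit_password FS$@EXAMPLE.COM failed: Preauthentication failed
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fs.example.com@EXAMPLE.COM(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
"""

def decode_enctypes(mask):
    """Return the enctype names enabled in an msDS-SupportedEncryptionTypes mask."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]

def triage(log_text, enctype_mask):
    """Extract both failure signatures and flag whether the missing key's
    enctype is one the account advertises to the KDC."""
    advertised = decode_enctypes(enctype_mask)
    findings = []
    for line in log_text.splitlines():
        m = KEYTAB_MISS.search(line)
        if m:
            f = m.groupdict()
            f["kind"] = "keytab_miss"
            f["kvno"] = int(f["kvno"])
            f["enctype_advertised"] = f["enctype"] in advertised
            findings.append(f)
            continue
        m = PREAUTH_FAIL.search(line)
        if m:
            findings.append({"kind": "preauth_failed", "principal": m["principal"]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, 31):
        print(finding)
```

With the mask 31 from this report, the missing aes256-cts-hmac-sha1-96 key is flagged as an advertised enctype, so the KDC is entitled to issue tickets the server then cannot decrypt.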