The Samba-Bugzilla – Bug 12262
net ads testjoin and smb access fails after winbindd changed the trust password
Last modified: 2016-09-30 14:52:38 UTC
On Ubuntu trusty x86_64 (with Version 4.4.5-SerNet-Ubuntu-16.trusty)
The domain join is partly broken by the weekly machine password
I guess 'net rpc testjoin' would also work, but I didn't check that.
The problem is that any Kerberos-related authentication is broken
by the long random password.
"net ads testjoin", "net ads search -P '(name=administrator)'"
and other commands fail.
ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit
kerberos_kinit_password: as FS$@EXAMPLE.COM using [MEMORY:net_ads] as ccache and config [/var/cache/samba/smb_krb5/krb5.conf.EXAMPLE]
kerberos_kinit_password FS$@EXAMPLE.COM failed: Preauthentication failed
Join to domain is not valid: Logon failure
return code = -1
And SMB clients can't connect anymore:
[2016/09/13 12:44:44.357493, 1, pid=1234] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fs.example.com@EXAMPLE.COM(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2016/09/13 12:44:44.357592, 1, pid=1234] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
A server in the same domain using Debian jessie works fine.
Both servers have msDs-SupportedEncryptionTypes: 31
A 'net ads join', which sets a shorter and less random password,
fixes the situation again.
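
A triage sketch for the two log signatures quoted in this report, added here as an example; it is not part of the bug report or of Samba. The function name `triage`, the regular expressions and the `machine_secret_suspect` flag are assumptions of this example, and the sample input is constructed from the log lines above.

```python
import re

# Constructed sample: log lines copied from the report above.
SAMPLE_LOG = """\
kerberos_kinit_password FS$@EXAMPLE.COM failed: Preauthentication failed
[2016/09/13 12:44:44.357493, 1, pid=1234] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fs.example.com@EXAMPLE.COM(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2016/09/13 12:44:44.357592, 1, pid=1234] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
"""

# Client side: kinit as the machine account (name ends in '$') was rejected.
KINIT_FAIL = re.compile(
    r"kerberos_kinit_password (?P<principal>\S+\$@\S+) failed: (?P<reason>.+)$")
# Server side: no key for the ticket's principal/kvno/enctype in the keytab.
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<spn>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)")


def triage(log_text):
    """Collect both failure signatures from Samba/net log text."""
    findings = {"kinit_failures": [], "keytab_misses": []}
    for line in log_text.splitlines():
        m = KINIT_FAIL.search(line)
        if m:
            findings["kinit_failures"].append(m.groupdict())
        m = KEYTAB_MISS.search(line)
        if m:
            hit = m.groupdict()
            hit["kvno"] = int(hit["kvno"])
            findings["keytab_misses"].append(hit)
    # Heuristic of this example: seeing both signatures together suggests the
    # locally stored machine secret yields keys the KDC does not accept.
    findings["machine_secret_suspect"] = bool(
        findings["kinit_failures"] and findings["keytab_misses"])
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The extracted kvno and encryption type can then be compared with what the KDC holds for the machine account.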