Bug 13123 - Reset-ComputerMachinePassword doesn't work
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.9
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2017-11-07 15:37 UTC by (mail address dead)
Modified: 2018-01-26 13:24 UTC
Description (mail address dead) 2017-11-07 15:37:55 UTC
I tried to update from 4.5 to 4.6, but afterwards our install agent doesn't work anymore and says "The computer account couldn't be created or renewed".

If I delete the computer account via RSAT, installation works. So it's just the renewing account that has troubles. I tried to reproduce this and realized that the PS command Reset-ComputerMachinePassword works in 4.5, but not in 4.6.

The error in 4.6 is
PS C:\Users\Administrator> Reset-ComputerMachinePassword -Credential $cred
Reset-ComputerMachinePassword : Das Kennwort des sicheren Kanals für das Computerkonto konnte in der Domäne nicht
zurückgesetzt werden. Fehler beim Vorgang mit der folgenden Ausnahme: Der Server ist nicht funktionstüchtig.
In Zeile:1 Zeichen:1
+ Reset-ComputerMachinePassword -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (vm01:String) [Reset-ComputerMachinePassword], InvalidOperation
+ FullyQualifiedErrorId : FailToResetPasswordOnDomain,Microsoft.PowerShell.Commands.ResetComputerMachinePasswordCommand

At the same time, log.samba creates the following 4 lines:
[2017/11/07 16:24:32.489649,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.506014,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.522244,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.537621,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!

The behaviour is the same if I update 4.5 to 4.6 or install 4.6 freshly.
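
One way to pull these entries out of log.samba and count how many signature failures arrive together, as an added example that is not part of the original report or of Samba. The names `parse_entries` and `signature_failure_bursts` and the one-second grouping window are assumptions; the sample holds the four entries quoted above plus one constructed entry.

```python
import re
from datetime import datetime, timedelta

# Entry header as shown in the report: [date time.usec,  LEVEL] file.c:LINE(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{6}),\s*\d+[^\]]*\]\s+"
    r"\S+:\d+\((?P<func>\w+)\)\s*$")
SIG_FAIL = "packet check failed due to invalid signature"

def parse_entries(text):
    """Yield (timestamp, function, message) per header line plus its body lines."""
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            current = (ts, m["func"], [])
        elif current and raw.strip():
            current[2].append(raw.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def signature_failure_bursts(text, gap=timedelta(seconds=1)):
    """Group signature failures whose timestamps are at most `gap` apart."""
    bursts = []
    for ts, func, msg in parse_entries(text):
        if func != "ntlmssp_check_packet" or SIG_FAIL not in msg:
            continue
        if bursts and ts - bursts[-1][-1] <= gap:
            bursts[-1].append(ts)
        else:
            bursts.append([ts])
    return [(b[0], b[-1], len(b)) for b in bursts]

# Four entries copied from the report, then one constructed, unrelated entry.
SAMPLE = """\
[2017/11/07 16:24:32.489649,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.506014,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.522244,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.537621,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:30:00.000000,  0] ../constructed/example.c:1(constructed_entry)
  constructed message unrelated to NTLMSSP
"""
```

Pass the contents of log.samba as `text`; each returned tuple is (first timestamp, last timestamp, number of failures in the burst).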
Comment 1 (mail address dead) 2017-11-07 15:39:36 UTC
Also, the problem is still present in 4.7.1
Comment 2 Andrew Bartlett 2017-12-02 18:57:52 UTC
If you could do a git bisect between the last working release and the first failing one that would be great, so we can pin down what changed.  That will probably make the fix obvious.

Have you already applied all security patches?  If so, it may have broken with the so-called badlock changes when 'ldap server require strong auth' was introduced, try 'ldap server require strong auth = allow_sasl_over_tls' if so.
Comment 3 (mail address dead) 2018-01-26 13:24:17 UTC
I'm sorry, I don't have the necessary resources to do this. That's why we're buying the samba packages.
Afaik, 4.5 is long after badlock, isn't it?