Bug 13123 - Reset-ComputerMachinePassword doesn't work
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.9
Hardware: All
OS: All
Priority: P5
Severity: major
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2017-11-07 15:37 UTC by tim.dittler
Modified: 2017-12-02 18:57 UTC

Description tim.dittler 2017-11-07 15:37:55 UTC
I tried to update from 4.5 to 4.6, but afterwards our install agent doesn't work anymore and says "The computer account couldn't be created or renewed".

If I delete the computer account via RSAT, installation works. So it's just the account renewal that has troubles. I tried to reproduce this and realized that the PS command Reset-ComputerMachinePassword works in 4.5, but not in 4.6.

The error in 4.6 is
PS C:\Users\Administrator> Reset-ComputerMachinePassword -Credential $cred
Reset-ComputerMachinePassword : Das Kennwort des sicheren Kanals für das Computerkonto konnte in der Domäne nicht
zurückgesetzt werden. Fehler beim Vorgang mit der folgenden Ausnahme: Der Server ist nicht funktionstüchtig.
.
In Zeile:1 Zeichen:1
+ Reset-ComputerMachinePassword -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (vm01:String) [Reset-ComputerMachinePassword], InvalidOperation
    Exception
+ FullyQualifiedErrorId : FailToResetPasswordOnDomain,Microsoft.PowerShell.Commands.ResetComputerMachinePasswordCommand

At the same time, log.samba creates the following 4 lines:
[2017/11/07 16:24:32.489649,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.506014,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.522244,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.537621,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!

The behaviour is the same if I update 4.5 to 4.6 or install 4.6 freshly.
Comment 1 tim.dittler 2017-11-07 15:39:36 UTC
Also, the problem is still present in 4.7.1
Comment 2 Andrew Bartlett 2017-12-02 18:57:52 UTC
If you could do a git bisect between the last working release and the first failing one that would be great, so we can pin down what changed.  That will probably make the fix obvious.

Have you already applied all security patches?  If so, it may have broken with the so-called badlock changes, when 'ldap server require strong auth' was introduced; try 'ldap server require strong auth = allow_sasl_over_tls' if so.
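As an added example (not from the bug report or from Samba itself), a small Python script that parses the two-line log.samba entry format quoted in the description and flags bursts of the NTLMSSP signature-check failure, so an administrator can spot clients that hit this during machine-account password resets before reaching for the setting discussed in Comment 2. The sample log text is a constructed copy of the four lines from the report; the burst window and threshold are assumptions.

```python
import re
from datetime import datetime

# Samba writes each log entry as two lines: a header carrying the timestamp,
# debug level and source location, followed by an indented message line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+:\d+)\((?P<func>\w+)\)\s*$"
)
SIGNATURE_FAILURE = "NTLMSSP NTLM2 packet check failed due to invalid signature!"

# Constructed sample: the four log.samba lines quoted in the bug description.
SAMPLE_LOG = """\
[2017/11/07 16:24:32.489649,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.506014,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.522244,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.537621,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
"""

def parse_samba_log(text):
    """Return a list of (timestamp, level, function, message) tuples."""
    entries, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = (datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
                       int(m.group("level")), m.group("func"))
        elif pending and line.startswith(" "):
            entries.append(pending + (line.strip(),))
            pending = None
    return entries

def signature_failure_bursts(entries, window_seconds=1.0, threshold=3):
    """Return (first_timestamp, count) for each run of signature failures
    packed into at most window_seconds; a machine-password reset that fails
    as in this report produces several within a few tens of milliseconds."""
    times = sorted(e[0] for e in entries if e[3] == SIGNATURE_FAILURE)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], j - i + 1))
        i = j + 1
    return bursts

if __name__ == "__main__":
    for first, count in signature_failure_bursts(parse_samba_log(SAMPLE_LOG)):
        print(f"{count} NTLMSSP signature failures starting at {first.isoformat()}")
```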