I tried to update from 4.5 to 4.6, but afterwards our install agent doesn't work anymore and says "The computer account couldn't be created or renewed". If I delete the computer account via RSAT, installation works. So it's just the renewing account that has troubles.

I tried to reproduce this and realized that the PS command Reset-ComputerMachinePassword works in 4.5, but not in 4.6. The error in 4.6 is:

    PS C:\Users\Administrator> Reset-ComputerMachinePassword -Credential $cred
    Reset-ComputerMachinePassword : Das Kennwort des sicheren Kanals für das Computerkonto konnte in der Domäne nicht zurückgesetzt werden. Fehler beim Vorgang mit der folgenden Ausnahme: Der Server ist nicht funktionstüchtig.
    .
    In Zeile:1 Zeichen:1
    + Reset-ComputerMachinePassword -Credential $cred
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (vm01:String) [Reset-ComputerMachinePassword], InvalidOperationException
        + FullyQualifiedErrorId : FailToResetPasswordOnDomain,Microsoft.PowerShell.Commands.ResetComputerMachinePasswordCommand

At the same time, log.samba creates the following 4 lines:

    [2017/11/07 16:24:32.489649, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
      NTLMSSP NTLM2 packet check failed due to invalid signature!
    [2017/11/07 16:24:32.506014, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
      NTLMSSP NTLM2 packet check failed due to invalid signature!
    [2017/11/07 16:24:32.522244, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
      NTLMSSP NTLM2 packet check failed due to invalid signature!
    [2017/11/07 16:24:32.537621, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
      NTLMSSP NTLM2 packet check failed due to invalid signature!

The behaviour is the same if I update 4.5 to 4.6 or install 4.6 freshly.
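For triaging a log.samba excerpt like the one in the report above, the following added example (not part of the thread and not Samba project code) parses the two-line log entries and groups the NTLMSSP invalid-signature failures into bursts, so each burst can be matched to one client attempt. The function names, the one-second grouping gap, and the two extra sample entries are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four entries quoted in the report, plus two made-up
# entries (an unrelated message and a later failure) to exercise the grouping.
SAMPLE_LOG = """\
[2017/11/07 16:24:32.489649, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.506014, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.522244, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:32.537621, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2017/11/07 16:24:40.000000, 3] ../constructed/example.c:1(constructed_function)
  constructed unrelated message
[2017/11/07 16:30:01.000000, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
"""

# Header layout as in the excerpt: [timestamp, level] file:line(function)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)\s*$")
SIG_FAIL = "packet check failed due to invalid signature"

def parse_entries(text):
    """Pair each header line with the indented message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            entries.append({"time": ts, "level": int(m.group(2)), "message": "",
                            "source": f"{m.group(3)}:{m.group(4)}", "function": m.group(5)})
        elif entries and line.strip():
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries

def signature_failure_bursts(entries, gap=timedelta(seconds=1)):
    """Group NTLMSSP signature failures whose timestamps lie within `gap` of each other."""
    bursts = []
    for e in entries:
        if e["function"] != "ntlmssp_check_packet" or SIG_FAIL not in e["message"]:
            continue
        if bursts and e["time"] - bursts[-1][-1]["time"] <= gap:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return [(b[0]["time"], b[-1]["time"], len(b)) for b in bursts]
```

Calling `signature_failure_bursts(parse_entries(SAMPLE_LOG))` returns one `(first, last, count)` tuple per burst; the header pattern assumes the default header layout seen in the excerpt.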
Also, the problem is still present in 4.7.1.
If you could do a git bisect between the last working release and the first failing one, that would be great, so we can pin down what changed. That will probably make the fix obvious.

Have you already applied all security patches? If so, it may have broken with the so-called badlock changes when 'ldap server require strong auth' was introduced; try 'ldap server require strong auth = allow_sasl_over_tls' if so.
I'm sorry, I don't have the necessary resources to do this. That's why we're buying the samba packages. AFAIK, 4.5 is long after badlock, isn't it?