Bug 14007 - Regression: Samba-4.10.4 breaks net ads join
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.10.4
Hardware: All All
Importance: P5 regression
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 14114
Depends on:
Blocks:
 
Reported: 2019-06-24 19:54 UTC by Evgeny Sinelnikov
Modified: 2019-09-12 10:06 UTC (History)

See Also:


Attachments
Fix join with don't exists machine account (1.28 KB, patch)
2019-07-31 22:12 UTC, Evgeny Sinelnikov
no flags
patch from master for v4.9, v4.10 and v4.11 (1.63 KB, patch)
2019-09-04 17:11 UTC, Guenther Deschner
no flags
patch from master for v4.9, v4.10 and v4.11 (1.70 KB, patch)
2019-09-04 17:13 UTC, Guenther Deschner
metze: review+
ab: review+

Description Evgeny Sinelnikov 2019-06-24 19:54:20 UTC
Since 4.10.4 (and also in 4.10.5), net ads join doesn't work:

[root@clw0 ~]# net ads join -UAdministrator
Enter Administrator's password:
Failed to join domain: failed to join domain 'DOMAIN.ALT' over rpc: None of the information to be translated has been translated.

The client on samba-4.10.3, with the same build options in the same environment, works properly.
Comment 1 Louis 2019-06-26 09:21:37 UTC
Can you try:

net ads join -U "ADDOM\Administrator"

It is also handy for us to have a bug report with some extra info, like:
smb.conf
resolv.conf
hosts
krb5.conf
Comment 2 Evgeny Sinelnikov 2019-06-26 18:47:58 UTC
I have the following configuration:

[root@clw0 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 86:64:95:78:6f:26 brd ff:ff:ff:ff:ff:ff
    inet 10.64.170.100/24 brd 10.64.170.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 7a:db:fb:9f:a3:8f brd ff:ff:ff:ff:ff:ff
    inet 10.64.180.100/24 brd 10.64.180.255 scope global eth1
       valid_lft forever preferred_lft forever

[root@clw0 ~]# cat /etc/resolv.conf
# Generated by resolvconf
# Do not edit manually, use
# /etc/net/ifaces/<interface>/resolv.conf instead.
domain domain.alt
nameserver 10.64.180.10
nameserver 8.8.8.8

[root@clw0 ~]# cat /etc/krb5.conf
#includedir /etc/krb5.conf.d/

[logging]
# default = FILE:/var/log/krb5libs.log
# kdc = FILE:/var/log/krb5kdc.log
# admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
 dns_lookup_kdc = true
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = DOMAIN.ALT
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  default_domain = example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

[root@clw0 ~]# cat /etc/samba/smb.conf
[global]
        security = ads
        realm = DOMAIN.ALT
        workgroup = DOMAIN
        netbios name = CLW0
        template shell = /bin/bash
        kerberos method = system keytab
        wins support = no

        idmap config * : range = 10000-20000000
        idmap config * : backend = tdb
;       encrypt passwords = true
;       dns proxy = no
;       socket options = TCP_NODELAY
;       domain master = no
;       local master = no
;       preferred master = no
;       os level = 0
;       domain logons = no
;       load printers = no
;       show add printer wizard = no
;       printcap name = /dev/null
;       disable spoolss = yes
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

[root@clw0 ~]# host domain.alt
domain.alt has address 10.64.180.10
domain.alt has address 10.64.180.11
domain.alt has address 10.64.180.12

[root@clw0 ~]# host dc0.domain.alt
dc0.domain.alt has address 10.64.180.10

[root@clw0 ~]# cat /etc/hosts
127.0.0.1       localhost.localdomain localhost
#10.64.170.222 dc2
#10.64.170.100 clw0
#10.64.170.101 clw1
#10.64.170.102 clw2
#10.64.170.225 dc1
#10.64.170.223 dc0

[root@clw0 ~]# net ads join -U"DOMAIN\Administrator"
Enter DOMAIN\Administrator's password:
kerberos_kinit_password Administrator@DOMAIN failed: Cannot find KDC for requested realm
Failed to join domain: failed to join domain 'DOMAIN.ALT' over rpc: None of the information to be translated has been translated.

[root@clw0 ~]# rpm -qf /usr/bin/net
samba-common-tools-4.10.5-alt1.x86_64

[root@clw0 ~]# klist 
klist: Credentials cache keyring 'persistent:0:0' not found

[root@clw0 ~]# kinit administrator
Password for administrator@DOMAIN.ALT: 
Warning: Your password will expire in 39 days on Пн 05 авг 2019 12:06:21

[root@clw0 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@DOMAIN.ALT

Valid starting       Expires              Service principal
26.06.2019 18:45:22  27.06.2019 04:45:22  krbtgt/DOMAIN.ALT@DOMAIN.ALT
        renew until 03.07.2019 18:45:09

[root@clw0 ~]# smbclient -k -L //dc0

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        IPC$            IPC       IPC Service (Samba 4.10.5)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

[root@clw0 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@DOMAIN.ALT

Valid starting       Expires              Service principal
26.06.2019 18:45:33  27.06.2019 04:45:22  cifs/dc0@DOMAIN.ALT
        renew until 03.07.2019 18:45:09
26.06.2019 18:45:22  27.06.2019 04:45:22  krbtgt/DOMAIN.ALT@DOMAIN.ALT
        renew until 03.07.2019 18:45:09
Comment 3 Louis 2019-06-27 09:55:48 UTC
OK, start with this.

Note: I'm not into RH, I normally only do Debian and related.


/etc/net/ifaces/<interface>/resolv.conf 
domain domain.alt
nameserver 10.64.180.10  << is this your DC? Then it's OK.
nameserver 8.8.8.8  < should not be needed, use the forward in the AD-DC or if you use bind9_dlz, then in bind. 

krb5.conf 
[libdefaults]
 default_realm = DOMAIN.ALT
 dns_lookup_realm = false
 dns_lookup_kdc = true

That is all you need, if your resolving is correct.
The rest are defaults; make it work first, then add the things you need.

/etc/samba/smb.conf

You're missing the member parts...
Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
For example, where is:
 idmap config DOMAIN : range = 10000-20000000
 idmap config DOMAIN : backend = AD or RID

This: host domain.alt
So you have 3 DCs, correct?
Then why are there not 3 DCs in the resolv.conf? (It's possible, but that depends on your network, which I cannot see from here.)
I suggest adding the 3 DCs to resolv.conf.

/etc/hosts
127.0.0.1       localhost.localdomain localhost
$(hostname -i)  $(hostname -f)  $(hostname -s) 

(Run these and add as shown.)


Then, after you have fixed the above, this should work now:
net ads join -U"DOMAIN\Administrator"
Enter DOMAIN\Administrator's password:
kerberos_kinit_password Administrator@DOMAIN failed: Cannot find KDC for requested realm

I hope you change this.
list
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@DOMAIN.ALT

Valid starting       Expires              Service principal
26.06.2019 18:45:33  27.06.2019 04:45:22  cifs/dc0@DOMAIN.ALT

This is plain wrong: cifs/dc0@DOMAIN.ALT
It should be, at minimum, cifs/dc0.domain.alt@DOMAIN.ALT
Comment 4 Evgeny Sinelnikov 2019-07-19 21:23:07 UTC
These are the defaults. On 4.10.3 everything works:

[root@clw2 ~]# kinit administrator
Password for administrator@DEMO.ALT: 
Warning: Your password will expire in 41 days on Fri Aug 30 21:05:36 2019
[root@clw2 ~]# smbclient -k -L //dc0.demo.alt

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        IPC$            IPC       IPC Service (Samba 4.10.2)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@clw2 ~]# id administrator
uid=441600500(administrator) gid=441600513(domain users) groups=441600513(domain users),441600512(domain admins),441600518(schema admins),441600520(group policy creator owners),441600572(denied rodc password replication group),441600519(enterprise admins),100(users),80(cdwriter),22(cdrom),81(audio),470(video),19(proc),83(radio),460(camera),71(floppy),498(xgrp),499(scanner),14(uucp),489(vboxusers),465(fuse),455(localadmins),10(wheel)
[root@clw2 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@DEMO.ALT

Valid starting     Expires            Service principal
07/19/19 21:05:56  07/20/19 07:05:45  cifs/dc0.demo.alt@DEMO.ALT
        renew until 07/26/19 21:05:43
07/19/19 21:05:45  07/20/19 07:05:45  krbtgt/DEMO.ALT@DEMO.ALT
        renew until 07/26/19 21:05:43
[root@clw2 ~]# net ads testjoin
Join is OK
[root@clw2 ~]# rpm -q samba-client
samba-client-4.10.3-alt4.x86_64
____________________________________

[root@clw2 ~]# cat /etc/samba/smb.conf
[global]
        security = ads
        realm = DEMO.ALT
        workgroup = DEMO
        netbios name = CLW2
        template shell = /bin/bash
        kerberos method = system keytab
        wins support = no

        idmap config * : range = 10000-20000000
        idmap config * : backend = tdb
;       encrypt passwords = true
;       dns proxy = no
;       socket options = TCP_NODELAY
;       domain master = no
;       local master = no
;       preferred master = no
;       os level = 0
;       domain logons = no
;       load printers = no
;       show add printer wizard = no
;       printcap name = /dev/null
;       disable spoolss = yes
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
____________________________________

Try to rejoin:
[root@clw2 ~]# net ads join -UAdministrator
Enter Administrator's password:
Using short domain name -- DEMO
Joined 'CLW2' to dns domain 'demo.alt'
kerberos_kinit_password CLW2$@DEMO.ALT failed: Preauthentication failed
DNS update failed: kinit failed: Preauthentication failed

So, how to reproduce the problem:

[root@clw2 ~]# apt-get install samba-client
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  libldb-modules-dc libnetapi libsmbclient libwbclient python3-module-samba samba-common samba-common-libs samba-common-tools samba-dc-libs samba-libs
The following packages will be upgraded
  libldb-modules-dc libnetapi libsmbclient libwbclient python3-module-samba samba-client samba-common samba-common-libs samba-common-tools samba-dc-libs samba-libs
11 upgraded, 0 newly installed, 0 removed and 629 not upgraded.
Need to get 9947kB of archives.
After unpacking 6054B of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://git.altlinux.org repo/232723/x86_64/task samba-client 4.10.5-alt1@1561045371 [514kB]
Get:2 http://git.altlinux.org repo/232723/x86_64/task samba-common-tools 4.10.5-alt1@1561045371 [442kB]
Get:3 http://git.altlinux.org repo/232723/x86_64/task samba-common 4.10.5-alt1@1561045371 [207kB]
Get:4 http://git.altlinux.org repo/232723/x86_64/task python3-module-samba 4.10.5-alt1@1561045371 [2864kB]
Get:5 http://git.altlinux.org repo/232723/x86_64/task libldb-modules-dc 4.10.5-alt1@1561045371 [309kB]
Get:6 http://git.altlinux.org repo/232723/x86_64/task samba-dc-libs 4.10.5-alt1@1561045371 [525kB]
Get:7 http://git.altlinux.org repo/232723/x86_64/task libsmbclient 4.10.5-alt1@1561045371 [78.5kB]
Get:8 http://git.altlinux.org repo/232723/x86_64/task samba-common-libs 4.10.5-alt1@1561045371 [1617kB]
Get:9 http://git.altlinux.org repo/232723/x86_64/task samba-libs 4.10.5-alt1@1561045371 [3210kB]
Get:10 http://git.altlinux.org repo/232723/x86_64/task libnetapi 4.10.5-alt1@1561045371 [127kB]
Get:11 http://git.altlinux.org repo/232723/x86_64/task libwbclient 4.10.5-alt1@1561045371 [54.3kB]
Fetched 9947kB in 2s (4829kB/s) 
Committing changes...
Preparing...                                                     #### [100%]
Updating / installing...
 1: libwbclient-4.10.5-alt1                                      #### [  5%]
 2: samba-common-libs-4.10.5-alt1                                #### [  9%]
 3: libnetapi-4.10.5-alt1                                        #### [ 14%]
 4: samba-libs-4.10.5-alt1                                       #### [ 18%]
 5: libsmbclient-4.10.5-alt1                                     #### [ 23%]
 6: samba-common-4.10.5-alt1                                     #### [ 27%]
 7: samba-common-tools-4.10.5-alt1                               #### [ 32%]
 8: libldb-modules-dc-4.10.5-alt1                                #### [ 36%]
 9: samba-dc-libs-4.10.5-alt1                                    #### [ 41%]
10: python3-module-samba-4.10.5-alt1                             #### [ 45%]
11: samba-client-4.10.5-alt1                                     #### [ 50%]
Cleaning up / removing...
12: libldb-modules-dc-4.10.3-alt4                                #### [ 55%]
13: samba-dc-libs-4.10.3-alt4                                    #### [ 59%]
14: python3-module-samba-4.10.3-alt4                             #### [ 64%]
15: samba-client-4.10.3-alt4                                     #### [ 68%]
16: samba-common-tools-4.10.3-alt4                               #### [ 73%]
17: samba-common-4.10.3-alt4                                     #### [ 77%]
18: libnetapi-4.10.3-alt4                                        #### [ 82%]
19: samba-libs-4.10.3-alt4                                       #### [ 86%]
20: libsmbclient-4.10.3-alt4                                     #### [ 91%]
21: samba-common-libs-4.10.3-alt4                                #### [ 95%]
22: libwbclient-4.10.3-alt4                                      #### [100%]
Done.

[root@clw2 ~]# net ads join -UAdministrator
Enter Administrator's password:
Using short domain name -- DEMO
Joined 'CLW2' to dns domain 'demo.alt'
kerberos_kinit_password CLW2$@DEMO.ALT failed: Preauthentication failed
DNS update failed: kinit failed: Preauthentication failed

[root@clw2 ~]# hostnamectl 
   Static hostname: clw2.demo.alt
         Icon name: computer-vm
           Chassis: vm
        Machine ID: c5b6832f0506d76f0e08a6305ce911f0
           Boot ID: c520cbed557d4b829105a6ea84de5b48
    Virtualization: kvm
  Operating System: ALT Workstation K 8.3  (Centaurea Ruthenica)
       CPE OS Name: cpe:/o:alt:kworkstation:8.3
            Kernel: Linux 4.9.50-un-def-alt0.M80P.1
      Architecture: x86-64
[root@clw2 ~]# hostnamectl set-hostname clw2x.demo.alt
[root@clw2 ~]# hostname
clw2x.demo.alt

[root@clw2 ~]# net ads join -UAdministrator
Enter Administrator's password:
Using short domain name -- DEMO
Joined 'CLW2' to dns domain 'demo.alt'
kerberos_kinit_password CLW2$@DEMO.ALT failed: Preauthentication failed
DNS update failed: kinit failed: Preauthentication failed

_________________________________________


Looks like it works, really?
But if we change the hostname in smb.conf to the new CLW2X:

[root@clw2 ~]# grep netbios /etc/samba/smb.conf
        netbios name = CLW2X

[root@clw2 ~]# net ads join -UAdministrator
Enter Administrator's password:
Failed to join domain: failed to join domain 'DEMO.ALT' over rpc: None of the information to be translated has been translated.

_________________________________________


We now get the same problem with a clean installation on 4.10.4, 4.10.5 and 4.9.10.
Comment 5 Evgeny Sinelnikov 2019-07-31 18:45:19 UTC
OK, I found it via git bisect. The bad patch is (from 4.10.4):

commit 2b203fae26d79a792c867d66fdc738d4ce269442 (HEAD)
Author: Guenther Deschner <gd@samba.org>
Date:   Mon Apr 1 17:40:03 2019 +0200

    s3:ldap: Leave add machine code early for pre-existing accounts

    This avoids numerous LDAP constraint violation errors when we try to
    re-precreate an already existing machine account.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

    Pair-Programmed-With: Andreas Schneider <asn@samba.org>
    Signed-off-by: Guenther Deschner <gd@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)

From this commit on, samba-4.10 has this regression.

The test looks like this:

[test@clw2y hasher]$ ldapsearch -h dc0.demo.alt -b dc=DEMO,dc=ALT '(samAccountName=CLW2X5$)'
SASL/GSSAPI authentication started
SASL username: administrator@DEMO.ALT
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=DEMO,dc=ALT> with scope subtree
# filter: (samAccountName=CLW2X5$)
# requesting: ALL
#

# search reference
ref: ldap://demo.alt/CN=Configuration,DC=demo,DC=alt

# search reference
ref: ldap://demo.alt/DC=DomainDnsZones,DC=demo,DC=alt

# search reference
ref: ldap://demo.alt/DC=ForestDnsZones,DC=demo,DC=alt

# search result
search: 5
result: 0 Success

# numResponses: 4
# numReferences: 3

[test@clw2y hasher]$ echo -n peebieY4 | sudo su -c "net ads join -v -U Administrator"
Enter Administrator's password:
Failed to join domain: failed to join domain 'DEMO.ALT' over rpc: None of the information to be translated has been translated.

[test@clw2y hasher]$ echo -n peebieY4 | sudo su -c "net ads join -v -d10 -U Administrator" 2>&1 | grep -C2 "Host account for "
gensec_update_done: spnego[0x55a5f5d23150]: NT_STATUS_OK tevent_req[0x55a5f5d2c140/../../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x55a5f5d2c2f0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2070]
ads_domain_func_level: 4
ads_create_machine_acct: Host account for CLW2X5 already exists.
signed SMB2 message
Bind RPC Pipe: host dc0.demo.alt auth_type 0, auth_level 1

[test@clw2y hasher]$ rpm -q --lastchange samba-client
* Пт июл 26 2019 Evgeny Sinelikov <sin@altlinux.org> 4.10.4-alt1.11
- Build for 2b203fae26d

[test@clw2y hasher]$ grep CLW2 /etc/samba/smb.conf
        netbios name = CLW2X5
[test@clw2y hasher]$ hostname
clw2x5.demo.alt
Comment 6 Evgeny Sinelnikov 2019-07-31 22:12:06 UTC
Created attachment 15361 [details]
Fix join with don't exists machine account

Found and tested a solution:

[test@clw2y samba.git.test]$ ldapsearch -Q -LLL -h dc0.demo.alt -b dc=DEMO,dc=ALT '(samAccountName=CLW2X5$)' sAMAccountName                                                 
dn: CN=CLW2X5,CN=Computers,DC=demo,DC=alt
sAMAccountName: CLW2X5$

# refldap://demo.alt/CN=Configuration,DC=demo,DC=alt

# refldap://demo.alt/DC=DomainDnsZones,DC=demo,DC=alt

# refldap://demo.alt/DC=ForestDnsZones,DC=demo,DC=alt

[test@clw2y samba.git.test]$ ldapsearch -Q -LLL -h dc0.demo.alt -b dc=DEMO,dc=ALT '(samAccountName=CLW2X6$)' sAMAccountName                                                 
# refldap://demo.alt/CN=Configuration,DC=demo,DC=alt

# refldap://demo.alt/DC=DomainDnsZones,DC=demo,DC=alt

# refldap://demo.alt/DC=ForestDnsZones,DC=demo,DC=alt

[test@clw2x samba.git.test]$ grep CLW2 /etc/samba/smb.conf
        netbios name = CLW2X6
[test@clw2x samba.git.test]$ hostname
clw2x6.demo.alt

[test@clw2x samba.git.test]$ rpm -q --lastchange samba-client
* Пт июл 26 2019 Evgeny Sinelikov <sin@altlinux.org> 4.10.4-alt1.112
- Build for 95ace7e3078

[test@clw2x samba.git.test]$ sudo su -c "net ads join -v -U Administrator"
Enter Administrator's password:
Using short domain name -- DEMO
Joined 'CLW2X6' to dns domain 'demo.alt'
No DNS domain configured for clw2x6. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
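
The two ldapsearch results in comment 6 both complete successfully and both carry the same three search references; they differ only in whether a dn: entry comes back. The following shell script is an added example, not part of the thread or of Samba's code: it classifies a machine account by counting entries rather than by the search result code. The function names are hypothetical and the sample LDIF is copied from the output in comment 6.

```shell
#!/bin/sh
# Added example: classify a machine account from `ldapsearch -LLL` output.
# Function names are hypothetical; both samples are copied from comment 6.

# Count directory entries in LDIF read from stdin. Only "dn:" / "dn::"
# lines start an entry. "# refldap://" comments (-LLL output) and "ref:"
# lines (default output) are search references, not entries.
ldif_entry_count() {
    awk '/^dn::?/ { n++ } END { print n + 0 }'
}

# Count search references (referrals to other naming contexts).
ldif_reference_count() {
    awk '/^# refldap:\/\// || /^ref:/ { n++ } END { print n + 0 }'
}

# Usage: ldapsearch ... | machine_account_state "$ldapsearch_exit_status"
# Prints: error | absent | exists | ambiguous
machine_account_state() {
    rc=${1:-0}
    if [ "$rc" -ne 0 ]; then
        echo error          # the search itself failed; nothing is known
        return 0
    fi
    entries=$(ldif_entry_count)
    case "$entries" in
        0) echo absent ;;   # success with zero entries: no such account
        1) echo exists ;;
        *) echo ambiguous ;;  # more than one match for one sAMAccountName
    esac
}

# ldapsearch output for (samAccountName=CLW2X5$), from comment 6.
sample_existing() {
    cat <<'EOF'
dn: CN=CLW2X5,CN=Computers,DC=demo,DC=alt
sAMAccountName: CLW2X5$

# refldap://demo.alt/CN=Configuration,DC=demo,DC=alt

# refldap://demo.alt/DC=DomainDnsZones,DC=demo,DC=alt

# refldap://demo.alt/DC=ForestDnsZones,DC=demo,DC=alt
EOF
}

# ldapsearch output for (samAccountName=CLW2X6$), from comment 6.
sample_missing() {
    cat <<'EOF'
# refldap://demo.alt/CN=Configuration,DC=demo,DC=alt

# refldap://demo.alt/DC=DomainDnsZones,DC=demo,DC=alt

# refldap://demo.alt/DC=ForestDnsZones,DC=demo,DC=alt
EOF
}

for s in sample_existing sample_missing; do
    printf '%s: %s (references: %s)\n' "$s" \
        "$($s | machine_account_state 0)" "$($s | ldif_reference_count)"
done
```
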
Comment 7 Louis 2019-08-28 08:33:13 UTC
I really suggest you fix your smb.conf first.

First, id administrator
uid=441600500(administrator) gid=441600513(domain users) 
Administrator = root = uid 0 and should have have any other ID. 

You did not configure the backends correctly, see : 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd 


You're missing the member settings:
    # For ACL support on member servers
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping
ADD : !root = NTDOM\Administrator

the idmap part should look like: 
    ## map id's outside to domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999

    ## map ids from the domain and (*) the range may not overlap !
    idmap config NTDOM: backend = ad
    idmap config NTDOM: schema_mode = rfc2307
    idmap config NTDOM: range = 10000-3999999
Comment 8 Hubert Hoffmann 2019-08-29 11:49:58 UTC
Hello,

I have a similar Problem joining a new Machine with "net ads join" to AD

My Error Message while "net ads join" was:
'Failed to join domain: failed to precreate account in ou xxx: Invalid DN syntax'
Using Debug Mode, I got the Message: "Host account for xxxx already exists." 

With the Patch from Evgeny, "net ads join" is working again for me.

The change causing the problem was introduced by patch:
https://bugzilla.samba.org/show_bug.cgi?id=13861 (Version 4.9.7) 

I joined the Linux Machine without Fileservices and a very reduced smb.conf
[global]
        workgroup = NTDOM
        security = ADS
        realm = AD.DOMAIN.AT
        password server = server1 server2 server3
        kerberos method = system keytab
Comment 9 Stefan Metzmacher 2019-08-29 12:12:01 UTC
(In reply to Hubert Hoffmann from comment #8)

It seems this commit is the problem:

2044ca0e20bd3180720a82506b3af041d14b5c68 s3:ldap: Leave add machine code early for pre-existing accounts


A possible fix could be this:
https://gitlab.com/samba-team/devel/samba/commit/e33162659ff9cff2e4aea7b385e85ad94315aeec
from
https://gitlab.com/samba-team/samba/merge_requests/716
Comment 10 Hubert Hoffmann 2019-08-29 13:37:58 UTC
(In reply to Stefan Metzmacher from comment #9)

The Patch is working for me.

Thank you Stefan.
Comment 11 Stefan Metzmacher 2019-09-04 12:52:07 UTC
*** Bug 14114 has been marked as a duplicate of this bug. ***
Comment 12 Guenther Deschner 2019-09-04 17:11:44 UTC
Created attachment 15460 [details]
patch from master for v4.9, v4.10 and v4.11
Comment 13 Guenther Deschner 2019-09-04 17:13:49 UTC
Created attachment 15461 [details]
patch from master for v4.9, v4.10 and v4.11
Comment 14 Alexander Bokovoy 2019-09-04 17:25:08 UTC
Comment on attachment 15461 [details]
patch from master for v4.9, v4.10 and v4.11

LGTM.
Comment 15 Karolin Seeger 2019-09-10 07:50:24 UTC
Pushed to autobuild-v4-{11,10,9}-test.
Comment 16 Karolin Seeger 2019-09-12 10:06:40 UTC
(In reply to Karolin Seeger from comment #15)
Pushed to all branches.
Closing out bug report.
Thanks!