Hi Experts, I have Ubuntu 22.04 as a member of a Windows AD domain. I'm using a combination of sssd and samba; Samba manages machine password changes. I can update the password successfully with the command "net ads changetrustpw -d 3", I can see the password was updated in "/var/lib/samba/private/secrets.tdb", and I can then successfully run "net ads keytab create -P -d 3".

But once I reset the machine password from the AD side in ADSI Edit and then store the machine password in secrets.tdb on Ubuntu with the command "tdbtool /var/lib/samba/private/secrets.tdb store SECRETS/MACHINE_PASSWORD/SHU "newpassword\0"", "net ads keytab create -P" still works as expected and the keytab is updated. But if I then try to update the machine password with "net ads changetrustpw" again, it fails with the error message below:

Failed kinit for principal shu-u22keytab-1$@SHU.LOCAL (Preauthentication failed)
ads_change_trust_account_password: kerberos_set_password(10.158.210.93, shu-u22keytab-1$@SHU.LOCAL) failed for new_password of SHU - NT_STATUS_LOGON_FAILURE
failed_change: struct secrets_domain_infoB
Password change failed: Preauthentication failed

I checked secrets.tdb and found the password had been updated, while it is still the old one on the AD side; in this case "net ads keytab create -P" always fails with a preauthentication error. The only way I have found to make "net ads changetrustpw" work again is to rejoin the domain. But "net ads changetrustpw" might not work hours later and I have to rejoin the domain again. I am wondering if I missed any step after running "net ads changetrustpw"? Or could it be a limitation? Is there a workaround to make "net ads changetrustpw" work every time without rejoining the domain?
(In reply to shu.zhang from comment #0) At first glance, this doesn't look like a bug report, it looks like a request for help. Can you please go here: https://lists.samba.org/mailman/listinfo/samba Register for the samba mailing list and then post there.
SECRETS/MACHINE_PASSWORD/ is no longer the primary record... There's now a binary blob stored under SECRETS/MACHINE_DOMAIN_INFO/. It can be dumped using 'net primarytrust dumpinfo'. But why are you resetting the password in ADSI Edit at all???
(In reply to Stefan Metzmacher from comment #2) Hi Stefan, I ran into a keytab create issue before: when I used "net ads changetrustpw" to update the machine password on Ubuntu 22.04, it worked as expected, but then running "net ads keytab create -P" failed with a pre-authentication error. The issue cannot be reproduced consistently; it occurs about every 5 times I run "net ads changetrustpw" and "net ads keytab create -P". Do you have any idea on this? I was wondering whether the machine password had been updated from the AD side before I ran "net ads changetrustpw". So I reset the machine password in ADSI Edit, then saved it on Ubuntu and tried to reproduce the issue. I am not sure whether this is supported? Thank you so much for your effort.
(In reply to shu.zhang from comment #3) I guess "net ads changetrustpw" and "net ads keytab create -P" both use Kerberos and may talk to different domain controllers. With Kerberos we don't do any fallback trying the old password, as a DC may not have the new password replicated yet. There are some pending changes in https://gitlab.com/samba-team/samba/-/merge_requests/1999; hopefully they will be ready for 4.21, scheduled for September. With these changes 'kerberos method' is no longer needed, and winbindd will automatically change the password in a more reliable way and also update keytabs as configured.
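The shell script below is an added example, not code from this bug report or from the Samba project. It puts the explanation in comment #4 into practice on the assumption that the unreliability comes from the two net commands reaching different domain controllers: it runs both "net ads changetrustpw" and "net ads keytab create -P" against one named DC (pinned with net's -S/--server option; choosing that as the workaround is the author's assumption, not advice given in the thread), then proves the new keytab matches what that DC holds with a keytab-based kinit, which is exactly the step that failed with "Preauthentication failed" above. The DC name, the principal and the keytab path are placeholders; NET, KINIT and KDESTROY can be overridden so the function can be exercised with stub binaries.

```shell
#!/bin/sh
# Added example (not Samba code): rotate the machine account password and
# rebuild the keytab against ONE named domain controller, then verify the
# keytab with kinit. Assumptions not taken from the bug report:
#   - net's -S/--server option is used to pin both steps to the same DC
#   - the keytab lives at /etc/krb5.keytab unless KEYTAB is set
#   - NET, KINIT and KDESTROY name the tools and may be overridden for testing

: "${NET:=net}"
: "${KINIT:=kinit}"
: "${KDESTROY:=kdestroy}"
: "${KEYTAB:=/etc/krb5.keytab}"

# rotate_machine_password DC PRINCIPAL
#   DC        - FQDN or IP of the domain controller used for every step
#   PRINCIPAL - machine principal, e.g. 'myhost$@EXAMPLE.TEST'
# Returns 0 on success, 1/2/3 for a failure in step 1/2/3 respectively.
rotate_machine_password() {
    dc=$1
    principal=$2

    # 1. Change the trust (machine account) password on the pinned DC.
    "$NET" ads changetrustpw -S "$dc" || return 1

    # 2. Regenerate the keytab from the new secret, on the same DC, so the
    #    keytab step cannot land on a DC that has not replicated the change.
    "$NET" ads keytab create -P -S "$dc" || return 2

    # 3. Prove the keytab is usable: a keytab-based kinit for the machine
    #    principal is the operation that failed with "Preauthentication failed".
    "$KINIT" -k -t "$KEYTAB" "$principal" || return 3
    "$KDESTROY" >/dev/null 2>&1 || true
    return 0
}

# When invoked directly: rotate_machine_password.sh DC PRINCIPAL
if [ $# -eq 2 ]; then
    rotate_machine_password "$1" "$2"
fi
```

Run it from cron or a timer with a DC that you know is healthy; a non-zero exit from step 3 means the keytab and the DC disagree, and that is the moment to investigate (or rejoin) rather than waiting for the next rotation to fail.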