Bug 15684 - Samba failed to update machine password - "net ads changetrustpw" fails
Summary: Samba failed to update machine password - "net ads changetrustpw" fails
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.15.13
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:

Reported: 2024-07-24 03:17 UTC by shu.zhang
Modified: 2024-07-25 07:50 UTC

See Also:


Attachments

Description shu.zhang 2024-07-24 03:17:22 UTC
Hi Experts,

I have Ubuntu 22.04 as a member of a Windows AD domain. I'm using a combination of sssd and samba; Samba manages the machine password changes.
I can update the password successfully with the command "net ads changetrustpw -d 3", and I can see the password was updated in "/var/lib/samba/private/secrets.tdb" successfully; then I can successfully run "net ads keytab create -P -d 3".

But once I reset the machine password from the AD side, in ADSI Edit, and then store the machine password in secrets.tdb on Ubuntu with the command "tdbtool /var/lib/samba/private/secrets.tdb store SECRETS/MACHINE_PASSWORD/SHU "newpassword\0"", "net ads keytab create -P" still works as expected and the keytab is updated. But if I want to update the machine password with the command "net ads changetrustpw" again, it fails with the error message below:
Failed kinit for principal shu-u22keytab-1$@SHU.LOCAL (Preauthentication failed)
ads_change_trust_account_password: kerberos_set_password(10.158.210.93, shu-u22keytab-1$@SHU.LOCAL) failed for new_password of SHU - NT_STATUS_LOGON_FAILURE
     failed_change: struct secrets_domain_infoB
Password change failed: Preauthentication failed

I checked secrets.tdb and found that the password had been updated while it is still the old one on the AD side; in this case, "net ads keytab create -P" always fails with a preauthentication error.
The only way I found to make the command "net ads changetrustpw" work again is to rejoin the domain.
But "net ads changetrustpw" might not work hours later, and I have to rejoin the domain again.

I am wondering if I missed any step after running "net ads changetrustpw"? Or can it be a limitation?
Is there a workaround to make "net ads changetrustpw" work every time without rejoining the domain?
Comment 1 Rowland Penny 2024-07-24 09:00:29 UTC
(In reply to shu.zhang from comment #0)
At first glance, this doesn't look like a bug report, it looks like a request for help.

Can you please go here:

https://lists.samba.org/mailman/listinfo/samba

Register for the samba mailing list and then post there.
Comment 2 Stefan Metzmacher 2024-07-24 11:09:49 UTC
SECRETS/MACHINE_PASSWORD/ is no longer the primary record...
There's now a binary blob stored under SECRETS/MACHINE_DOMAIN_INFO/
It can be dumped using 'net primarytrust dumpinfo'.

But why are you resetting the password in ADSI Edit at all???
Comment 3 shu.zhang 2024-07-25 02:09:26 UTC
(In reply to Stefan Metzmacher from comment #2)
Hi Stefan,

I ran into a keytab create issue before: when I used "net ads changetrustpw" to update the machine password on Ubuntu 22.04, it worked as expected, but then running "net ads keytab create -P" failed with a pre-authentication error.
The issue cannot be reproduced consistently; it occurs about every 5 times when running "net ads changetrustpw" and "net ads keytab create -P". Do you have any idea about this?

I was wondering if the machine password was updated from the AD side before I ran "net ads changetrustpw". So I reset the machine password in ADSI Edit, then saved it on Ubuntu and tried to reproduce the issue. I am not sure whether this is supported?

Thank you so much for your effort.
Comment 4 Stefan Metzmacher 2024-07-25 07:50:56 UTC
(In reply to shu.zhang from comment #3)

I guess "net ads changetrustpw" and "net ads keytab create -P" both use kerberos
and may talk to different domain controllers. With kerberos we don't do
any fallback trying the old password, as a DC may not have the new password replicated.

There are some pending changes in
https://gitlab.com/samba-team/samba/-/merge_requests/1999
hopefully they will be ready for 4.21 scheduled for September.

With these changes 'kerberos method' is no longer needed
and winbindd will automatically change the password in a more reliable
way and also update keytabs as configured.
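The race described in comment 4 (the password change lands on one DC, the following Kerberos login is served by another DC that has not replicated it yet, and Kerberos never falls back to the old password) can be checked for operationally rather than worked around by rejoining. The script below is an added example for this thread, not Samba's own code or the pending merge request: after `net ads changetrustpw` it polls every DC until each one accepts the new machine credential and only then runs `net ads keytab create -P`. Assumptions, all hypothetical: the DC list is supplied in the `DCS` variable, and the per-DC check defaults to `net ads testjoin -S <dc>` (assumed to validate the machine account against that specific DC; `CHECK_CMD` lets you substitute another check, which is also how the offline test injects a fake).

```shell
#!/bin/sh
# rotate_and_verify.sh - added example, not part of Samba.
# Rotate the machine account password, then wait until every DC has the
# new password before touching the keytab, since Kerberos will not fall
# back to the old password on a DC that has not replicated yet.

DCS="${DCS:-}"                                  # space separated DC hostnames (assumption)
CHECK_CMD="${CHECK_CMD:-net ads testjoin -S}"   # per-DC credential check (assumption)
MAX_ATTEMPTS="${MAX_ATTEMPTS:-12}"              # how many polling rounds before giving up
SLEEP_SECS="${SLEEP_SECS:-10}"                  # pause between rounds

# dc_accepts DC: exit 0 when the check command succeeds against that DC.
dc_accepts() {
    # shellcheck disable=SC2086
    $CHECK_CMD "$1" >/dev/null 2>&1
}

# failing_dcs: print one line per DC that still rejects the new password.
failing_dcs() {
    for dc in $DCS; do
        dc_accepts "$dc" || printf '%s\n' "$dc"
    done
}

# wait_for_replication: poll until no DC fails or attempts run out.
# Returns 0 when every DC accepts the new password, 1 otherwise.
wait_for_replication() {
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        pending=$(failing_dcs)
        if [ -z "$pending" ]; then
            return 0
        fi
        # shellcheck disable=SC2086
        echo "attempt $attempt: new password not yet accepted by:" $pending >&2
        attempt=$((attempt + 1))
        sleep "$SLEEP_SECS"
    done
    return 1
}

# rotate_machine_password: the full procedure; refuses to rewrite the keytab
# while any DC would still reject a kinit with the new password.
rotate_machine_password() {
    net ads changetrustpw || return 1
    if wait_for_replication; then
        net ads keytab create -P
    else
        echo "new machine password not accepted by all DCs; keytab left unchanged" >&2
        return 1
    fi
}

# Only act when invoked as 'rotate_and_verify.sh rotate'; sourcing the file
# just defines the functions.
if [ "${1:-}" = "rotate" ]; then
    rotate_machine_password
fi
```

Run it as `DCS="dc1.shu.local dc2.shu.local" sh rotate_and_verify.sh rotate` on the member. Keeping the keytab step behind the replication check means a transient failure leaves you with a consistent old keytab and a `net ads keytab create -P` you can simply re-run later, instead of the mismatched state the reporter hit.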