From Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199:

When trying to configure an IPA client as a Samba file server, the ipa-client-samba command fails in a step calling "net changesecretpw -f". The failure did not happen with samba-4.20.4-1.fc42.x86_64 but is seen with 4.21.0-0.6.rc4.fc42.

Reproducible: Always

Steps to Reproduce:
1. Install ipa server on server.ipa.test:
   dnf install -y freeipa-server-dns
   ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
2. Install ipa client on client.ipa.test:
   dnf install -y freeipa-client-samba
   ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U
3. Try to configure the client as samba file server:
   echo Secret123 | kinit admin
   ipa-client-samba -U

Actual Results:
# ipa-client-samba -U
Searching for IPA server...
IPA server: ['server.ipa.test']
Chosen IPA master: ['server.ipa.test']
SMB principal to be created: cifs/client.ipa.test@IPA.TEST
NetBIOS name to be used: CLIENT
Discovered domains to use:
Domain name: ipa.test
NetBIOS name: IPA
SID: S-1-5-21-559329419-496287489-4055619056
ID range: 1990800000 - 1990999999
Cannot set machine account creds in Samba.
Error: CalledProcessError(Command ['/usr/bin/net', 'changesecretpw', '-f'] returned non-zero exit status 1: 'pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned No logon servers are currently available to service the logon request.\nsecrets_prepare_password_change: Sync of machine password failed.\nUnable to write the machine account password in the secrets database')
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-samba", line 15, in <module>
    sys.exit(ipa_client_samba.run())
             ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/site-packages/ipaclient/install/ipa_client_samba.py", line 735, in run
    populate_samba_databases(
    ~~~~~~~~~~~~~~~~~~~~~~~~^
        fstore, statestore, options, domains[0], password
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/lib/python3.13/site-packages/ipaclient/install/ipa_client_samba.py", line 366, in populate_samba_databases
    ipautil.run(args, stdin=password, encoding="utf-8")
    ~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipapython/ipautil.py", line 594, in run
    raise CalledProcessError(
        p.returncode, arg_string, output_log, error_log
    )
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/net', 'changesecretpw', '-f'] returned non-zero exit status 1: 'pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned No logon servers are currently available to service the logon request.\nsecrets_prepare_password_change: Sync of machine password failed.\nUnable to write the machine account password in the secrets database')

Expected Results:
# ipa-client-samba -U
Searching for IPA server...
IPA server: ['server.ipa.test']
Chosen IPA master: ['server.ipa.test']
SMB principal to be created: cifs/client.ipa.test@IPA.TEST
NetBIOS name to be used: CLIENT
Discovered domains to use:
Domain name: ipa.test
NetBIOS name: IPA
SID: S-1-5-21-3799508206-3266988578-3110657925
ID range: 867400000 - 867599999
Samba domain member is configured.
Please check configuration at /etc/samba/smb.conf and start smb and winbind services

This is due to refactoring done by Pavel in commit

commit 683f6eec40f2efbb122329800ebb2f5d2f518746
Author: Pavel Filipenský <pfilipensky@samba.org>
Date:   Thu Dec 21 13:57:38 2023 +0100

    s3: Sync machine account password in secrets_{prepare,finish}_password_change

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

and commit

commit e08b2963d98ea82cb5989f5e7c80e808859e98dd
Author: Pavel Filipenský <pfilipensky@samba.org>
Date:   Wed Feb 28 13:30:30 2024 +0100

    s3:libads: Call 'sync machine password script' when machine password is updated

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

We use 'kerberos method = dedicated keytab' in the FreeIPA domain member configuration. What we don't do: we don't have 'sync machine password to keytab', which was introduced as a part of that patchset. As a result, Samba attempts to synchronize the machine account we set with 'net changesecretpw -f' to the keytab and fails, not finding a domain controller to figure out what encryption types/KVNO/SPNs must be set in the keytab. The thing is, the IPA domain controller is a Samba DC in a special mode, not an AD DC, so it might not respond as you expect. Second, the current logic of 'sync machine password to keytab' does not allow handling any use case where we do not want to sync keytabs (because they are already in sync).

I think there are two actions here:
- Samba can add 'sync machine password to keytab = false' to disable syncing

-----------------------------------------------------------------------------------

Solved by MR https://gitlab.com/samba-team/samba/-/merge_requests/3786,

commit 4f577c7b6894132be4842944f2f950b087312b16 (HEAD -> master, origin/master, origin/HEAD)
Author: Alexander Bokovoy <ab@samba.org>
Date:   Tue Sep 3 08:48:24 2024 +0300

    sync machine password to keytab: handle FreeIPA use case
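Added example, not part of the bug report and not Samba or FreeIPA code: two small operator-side checks for the condition described above. The first reads an smb.conf and reports whether it has the FreeIPA domain-member layout the report names ('kerberos method = dedicated keytab' with no 'sync machine password to keytab' line), which is the layout affected on the 4.21.0 rc builds before the fix. The second maps the stderr of 'net changesecretpw -f' quoted in the Actual Results to a short diagnosis, so a wrapper around the command can say which step failed instead of surfacing a bare CalledProcessError. The smb.conf text in the block is constructed for the example; the error text is the one quoted in the report. The function names and result labels are the example's own.

```python
"""Added example (not from the bug report, Samba or FreeIPA): smb.conf and
'net changesecretpw -f' error checks for the FreeIPA domain-member case."""
import re

# Constructed sample smb.conf with the layout the report describes:
# dedicated keytab, no 'sync machine password to keytab' parameter.
SAMPLE_SMB_CONF = """\
[global]
    realm = IPA.TEST
    workgroup = IPA
    security = user
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    ; no 'sync machine password to keytab' line

[homes]
    browseable = no
"""

# stderr of 'net changesecretpw -f' as quoted in the report's Actual Results
NET_CHANGESECRETPW_STDERR = (
    "pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned "
    "No logon servers are currently available to service the logon request.\n"
    "secrets_prepare_password_change: Sync of machine password failed.\n"
    "Unable to write the machine account password in the secrets database"
)


def parse_global_section(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Samba parameter names are case-insensitive and tolerate differences in
    internal whitespace, so keys are normalised to lower case with single
    spaces. Comment lines (';' or '#') and other sections are ignored.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def inspect_smb_conf(text):
    """Classify an smb.conf against the layout described in the report.

    'freeipa-dedicated-keytab-no-sync': dedicated keytab and no explicit
        'sync machine password to keytab'; this is the affected layout.
    'dedicated-keytab-with-sync': the sync parameter is set explicitly.
    'not-dedicated-keytab': another kerberos method; the path is not taken.
    """
    params = parse_global_section(text)
    if params.get("kerberos method", "").lower() != "dedicated keytab":
        return "not-dedicated-keytab"
    if "sync machine password to keytab" in params:
        return "dedicated-keytab-with-sync"
    return "freeipa-dedicated-keytab-no-sync"


def classify_net_error(stderr):
    """Map 'net changesecretpw -f' stderr to a diagnosis label.

    The markers are taken from the output quoted in the report:
    pw2kt_get_dc_info is the keytab-sync step and the ads_connect() text
    means no domain controller answered the lookup.
    """
    if "pw2kt_get_dc_info" in stderr and "No logon servers" in stderr:
        return "keytab-sync-dc-lookup-failed"
    if "Sync of machine password failed" in stderr:
        return "keytab-sync-failed"
    if "Unable to write the machine account password" in stderr:
        return "secrets-write-failed"
    return "unknown"


if __name__ == "__main__":
    print(inspect_smb_conf(SAMPLE_SMB_CONF))
    print(classify_net_error(NET_CHANGESECRETPW_STDERR))
```

Running the block on the constructed sample reports the affected layout and the DC-lookup diagnosis; the same two functions can be pointed at a real /etc/samba/smb.conf and at the stderr captured from the failing ipa-client-samba step.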
Created attachment 18441 [details] backport to 4.21 branch
Comment on attachment 18441 [details] backport to 4.21 branch

Applies cleanly
Created attachment 18442 [details] backport to 4.21 branch updated BUG reference
Pushed to autobuild-v4-21-test.
This bug was referenced in samba v4-21-test: 0ed55bfe0820819c7653110c5650bb02084a67a1
Closing out bug report. Thanks!