Bug 6579 - Winbind failing after a week
Summary: Winbind failing after a week
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.3.2
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL:
Keywords:
: 6580 6581 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-07-28 13:25 UTC by Kevin Blackwell
Modified: 2009-09-01 19:36 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin Blackwell 2009-07-28 13:25:27 UTC
I don't enter bug tickets regularly, but after a week, I cannot locate fix/answer.

I'm running samba 3.3.2. WE're mostly using it to authenticate NT users through the squid proxy. Squid 3.0.STABLE13.

On a daily basis, everything runs fine. But like clockwork on a weekly basis, (7 days exactly). On the 7th day, my log.wb.$DOMAIN file grows out of hand and kills the server. It fills up with these messages.

[2009/07/09 07:11:24,  0]
rpc_client/cli_netlogon.c:rpccli_netlogon_set_trust_password(597)
 rpccli_netr_ServerPasswordSet2 failed: NT_STATUS_WRONG_PASSWORD

If I shutdown winbind, issue a 

net ads join -U Administrator%password

restart winbind

Everything returns to normal for 7 days. Then again on the 7th day past the issuing of the net ads command, it happens again.

I've took a look at the code that generated the message. Not sure what the issue is. Hopefully someone that is more familiar with the code can point me in the correct position to correct this issue.

             if (!NT_STATUS_IS_OK(result)) {
+                       DEBUG(0,("rpccli_netr_ServerPasswordSet2 failed: %s\n",
+                               nt_errstr(result)));
+                       return result;

Again, I have no idea why after a week it falls over.

Thanks
Comment 1 Jeremy Allison 2009-07-28 13:38:38 UTC
Ok, every week winbindd is trying to change it's own machine account password (good security practice). It's failing and I'd need a debug level 10 log of this to know why.
In the meantime you can stop winbindd changing its password by setting the parameter :

machine password timeout = 0

in the [global] section of your smb.conf and restarting winbindd.

Jeremy.
Comment 2 Kai Blin 2009-07-30 00:46:09 UTC
*** Bug 6580 has been marked as a duplicate of this bug. ***
Comment 3 Kai Blin 2009-07-30 00:46:35 UTC
*** Bug 6581 has been marked as a duplicate of this bug. ***
Comment 4 Guenther Deschner 2009-08-04 15:47:19 UTC
Not with 3.3.x yet but tested with master and used a timeout of 10 seconds and all worked fine (changed password was fine after every 10 second change).
Comment 5 Guenther Deschner 2009-08-04 15:52:28 UTC
(In reply to comment #4)
> Not with 3.3.x yet but tested with master and used a timeout of 10 seconds and
> all worked fine (changed password was fine after every 10 second change).

now tested with the 10 second interval and 3.3.5 and it worked fine.
Comment 6 Volker Lendecke 2009-08-21 08:04:28 UTC
What are your domain controllers running?

Volker
Comment 7 Guenther Deschner 2009-08-27 11:45:22 UTC
The reporter probably runs either a Win2k, 2k3 or 2k8 DC. In that case - we just found out - Samba is using an encryption routine for the new password that does not deal with the 128bit based session key it has negotiated with the DC.
Comment 8 Guenther Deschner 2009-08-27 12:11:06 UTC
Could you please try the patch from here: 
https://bugzilla.samba.org/attachment.cgi?id=4602 ?
Comment 9 Guenther Deschner 2009-09-01 19:36:15 UTC
I am pretty sure this bug is resolved with the patch mentioned in comment #8, that fix went into 3-3-test and 3-4-test and will be part of the next releases.

Please reopen if still an issue.