Univention Bugzilla – Bug 33151
server-password-change doesn't change RODC Samba4 credentials
Last modified: 2017-04-20 18:03:21 CEST
server-password-change doesn't change Samba4 credentials on an RODC. This causes intermittent problems for GPO evaluation on Windows clients, which are difficult to debug for the administrator. As a workaround the IP address of the RODC can be removed from the DNS forward zone of the Samba4 domain, e.g. via UDM.
Details: The error message is

=============================================================================
run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba4 postchange
Modified 1 records successfully
ERROR: Failed to set password for user 'slaveo$': (1, 'Invalid LDB reply type 1')
Stopping Samba AD DC daemon: samba. nmbd.
Starting Samba AD DC daemon: samba nmbd.
done (Di 5. Nov 15:13:58 CET 2013)
=============================================================================

The error message comes from the command

samba-tool user setpassword "$hostname\$" --newpassword=foo

Looks like this administrative password reset goes against the local sam.ldb, which is flagged read-only. It's not quite clear how to fix this:
* Running "samba-tool user setpassword -H ldap://master" does not seem to work, as Administrative credentials are required for this.
* Running "samba-tool user password", i.e. the user-initiated password change, works, but after that the replication seems to be broken: "samba-tool drs showrepl" showed an error message indicating that the RODC had insufficient rights to access DS replication services (log.samba: Administrator access required for DsReplicaGetInfo). This might be a transient issue, but maybe it's not, as a samba4 restart didn't fix this. Running "samba-tool drs showrepl -UAdministrator" works in this situation, but no DRS connections were listed. More research is required here.
Found this again during UCS 4.0 product tests. After the server-password-change the RODC samba isn't joined any longer:

root@rodc54:~# univention-s4search
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Aquiring initiator credentials failed: kinit for rodc54$@AR40PT2.QA failed (Looping detected inside krb5_get_in_tkt)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldaps://rodc54.ar40pt2.qa' with backend 'ldaps': (null)
Failed to connect to ldaps://rodc54.ar40pt2.qa - (null)

root@rodc54:~# univention-check-join-status
Joined successfully

root@rodc54:~# net rpc testjoin
connect_to_domain_password_server: unable to open the domain client session to machine rodc54.ar40pt2.qa. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Join to domain 'AR40PT2' is not valid: NT_STATUS_ACCESS_DENIED
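The comment above shows the practical trap: univention-check-join-status reports "Joined successfully" while the RODC's Samba machine account can no longer obtain a ticket or bind to its own directory, so an administrator checking only the join status would miss the broken state. The script below is an added example, not part of this bug report or of UCS. It judges the RODC from the output of univention-s4search and "net rpc testjoin" (the two checks that did fail above), runs the real tools when they are installed and otherwise classifies sample output constructed from the lines quoted in this bug. It assumes that univention-s4search passes its arguments through to ldbsearch, so an LDAP filter can be supplied to keep the query small.

```shell
#!/bin/sh
# Added example (not from the bug report or from UCS): post-change health
# check for an RODC. Exit status 1 means the state described in this bug:
# the local Samba machine account no longer authenticates.

# Sample output, constructed from the output quoted in this bug. Used when the
# UCS tools are not installed, so the script also runs on a non-UCS host.
SAMPLE_S4SEARCH_BROKEN='Aquiring initiator credentials failed: kinit for rodc54$@AR40PT2.QA failed (Looping detected inside krb5_get_in_tkt)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>'
SAMPLE_TESTJOIN_BROKEN="Join to domain 'AR40PT2' is not valid: NT_STATUS_ACCESS_DENIED"
# Constructed healthy counterparts (an ldbsearch hit and a clean testjoin).
SAMPLE_S4SEARCH_OK='dn: CN=RODC54,OU=Domain Controllers,DC=ar40pt2,DC=qa
sAMAccountName: RODC54$'
SAMPLE_TESTJOIN_OK="Join to domain 'AR40PT2' is OK"

# classify_rodc_output S4SEARCH_OUTPUT TESTJOIN_OUTPUT
# Prints "ok" or "broken: <reasons>" and returns 0 or 1 accordingly.
# The markers are the ones visible in the bug: a kinit loop for the machine
# account, a failed GSS-SPNEGO LDAP bind, and an RPC testjoin access denial.
classify_rodc_output() {
    s4search_out=$1
    testjoin_out=$2
    reasons=""
    case $s4search_out in
        *"Looping detected inside krb5_get_in_tkt"*) reasons="$reasons kinit-loop" ;;
    esac
    case $s4search_out in
        *"LDAP_INVALID_CREDENTIALS"*|*"NT_STATUS_LOGON_FAILURE"*) reasons="$reasons ldap-bind" ;;
    esac
    case $testjoin_out in
        *"NT_STATUS_ACCESS_DENIED"*|*"is not valid"*) reasons="$reasons rpc-testjoin" ;;
    esac
    if [ -z "$reasons" ]; then
        echo ok
        return 0
    fi
    echo "broken:$reasons"
    return 1
}

# rodc_health_check: run the real commands when available, otherwise classify
# the constructed broken sample. "|| true" keeps the captured output when the
# tool exits nonzero, which is exactly the case we want to inspect.
rodc_health_check() {
    if command -v univention-s4search >/dev/null 2>&1 && command -v net >/dev/null 2>&1; then
        host=$(hostname)
        # Assumption: univention-s4search forwards this filter to ldbsearch.
        s4=$(univention-s4search "(sAMAccountName=${host}\$)" 2>&1) || true
        tj=$(net rpc testjoin 2>&1) || true
    else
        echo "UCS tools not found, classifying the constructed sample output" >&2
        s4=$SAMPLE_S4SEARCH_BROKEN
        tj=$SAMPLE_TESTJOIN_BROKEN
    fi
    classify_rodc_output "$s4" "$tj"
}

# The function's status is kept in rc rather than passed to exit so the file
# can also be sourced; a cron wrapper can use "rodc_health_check || alert".
rodc_health_check || rc=$?
```

On a healthy RODC the function prints "ok"; after the failed server-password-change in this bug it prints "broken: kinit-loop ldap-bind rpc-testjoin", which is the signal univention-check-join-status alone does not give.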
*** This bug has been marked as a duplicate of bug 44115 ***