Univention Bugzilla – Bug 41367
sambaPwdLastSet not updated after machine password rotation
Last modified: 2016-09-29 17:31:14 CEST
Running a Samba/NT environment with Samba version 2:4.3.7-1.827.201604141315, we experienced some strange behaviours after some time.

Running a DC Slave as Server role: ROLE_DOMAIN_PDC and memberservers as Server role: ROLE_DOMAIN_MEMBER, when the memberserver has its password rotation every 21 days, it seems to do everything as intended:

run-parts: executing /usr/lib/univention-server/server_password_change.d/univention-samba postchange
machine password stored successfully in secrets.tdb
Setting stored password for "<memberserver dn>" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
Stopping the Winbind daemon: winbind.
Starting the Winbind daemon: winbind.

Looking at the LDAP attributes userPassword and sambaNTPassword, they changed, but sambaPwdLastSet is not set to the time the password was changed!

What now happens is that after the Samba password expiry time in sambaDomainName, attribute sambaMaxPwdAge, the memberservers cannot connect to the PDC again, getting the following possible error messages:

Nagios CRITICAL: wbinfo failed: wbcCheckTrustCredentials(<NT DOMAIN NAME>): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233):failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR:Could not check secret:checking the trust secret for domain <NT DOMAIN NAME> via RPC calls failed

When logging in to a Samba share on the memberserver using smbclient, the following error message comes up:

NT_STATUS_NO_LOGON_SERVERS

Looking at the log.smbd on the PDC, the following error message comes up:

[2016/05/26 15:40:08.687318, 0] ../source3/rpc_server/srv_pipe.c:1197(api_pipe_alter_context)
  Auth step returned an error (NT_STATUS_PASSWORD_EXPIRED)

Long story short: when the server password is changed, the Samba password "last set" value for servers providing Samba shares is not updated.
As soon as "sambaPwdLastSet" (from the memberserver) plus "sambaMaxPwdAge" are in the past, winbind refuses to work. Prior to the update to Samba 4.3 due to the badlock-update, everything worked fine.
To clarify:
> When logging in to a Samba share on the memberserver using smbclient
The access is made with the machine account.
Thanks for reporting this. The regression fixes of Bug 41196 might change the behaviour but I haven't checked that yet.
Stefan just reproduced it with UCS 3.2-8 latest errata (Samba 2:4.3.7).

Take UCS 3.2 with Samba 2:4.1.0 (i.e. without latest errata) and set a very restrictive sambaMaxPwdAge in the sambaDomain object. After that you directly get this for a memberserver:

root@member392:~# smbclient "//$ldap_master/netlogon" -U"$hostname$"%"$(</etc/machine.secret)"
session setup failed: NT_STATUS_PASSWORD_EXPIRED

but wbinfo still works in this situation:

root@master391:~# wbinfo -t
checking the trust secret for domain DEADLOCK39 via RPC calls succeeded

But if you update (master AND member) to latest errata (e.g. 433) you get this:

root@member392:~# wbinfo -t
checking the trust secret for domain DEADLOCK39 via RPC calls failed
wbcCheckTrustCredentials(DEADLOCK39): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

I tested in UCS 4.0-0-e4 (Samba 4.2.3) and it was a bit different: the smbclient still worked but the wbinfo -t gave the same error after shortening the sambaMaxPwdAge.

It might be part of these winbind changes:
* https://www.samba.org/samba/history/samba-4.2.0.html
I think we should change the UDM modules for the computer objects so that the attribute sambaPwdLastSet is set to the current date.
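As an added illustration (not code from this bug, from UDM or from Samba) of the expiry rule behind the NT_STATUS_PASSWORD_EXPIRED seen in the report and of the change proposed in comment #4, the following Python models a machine account as a plain dict standing in for the LDAP entry. Attribute names follow the Samba 3 schema (sambaPwdLastSet is a Unix epoch in seconds, sambaMaxPwdAge an age in seconds); the hash values, DN, NOW constant and 30-day maximum age are constructed sample data, and the treatment of a missing or non-positive sambaMaxPwdAge as "never expires" is an assumption of this example. It shows why a rotation that rewrites sambaNTPassword but leaves sambaPwdLastSet alone is rejected once the old timestamp plus the maximum age has passed, and that writing the timestamp together with the hash restarts the clock.

```python
"""Added example (not UDM or Samba code): model of the sambaPwdLastSet /
sambaMaxPwdAge check behind NT_STATUS_PASSWORD_EXPIRED, plus the rotation
behaviour the fix needs.  Entries are dicts constructed inline to stand in
for LDAP results; attribute names follow the Samba 3 schema."""
import time

DAY = 86400


def is_password_expired(entry, domain, now=None):
    """True if entry's password is older than the domain's sambaMaxPwdAge.

    Both attributes are integer seconds (sambaPwdLastSet is a Unix epoch).
    Assumption for this example: a missing or non-positive sambaMaxPwdAge
    means passwords never expire.
    """
    now = int(time.time()) if now is None else int(now)
    max_age = int(domain.get("sambaMaxPwdAge", -1))
    if max_age <= 0:
        return False
    last_set = int(entry.get("sambaPwdLastSet", 0))
    return last_set + max_age < now


def rotate_password_buggy(entry, new_nt_hash):
    """The behaviour reported in this bug: the hash is replaced but the
    'last set' timestamp is left untouched."""
    entry["sambaNTPassword"] = new_nt_hash
    return entry


def rotate_password_fixed(entry, new_nt_hash, now=None):
    """What comment #4 asks for: set sambaPwdLastSet to the current time in
    the same modification as the new hash, so the max-age clock restarts."""
    now = int(time.time()) if now is None else int(now)
    entry["sambaNTPassword"] = new_nt_hash
    entry["sambaPwdLastSet"] = str(now)
    return entry


def find_stale_machine_accounts(entries, domain, now=None):
    """Audit helper: DNs of machine accounts a DC would already reject."""
    return [e["dn"] for e in entries if is_password_expired(e, domain, now)]


# Constructed sample data: a domain with a 30-day maximum password age and a
# memberserver that joined 35 days ago.  Its 21-day rotation ran 14 days ago,
# i.e. at a point where the password was still well within the maximum age.
NOW = 1464264000            # 2016-05-26, roughly when the bug was reported
ROTATION = NOW - 14 * DAY   # when server_password_change ran
DOMAIN = {"sambaDomainName": "EXAMPLE", "sambaMaxPwdAge": str(30 * DAY)}
MEMBER = {
    "dn": "cn=member,cn=memberserver,cn=computers,dc=example,dc=com",
    "sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF",  # placeholder hash
    "sambaPwdLastSet": str(NOW - 35 * DAY),                 # set at join time
}
NEW_HASH = "FEDCBA9876543210FEDCBA9876543210"  # placeholder rotated hash


def demo():
    """Replay the report. Returns (expired_at_rotation, expired_now_buggy,
    expired_now_fixed): the password was fine when it was rotated, the
    buggy rotation still gets NT_STATUS_PASSWORD_EXPIRED 14 days later,
    the fixed rotation does not."""
    at_rotation = is_password_expired(MEMBER, DOMAIN, ROTATION)
    buggy = rotate_password_buggy(dict(MEMBER), NEW_HASH)
    fixed = rotate_password_fixed(dict(MEMBER), NEW_HASH, ROTATION)
    return (at_rotation,
            is_password_expired(buggy, DOMAIN, NOW),
            is_password_expired(fixed, DOMAIN, NOW))


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The audit helper is the check worth running after a server_password_change: any DN it returns will fail wbinfo -t and smbclient with the machine account even though its hash is fresh.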
(In reply to Stefan Gohmann from comment #4)
> I think we should change the UDM modules for the computer objects so that
> the attribute sambaPwdLastSet is set to the current date.

done: r70053
YAML: r70054

Manual tests were successful, waiting for Jenkins:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/AutotestJoin/44/
(In reply to Stefan Gohmann from comment #5)
> Manual tests were successful, waiting for Jenkins:
> http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/AutotestJoin/44/

Tests were successful.
* Code review: Ok
* Update via /usr/lib/univention-server/server_password_change - Ok
* Initial join of Memberserver: Ok
* Advisory: Ok
<http://errata.software-univention.de/ucs/4.1/199.html>