I have a Samba 4.6.2 Active Directory member server. Every month or so, all clients lose the ability to connect to all the shares. I can work around the issue by leaving the domain, deleting the machine account, and re-joining the domain, but it is obviously wrong that I have to do this every few weeks. I thought that it was a machine account password expiration issue, but running adcli update does not help. I tried changing the Group Policy for machine password expiration, but that did not help either.
- Centos 7.4.1708
- Samba 4.6.2
- sssd-krb5-1.15.2
- SSSD 1.15.2-50
- realmd-0.16.1-9
The error message on the client side is
"\\cheetoes is not accessible. You might not have permissions to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Login Failure: The target account name is incorrect"
On the server side, at startup, log.smbd contains:
[2018/05/09 12:03:41.622878, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
kerberos_kinit_password [email protected] failed: Preauthentication failed
[2018/05/09 12:03:41.622923, 1] ../source3/libads/sasl.c:821(ads_sasl_spnego_bind)
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/true-companion.hymesruzicka.org with user[CHEETOES$] realm=[HYMESRUZICKA.ORG]: Preauthentication failed
And the per-client log shows:
[2018/05/09 12:06:58.259646, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/[email protected] not found in keytab (ticket kvno 3)]
[2018/05/09 12:06:59.099902, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/[email protected] not found in keytab (ticket kvno 3)]
Immediately after I rejoin, I do not get the client failures, nor the "Preauthentication failed" error in the log.smbd. I'm particularly puzzled why rejoining works, but only for a while.
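As an added example (not part of the question or the answer below): a small Python checker that reads the kind of log.smbd lines quoted above together with a klist -k listing of the server's keytab, and reports service principals for which the KDC issued a ticket under a key version (kvno) that the keytab does not hold. The log excerpt and keytab listing embedded in the script are constructed samples modelled on the question; the full principal names are assumptions, since the question's copy of the logs is redacted.

```python
"""Detect the keytab/kvno mismatch behind smbd 'not found in keytab' errors.

Added example, not code from the question or answer. It parses smbd log lines
of the shape quoted in the question plus a `klist -k` listing, and reports
principals whose ticket kvno is absent from the keytab.
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the question's log.smbd excerpt.
# The principal names are assumptions (the question's copy has them redacted).
SAMPLE_SMBD_LOG = """\
[2018/05/09 12:03:41.622878, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password CHEETOES$@HYMESRUZICKA.ORG failed: Preauthentication failed
[2018/05/09 12:06:58.259646, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/cheetoes.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]
[2018/05/09 12:06:59.099902, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/cheetoes.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]
"""

# Constructed `klist -k` output for a keytab that still holds only kvno 2.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/cheetoes.hymesruzicka.org@HYMESRUZICKA.ORG
   2 host/cheetoes.hymesruzicka.org@HYMESRUZICKA.ORG
   2 CHEETOES$@HYMESRUZICKA.ORG
"""

TICKET_RE = re.compile(r"Request ticket server (\S+) not found in keytab \(ticket kvno (\d+)\)")
KINIT_RE = re.compile(r"kerberos_kinit_password (\S+) failed: ([^\n]+)")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_ticket_kvnos(log_text):
    """Map each principal named in a 'not found in keytab' error to the kvno set the KDC used."""
    seen = defaultdict(set)
    for m in TICKET_RE.finditer(log_text):
        seen[m.group(1)].add(int(m.group(2)))
    return dict(seen)


def parse_kinit_failures(log_text):
    """Return (principal, reason) pairs for failed machine-account kinit attempts."""
    return [(m.group(1), m.group(2).strip()) for m in KINIT_RE.finditer(log_text)]


def parse_keytab_listing(klist_text):
    """Map each principal in `klist -k` output to the set of key versions the keytab holds."""
    keytab = defaultdict(set)
    for line in klist_text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keytab[m.group(2)].add(int(m.group(1)))
    return dict(keytab)


def find_kvno_mismatches(log_text, klist_text):
    """List (principal, ticket_kvno, keytab_kvnos) where the KDC's kvno is absent from the keytab.

    A ticket kvno higher than every kvno in the keytab is consistent with the
    account's key having been rotated in AD without the server's keytab being
    refreshed; rewriting the keytab (as a re-join does) clears that state.
    """
    keytab = parse_keytab_listing(klist_text)
    mismatches = []
    for principal, kvnos in sorted(parse_ticket_kvnos(log_text).items()):
        held = keytab.get(principal, set())
        for kvno in sorted(kvnos):
            if kvno not in held:
                mismatches.append((principal, kvno, sorted(held)))
    return mismatches


def diagnose(log_text, klist_text):
    """Human-readable summary lines: one per kinit failure, one per kvno mismatch."""
    lines = []
    for principal, reason in parse_kinit_failures(log_text):
        lines.append(f"machine account {principal}: kinit failed ({reason})")
    for principal, kvno, held in find_kvno_mismatches(log_text, klist_text):
        lines.append(f"{principal}: KDC issued kvno {kvno}, keytab holds {held or 'nothing'}")
    return lines


if __name__ == "__main__":
    for line in diagnose(SAMPLE_SMBD_LOG, SAMPLE_KEYTAB_LISTING):
        print(line)
```

To run it against a live server, feed the script the real log.smbd text and the output of klist -k on the member server; a reported mismatch tells you the keytab is stale relative to what the domain controller now issues, which is a cheaper thing to fix (or to alert on) than waiting for every client to fail.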
CentOS 7 builds of Samba are very broken in an Active Directory context. The CentOS build of Samba 4.8.3 results in adcli dumping core when the 'update' subcommand is attempted. adcli also fails to join or leave the domain correctly, and wrecks /etc/samba/smb.conf, as well as the sssd and pam configs. And it's not just adcli. realmd, winbind, and smbd itself do not work correctly with Windows Active Directory servers, leaving some clients (such as iOS devices) unable to connect. The only workaround I found is to build a "stock" samba stack, and adcli+realmd from the latest release sources, and use that over the CentOS samba stack. You must also disable updates for all samba components in /etc/yum.conf, otherwise your local samba installation will be broken by the CentOS one. Your yum.conf file needs at least:

Note that it's not practical to uninstall CentOS's samba, because many other packages depend upon it.