Problem:
Share access and the AD connector no longer work.
AD member mode (UCS is a member of a Microsoft AD domain).
Investigation:
After more than one failed server password change, the machine.secret could no longer be rotated in AD:
root@ucs:~# wbinfo -t
checking the trust secret for domain SCHEIN via RPC calls failed
wbcCheckTrustCredentials(SCHEIN): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
Solution:
Try to find the password that still works in
/etc/machine.secret.old
and test each candidate with
kinit <hostname>$
(please replace <hostname> with the hostname of the system)
If you find the working password, you can set the current machine.secret as the new password with
kpasswd <hostname>$
(please replace <hostname> with the hostname of the system)
When asked for the current password, type the old, still working machine.secret, then set the new machine.secret (the value shown by cat /etc/machine.secret;echo).
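The search described above can be automated. The following script is an added example (not part of this article or of the univention-server package): it reads /etc/machine.secret.old, tries every historic password against the KDC with kinit, and reports which one is still accepted so it can be used as the old password for kpasswd. Assumptions: UCS ships the Heimdal kinit, which accepts --password-file; machine.secret.old is appended chronologically with one password per line, optionally prefixed by a timestamp and ": " (both forms are tried); the principal is the short hostname plus "$". The password is handed to kinit through a 0600 file rather than argv, and a throw-away KRB5CCNAME keeps the caller's credential cache untouched.

```python
#!/usr/bin/python3
"""Find the historic machine password that the AD KDC still accepts.

Added example for the UCS knowledge-base article; not Univention code.
Assumptions are marked in the comments below.
"""
import os
import socket
import subprocess
import tempfile
from typing import Callable, Iterable, List, Optional

OLD_SECRETS = '/etc/machine.secret.old'


def candidate_secrets(text: str) -> List[str]:
    """Return the distinct passwords to try, newest first.

    Assumption: the file is appended chronologically, so the last line is
    the most recent.  For a 'timestamp: password' line the text after the
    last ': ' is tried first and the whole line as a fallback; a bare line
    is tried as it is.
    """
    seen = set()
    out = []
    for line in reversed(text.splitlines()):
        line = line.strip()
        if not line:
            continue
        forms = []
        if ': ' in line:
            forms.append(line.rsplit(': ', 1)[1])
        forms.append(line)
        for pw in forms:
            if pw and pw not in seen:
                seen.add(pw)
                out.append(pw)
    return out


def kinit_probe(principal: str, password: str) -> bool:
    """Return True if kinit obtains a TGT for principal with this password.

    Assumption: Heimdal kinit (as shipped by UCS) with --password-file.
    The password never appears on the command line, and the ticket goes
    into a temporary cache instead of the caller's own KRB5CCNAME.
    """
    with tempfile.TemporaryDirectory() as tmp:
        pwfile = os.path.join(tmp, 'pw')
        fd = os.open(pwfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, 'w') as fh:
            fh.write(password)
        env = dict(os.environ, KRB5CCNAME='FILE:' + os.path.join(tmp, 'cc'))
        result = subprocess.run(
            ['kinit', '--no-addresses', '--password-file=' + pwfile, principal],
            env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0


def find_working_secret(principal: str, candidates: Iterable[str],
                        probe: Callable[[str, str], bool] = kinit_probe) -> Optional[str]:
    """Return the first candidate the KDC accepts, or None if none works."""
    for pw in candidates:
        if probe(principal, pw):
            return pw
    return None


def main() -> None:
    # Assumption: the machine principal is the short hostname followed by '$'.
    principal = socket.gethostname().split('.')[0] + '$'
    with open(OLD_SECRETS) as fh:
        candidates = candidate_secrets(fh.read())
    found = find_working_secret(principal, candidates)
    if found is None:
        print('none of %d historic passwords is accepted for %s' % (len(candidates), principal))
        raise SystemExit(1)
    # Report the position only; the secret itself stays in the file.
    print('candidate #%d (counted from the newest line) is still accepted for %s; '
          'use it as the old password for kpasswd' % (candidates.index(found) + 1, principal))


if __name__ == '__main__':
    main()
```

Run it as root on the affected UCS system; the probe function is separate from the search so the parsing logic can be exercised without a KDC.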
If this is not enough, it is also possible to set the machine.secret in AD with a PowerShell
command like the following.
Make sure to use the right DN
of the UCS primary DC as it is located in AD, and the new machine.secret:
Set-ADAccountPassword 'CN=ucs-primary,OU=Computers,OU=MyBusiness,DC=schein,DC=ig' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "gRF66Qrp52ZevRVdUz92" -Force)
A patch is available. After applying it, you can simply redo a manual server password change (see "Manually trigger server password change"):
--- /usr/lib/univention-server/server_password_change.d//univention-samba.orig 2022-10-12 16:38:08.204940850 +0200
+++ /usr/lib/univention-server/server_password_change.d/univention-samba 2022-10-12 16:41:07.767023180 +0200
@@ -95,9 +95,13 @@
# change password on ad in member mode
if samba_role == 'memberserver' and univention.lib.admember.is_localhost_in_admember_mode(ucr=ucr):
- cmd = ['/usr/bin/net', 'ads', 'password', '-P']
- cmd.append('%s$' % ucr.get('hostname', '').upper())
- cmd.append(machine_password)
+ #cmd = ['/usr/bin/net', 'ads', 'password', '-P']
+ #cmd.append('%s$' % ucr.get('hostname', '').upper())
+ #cmd.append(machine_password)
+ cmd = ['/usr/bin/samba-tool', 'user', 'password']
+ cmd.append('--newpassword=%s' % (machine_password))
+ cmd.append('-U=%s$' % ucr.get('hostname', '').upper())
+ cmd.append('-P')
process = subprocess.Popen(cmd)
process.wait()
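Review bot: the new argument '-U=%s$' is built with optparse-style short-option syntax, where everything after '-U' in the same token is taken as the value, so the username is likely passed as '=HOSTNAME$'; either use '--username=%s$' or append '-U' and the value as two separate list entries. Since '-P' is also given, check whether the machine-account credentials loaded by '-P' override '-U' at all, otherwise the '-U' entry is dead. The three commented-out lines for the old 'net ads password' call should be deleted rather than left in place. As before, the new password travels on the command line via '--newpassword=%s', which is readable by every local user through the process list for the lifetime of the call; and the unchanged 'process.wait()' below still discards the return code, so a failed samba-tool call would not be noticed by the script.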
You may want to deactivate the server password change until Bug 54390 is fixed: