Samba 4 service disabled

Hello everyone,

During the night we had an outage of the Samba 4 service. The service had simply stopped. No client could log on anymore. A reboot fixed the problem. However, I am wondering what caused all this.

In the Admin Diary I also found the following:

Admin Diary: SERVER_PASSWORD_CHANGED

Maschinenpasswort von “username” erfolgreich geändert

*username = logged-in admin.

But nobody was logged in at that time.

Thanks and regards

English:
We had a failure of the Samba 4 service during the night. The service was simply stopped. No client could log on anymore. A reboot fixed the problem. But I wonder what caused this.
Any ideas?

In the Admin Diary I found this:

Admin Diary: SERVER_PASSWORD_CHANGED

It was at night, but no one was there at that time.

Hi

The server password being changed can be the automatic renewal of the machine password, which is normal and expected.

This doesn’t answer as to why Samba was stopped. It could be that the password renewal went south during the process and Samba couldn’t access critical information from the OpenLDAP (using the S4 connector).

Thanks for your reply.

How can I make sure this does not happen anymore?

Hi

IMO you’d have to check the various logs (i.e. in /var/log/univention) as well as the Samba logs. It might have been a one-time hiccup, but really digging down into that issue could take some time.

How often machine.secret is updated is set based on a variable stored in UCR. You can find more about it in the Manual: https://docs.software-univention.de/manual-4.4.html#computers::hostaccounts

You can check if you are on the default of 21 days. Either wait those 21 days or lower the value to force an earlier renewal, to see if it was only a one-time issue or if it is reproducible. If it re-occurs, don’t reboot the machine directly the next time, if you can afford the downtime.

Thanks.

Yes the interval is set to the default value of 21 days.

But there is also a UCR called samba/machine_password_timeout.
If I understood this right, with value 0 I could deactivate the rotation on the machine?

Honestly I wouldn’t disable the automatic rotation of those passwords.

I’m more of the opinion that it’s actually good to rotate passwords of machines / service accounts if it can be automated. Even MS has come up with managed service accounts in AD.
