AD Authentication Failure after Reverting to Previous Snapshot

A working Samba/Winbind configuration that lets users log in to a Linux virtual machine with their Active Directory credentials may stop working after a few weeks. Like every domain member, the Linux machine periodically changes its machine account password in AD and stores the new value locally (in Samba's secrets.tdb). If the virtual machine is reverted to a snapshot taken before the last change, the locally stored machine password no longer matches the one the domain controllers hold, and the DCs refuse to authenticate the computer.

Symptoms

When a user attempts to log on with AD credentials, authentication fails and winbindd records the following in /var/log/messages. The tell-tale detail is that the principal that fails Kerberos preauthentication is the machine account (FOOCOMP$@DOMAIN.LOCAL), not the user's; a user typing a wrong password produces a similar "Preauthentication failed" message for the user principal instead. On the Linux side, wbinfo -t (which checks the trust secret) and net ads testjoin fail as well.

Jun 30 09:54:05 foocomp winbindd[1198]: [2011/06/30 09:54:05.042008, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
Jun 30 09:54:05 foocomp winbindd[1198]: Kinit failed: Preauthentication failed
Jun 30 09:54:05 foocomp winbindd[1198]: [2011/06/30 09:54:05.156468, 0] libads/kerberos.c:333(ads_kinit_password)
Jun 30 09:54:05 foocomp winbindd[1198]: kerberos_kinit_password FOOCOMP$@DOMAIN.LOCAL failed: Preauthentication failed

Solution

  1. Delete the computer object of the Linux machine in Active Directory Users and Computers (dsa.msc) on a domain controller; the join in step 2 recreates it.
  2. Re-join the Linux computer to AD by running the following command on the Linux computer:
    net join -U <AD admin username>
  3. Disable periodic machine password changes* by running the following command on the Linux computer:
    pdbedit --account-policy="refuse machine password change" --value=1
  4. Restart the winbind daemon (the service is called winbind or winbindd depending on the distribution).

* At the time of writing Samba ignores this setting (Samba Bug 4666). Note also that pdbedit account policies govern Samba's own password database, i.e. Samba acting as a domain controller; on an AD member the interval at which winbindd changes the machine password is controlled by the smb.conf parameter "machine password timeout" (default 604800 seconds, one week), and setting it to 0 disables the change. Whichever way the change is disabled, the machine password then never rotates; the alternative is to keep the default and re-join (or reset the computer account) after every revert.
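The symptom check from above and the re-join steps combined in one script, as an added example that is not part of the original post and not Samba's own tooling. It assumes syslog writes to /var/log/messages, that smb.conf has security = ads (so the explicit "net ads join" is equivalent to the post's "net join"), and that the winbind service is named winbind or winbindd; the script name ad-rejoin.sh is arbitrary. The log lines used by its self-test are constructed from the ones quoted above, plus one line for an ordinary user with a wrong password, which must not be flagged.

```shell
#!/bin/sh
# ad-rejoin.sh: detect a machine-password mismatch in the winbindd log and,
# on request, perform the re-join. Added example; assumptions: syslog in
# /var/log/messages, security = ads in smb.conf, service winbind/winbindd.

LOGFILE="${LOGFILE:-/var/log/messages}"

# Exit 0 when winbindd reports a Kerberos preauthentication failure for a
# *machine* account (NAME$@REALM). A wrong user password yields the same
# "Preauthentication failed" text for user@REALM (no "$"), so the pattern
# deliberately requires "$@" in the principal.
detect_machine_password_mismatch() {
    grep -E 'winbindd\[[0-9]+\]: +kerberos_kinit_password [^ ]+[$]@[^ ]+ failed: Preauthentication failed' \
        "$1" >/dev/null 2>&1
}

# Print each affected machine principal once, e.g. FOOCOMP$@DOMAIN.LOCAL
affected_accounts() {
    sed -n 's/.*kerberos_kinit_password \([^ ]*[$]@[^ ]*\) failed: Preauthentication failed.*/\1/p' "$1" \
        | sort -u
}

# Constructed sample log (the post's lines plus one user-password failure)
# so the detection can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 30 09:54:05 foocomp winbindd[1198]: [2011/06/30 09:54:05.042008, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
Jun 30 09:54:05 foocomp winbindd[1198]: Kinit failed: Preauthentication failed
Jun 30 09:54:05 foocomp winbindd[1198]: [2011/06/30 09:54:05.156468, 0] libads/kerberos.c:333(ads_kinit_password)
Jun 30 09:54:05 foocomp winbindd[1198]: kerberos_kinit_password FOOCOMP$@DOMAIN.LOCAL failed: Preauthentication failed
Jun 30 09:55:12 foocomp winbindd[1198]: kerberos_kinit_password alice@DOMAIN.LOCAL failed: Preauthentication failed
EOF
}

# Steps 2 and 4 of the Solution, followed by a verification. Step 1 (deleting
# or resetting the computer object on the DC) must already be done. Run as root.
rejoin_ad() {
    admin="${1:?usage: rejoin_ad <AD admin username>}"
    net ads join -U "$admin" || return 1
    systemctl restart winbind 2>/dev/null || systemctl restart winbindd 2>/dev/null \
        || service winbind restart || return 1
    # Both succeed only once secrets.tdb and the DCs agree on the machine password.
    net ads testjoin && wbinfo -t
}

case "${1:-}" in
    check)
        if detect_machine_password_mismatch "$LOGFILE"; then
            echo "machine password mismatch for: $(affected_accounts "$LOGFILE")"
            exit 2
        fi
        echo "no machine-account preauthentication failures in $LOGFILE"
        ;;
    demo)
        tmp=$(mktemp)
        write_sample_log "$tmp"
        detect_machine_password_mismatch "$tmp" && affected_accounts "$tmp"
        rm -f "$tmp"
        ;;
    rejoin)
        rejoin_ad "$2"
        ;;
esac
```

"sh ad-rejoin.sh check" scans the live log and exits 2 with the affected principal when the mismatch is present; "demo" runs the same detection over the constructed sample; "rejoin <admin>" performs the re-join and restart and then verifies the trust with net ads testjoin and wbinfo -t.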

Additional notes

Windows-based virtual machines joined to AD behave the same way when reverted to earlier snapshots. How to disable periodic machine password changes on Windows computers is described in KB175468.
