AD Authentication Failure after Reverting to Previous Snapshot

A working configuration of Samba and Winbind that lets users log in to a Linux virtual machine with their Active Directory credentials may stop working after a few weeks. If the virtual machine was reverted to a previous snapshot between two machine password changes in AD, the domain controllers will refuse to authenticate the computer because the machine password it presents no longer matches the one stored in AD.

Symptoms

When a user attempts to log on using AD credentials, the authentication fails, and the following events are recorded in /var/log/messages:

Jun 30 09:54:05 foocomp winbindd[1198]: [2011/06/30 09:54:05.042008, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
Jun 30 09:54:05 foocomp winbindd[1198]: Kinit failed: Preauthentication failed
Jun 30 09:54:05 foocomp winbindd[1198]: [2011/06/30 09:54:05.156468, 0] libads/kerberos.c:333(ads_kinit_password)
Jun 30 09:54:05 foocomp winbindd[1198]: kerberos_kinit_password FOOCOMP$@DOMAIN.LOCAL failed: Preauthentication failed
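The log excerpt above is the signature to watch for: it is the machine account (the principal ending in "$") that fails Kerberos pre-authentication, not an individual user. The following script, added here as an example and not part of the original post, pulls exactly that pattern out of /var/log/messages so an admin can tell a machine-password mismatch apart from users simply mistyping their passwords. The sample log lines, the host name foocomp and the realm DOMAIN.LOCAL are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): detect the winbindd log pattern
# that shows the machine account itself can no longer obtain a Kerberos TGT.
# The sample log below is constructed to mirror the post's excerpt; "foocomp",
# "alice", "bob" and "DOMAIN.LOCAL" are placeholders.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 30 09:54:05 foocomp winbindd[1198]: [2011/06/30 09:54:05.042008, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
Jun 30 09:54:05 foocomp winbindd[1198]: Kinit failed: Preauthentication failed
Jun 30 09:54:05 foocomp winbindd[1198]: [2011/06/30 09:54:05.156468, 0] libads/kerberos.c:333(ads_kinit_password)
Jun 30 09:54:05 foocomp winbindd[1198]: kerberos_kinit_password FOOCOMP$@DOMAIN.LOCAL failed: Preauthentication failed
Jun 30 10:02:11 foocomp winbindd[1198]: kerberos_kinit_password alice@DOMAIN.LOCAL failed: Preauthentication failed
Jun 30 10:05:40 foocomp sshd[2200]: Accepted password for bob from 10.0.0.5 port 50122 ssh2
EOF

# Print "<count> <principal>" for every machine-account principal (name ending
# in "$") that winbindd could not get a TGT for because pre-authentication
# failed. User principals such as alice@... are deliberately left out.
machine_preauth_failures() {
    grep 'winbindd\[[0-9]*\]: kerberos_kinit_password .*\$@.* failed: Preauthentication failed' "$1" \
        | sed -n 's/.*kerberos_kinit_password \([^ ]*\$@[^ ]*\) failed.*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Total number of such failures in the log (0 when there are none).
count_machine_preauth_failures() {
    machine_preauth_failures "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Exit status 0 when at least one machine-account failure is present.
machine_account_broken() {
    [ -n "$(machine_preauth_failures "$1")" ]
}

if machine_account_broken "$SAMPLE_LOG"; then
    echo "machine account(s) failing Kerberos pre-authentication (count principal):"
    machine_preauth_failures "$SAMPLE_LOG"
    echo "likely cause: machine password out of sync with AD (e.g. snapshot revert); re-join required"
else
    echo "no machine-account pre-authentication failures found"
fi
```

Point it at the real file with `machine_account_broken /var/log/messages` (or run it from a cron job) and the machine-password mismatch shows up before users start reporting failed logins. On the sample data the only principal reported is FOOCOMP$@DOMAIN.LOCAL; the alice@ line is a user failure and is not counted.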

Solution

  1. Temporarily remove the Linux computer from Active Directory by running dsa.msc (the Active Directory Users and Computers MMC snap-in) on an AD controller.
  2. Re-join the Linux computer to AD by running the following command on the Linux computer:
    net join -U <AD admin username>
  3. Disable periodic machine password changes* by running the following command on the Linux computer:
    pdbedit --account-policy="refuse machine password change" --value=1
  4. Restart the winbind daemon.

* At the time of writing, Samba ignores this setting (Bug 4666).
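Steps 2 to 4 above, as a script with a join check before and after. This is an added example, not a script from the original post: it assumes the Samba `net` and `pdbedit` tools are installed and that winbind runs as a systemd unit named `winbind` (use `service winbind restart` on older systems). Step 1, deleting the computer object, is still done on the domain controller. The AD admin user name comes from the AD_ADMIN_USER environment variable and defaults to the placeholder "Administrator"; nothing is changed unless the script is invoked with --apply.

```shell
#!/bin/sh
# Added example (not the post's own script): steps 2-4 of the fix, wrapped in
# a "net ads testjoin" check so the re-join only happens when the machine
# account really is broken. Assumes Samba's net/pdbedit tools and a systemd
# "winbind" unit. Without --apply it only prints what it would run.
set -u

ADMIN_USER="${AD_ADMIN_USER:-Administrator}"   # placeholder; override via environment

# "net ads testjoin" prints "Join is OK" when the DC still accepts the machine
# password stored in secrets.tdb; anything else means the join is not valid.
join_ok_from_output() {
    case "$1" in
        *"Join is OK"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# The commands for steps 2-4, in order; shown in dry-run mode, executed by --apply.
plan() {
    cat <<EOF
net join -U $ADMIN_USER
pdbedit --account-policy="refuse machine password change" --value=1
systemctl restart winbind
EOF
}

rejoin() {
    out=$(net ads testjoin 2>&1) || true
    if join_ok_from_output "$out"; then
        echo "join is still valid; nothing to do"
        return 0
    fi
    echo "join is not valid ($out); re-joining as $ADMIN_USER"
    net join -U "$ADMIN_USER" || return 1                                 # step 2
    pdbedit --account-policy="refuse machine password change" --value=1 # step 3
    systemctl restart winbind                                            # step 4
    out=$(net ads testjoin 2>&1) || true
    join_ok_from_output "$out" && echo "re-join verified: $out"
}

case "${1:-}" in
    --apply) rejoin ;;
    *)       echo "dry run; commands that --apply would run:"; plan ;;
esac
```

Running the script without arguments lists the commands; `AD_ADMIN_USER=someadmin ./rejoin.sh --apply` performs the re-join only when `net ads testjoin` reports the join as invalid, and confirms it afterwards. Step 3 is included because the post lists it; as the comment below points out, refusing machine password changes weakens the account, so drop that line from `plan` and `rejoin` if you only need the one-off re-join.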

Additional notes

Windows-based virtual machines joined to AD exhibit similar behaviour when reverted to a previous snapshot. How to disable periodic machine password changes on Windows computers is described in KB175468.

6 thoughts on “AD Authentication Failure after Reverting to Previous Snapshot”

  1. Thanks a lot

    It resolved our issue that we had been looking into for 3 days 🙂

  2. 2 Points:
    Refusing machine password changes is a security regression. You should at least switch that back after deleting the snapshot.
    *UNTESTED* Winbind probably stores its data in /var/lib/samba (depends on your distro). If you preserve the contents of this directory, the domain membership should survive the snapshot revert. When doing snapshots with a snapshot-capable filesystem (i.e. btrfs), you could even exclude this directory from snapshots. *UNTESTED*
    Maybe someone can run a test?
