A working Samba and Winbind configuration that lets users log in to a Linux virtual computer with their Active Directory credentials might stop working after a few weeks. If the virtual computer was reverted to a previous snapshot between machine password changes in AD, the AD controllers will not let the computer authenticate again because of the machine password mismatch.
When a user attempts to log on using AD credentials, the authentication fails, and the following events are recorded in /var/log/messages:
Jun 30 09:54:05 foocomp winbindd: [2011/06/30 09:54:05.042008, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
Jun 30 09:54:05 foocomp winbindd: Kinit failed: Preauthentication failed
Jun 30 09:54:05 foocomp winbindd: [2011/06/30 09:54:05.156468, 0] libads/kerberos.c:333(ads_kinit_password)
Jun 30 09:54:05 foocomp winbindd: kerberos_kinit_password FOOCOMP$@DOMAIN.LOCAL failed: Preauthentication failed
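One way to spot this condition in a log, as an added example that is not part of the original article: the shell functions below count "Preauthentication failed" errors for computer accounts only (principals ending in $). The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag machine-account Kerberos pre-authentication failures
# logged by winbindd. Function names are hypothetical, not part of Samba.

# Constructed sample input, modelled on the winbindd messages quoted above.
sample_log() {
cat <<'EOF'
Jun 30 09:54:05 foocomp winbindd: Kinit failed: Preauthentication failed
Jun 30 09:54:05 foocomp winbindd: kerberos_kinit_password FOOCOMP$@DOMAIN.LOCAL failed: Preauthentication failed
Jun 30 09:55:11 foocomp winbindd: kerberos_kinit_password FOOCOMP$@DOMAIN.LOCAL failed: Preauthentication failed
Jun 30 09:56:40 foocomp winbindd: kerberos_kinit_password alice@DOMAIN.LOCAL failed: Preauthentication failed
Jun 30 09:57:02 foocomp winbindd: kerberos_kinit_password FOOCOMP$@DOMAIN.LOCAL failed: Clock skew too great
EOF
}

# Reads syslog text on stdin and prints "<count> <principal>" for each
# computer account whose kinit failed pre-authentication.
# User principals are skipped: a mistyped user password produces the same
# Kerberos error and says nothing about the machine secret.
machine_preauth_failures() {
    sed -n 's/.*winbindd.*kerberos_kinit_password \([^ ]*\$@[^ ]*\) failed: Preauthentication failed.*/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# Exit status 0 when stdin contains at least one such failure, 1 otherwise.
machine_secret_suspect() {
    [ -n "$(machine_preauth_failures)" ]
}

# Stand-alone run: scan the file given as $1, or the constructed sample.
if [ "$#" -gt 0 ]; then
    machine_preauth_failures < "$1"
else
    sample_log | machine_preauth_failures
fi
```

A repeated failure for the same computer account shortly after a snapshot revert points at the machine password mismatch described here rather than at a user typing a wrong password.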
To restore authentication:
- Remove the Linux computer from Active Directory temporarily by running dsa.msc (Active Directory Users and Computers MMC snap-in) on an AD controller.
- Re-join the Linux computer back to AD by running the following command on the Linux computer:
net join -U <AD admin username>
- Disable periodic machine password changes* by running the following command on the Linux computer:
pdbedit --account-policy="refuse machine password change" --value=1
- Restart the winbind daemon.
* At the time of writing Samba ignores this setting (Bug 4666).
Windows-based virtual computers joined to AD exhibit similar behaviour when reverted to previous snapshots. How to disable periodic machine password changes for Windows computers is described in KB175468.