Problem: After configuring stock Samba with Centrify Adbindproxy, the CentrifyDC agent goes into a disconnected state every seven days. Looking at the adinfo_support.txt collected by running adinfo -t, the machine password appears to be out of sync:
Computer Account Diagnostics
Joined as: filesvr01.acme.net
Cannot bind to the domain controller for a domain.
Computer account password has been changed.
Please correct the cause of this problem, then reset the Computer account in Active Directory.
Cause: In the Centrify debug logs (/var/log/centrifydc.log), it appears that winbindd changed the machine password:
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.054615, 0] ../source3/libsmb/trusts_util.c:380(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Verifying passwords remotely netlogon_creds_cli:CLI[FILESVR01/FILESVR01$]/SRV[DC2/ACME].
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.056693, 0] ../source3/libsmb/trusts_util.c:452(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Verified old password remotely using netlogon_creds_cli:CLI[FILESVR01/FILESVR01$]/SRV[DC2/ACME]
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.056791, 0] ../source3/libsmb/trusts_util.c:491(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Changed password locally
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.145768, 0] ../source3/libsmb/trusts_util.c:545(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Changed password remotely using netlogon_creds_cli:CLI[FILESVR01/FILESVR01$]/SRV[DC2/ACME]
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.151860, 0] ../source3/libsmb/trusts_util.c:564(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Finished password change.
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.153331, 0] ../source3/libsmb/trusts_util.c:617(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Verified new password remotely using netlogon_creds_cli:CLI[FILESVR01/FILESVR01$]/SRV[DC2/ACME]
Right after this, the machine will no longer be able to communicate with Active Directory because the machine password is now out of sync between the CentrifyDC agent and Active Directory, thus putting the CentrifyDC agent into a disconnected state.
When using Adbindproxy with stock Samba, Centrify adds some settings to the [global] section of /etc/samba/smb.conf. One of those settings is:
machine password timeout = 0
which tells Samba not to reset the machine password. If that setting is not present in smb.conf, the default is 604,800 seconds (one week, or seven days), and it is the winbindd component that performs that machine password reset.
In this instance, that setting was missing from the /etc/samba/smb.conf file for an unknown reason.
Resolution: In the /etc/samba/smb.conf file, add the setting below, or if it already exists, verify that it is set to '0'.
machine password timeout = 0
After making any changes to the smb.conf file, the smbd process will need to be restarted. For example, if using Centrify Adbindproxy with stock Samba on a RHEL 7.x box, the command below can be used.
systemctl restart centrifydc-samba
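As an added example (not part of this article or of Centrify's own tooling), the POSIX shell check below reports the effective machine password timeout for an smb.conf and warns when winbindd would rotate the machine password; the sample configs inside it are constructed, and the 604,800-second default is the one the article describes.

```shell
# Added example, not from the Centrify KB article: report the effective
# "machine password timeout" in the [global] section of an smb.conf and flag
# configs where winbindd would rotate the machine password. Assumption: the
# Samba default of 604800 s (7 days) applies when the parameter is absent.
SAMBA_DEFAULT_TIMEOUT=604800

# Print the effective timeout (seconds) for the smb.conf given as $1. Only
# [global] is consulted; Samba ignores case/whitespace in parameter names.
effective_machine_pw_timeout() {
    awk -v def="$SAMBA_DEFAULT_TIMEOUT" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        in_global && index($0, "=") {
            key = $0; sub(/=.*$/, "", key); gsub(/[[:space:]]/, "", key)
            if (tolower(key) == "machinepasswordtimeout") {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}
# Return 0 when the timeout is 0 (winbindd leaves the machine password
# alone), 1 otherwise; prints a one-line verdict either way.
check_smb_conf() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    t=$(effective_machine_pw_timeout "$1")
    if [ "$t" = "0" ]; then
        echo "OK: machine password timeout = 0 in $1"
        return 0
    fi
    echo "WARNING: $1 has an effective machine password timeout of ${t}s;" \
         "winbindd will change the machine password and desync the CentrifyDC agent"
    return 1
}

# Constructed sample configs (not from the article): one missing the setting in
# [global] (the copy under [homes] is deliberately misplaced), one corrected.
SAMPLE_MISSING='[global]
   workgroup = ACME

[homes]
   machine password timeout = 0
'
SAMPLE_FIXED='[global]
   workgroup = ACME
   Machine Password Timeout = 0
'
# Usage: sh this_script.sh /etc/samba/smb.conf  (exit 1 means the fix is needed)
[ $# -eq 0 ] || check_smb_conf "$1"
```

Running it against the live /etc/samba/smb.conf after the restart confirms the fix took effect; a non-zero exit is the signal to add the setting back.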
Notes: See the following link for more information on the machine password timeout setting:
https://www.linuxtopia.org/online_books/network_administration_guides/using_samba_book/ch08_05_02.html
(3rd party links are provided as a courtesy and Centrify is not responsible for the availability or content of those links)