KB-30719: After configuring adbindproxy with stock Samba, CentrifyDC goes into disconnected state every 7 days

Authentication Service

28 March,20 at 07:30 AM

Problem:

After configuring stock Samba with Centrify Adbindproxy, the CentrifyDC agent goes into a disconnected state every seven days.  When looking at the adinfo_support.txt that was collected from running adinfo -t, it appears that the machine password is out of sync.  
 
Computer Account Diagnostics
Joined as: filesvr01.acme.net
Cannot bind to the domain controller for a domain.
Computer account password has been changed.
Please correct the cause of this problem, then reset the Computer account in Active Directory.


Cause:

In the Centrify debug logs (/var/log/centrifydc.log), it appears that winbindd changed the machine password.
 
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.054615, 0] ../source3/libsmb/trusts_util.c:380(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Verifying passwords remotely netlogon_creds_cli:CLI[FILESVR01/FILESVR01$]/SRV[DC2/ACME].
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.056693, 0] ../source3/libsmb/trusts_util.c:452(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Verified old password remotely using netlogon_creds_cli:CLI[FILESVR01/FILESVR01$]/SRV[DC2/ACME]
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.056791, 0] ../source3/libsmb/trusts_util.c:491(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Changed password locally
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.145768, 0] ../source3/libsmb/trusts_util.c:545(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Changed password remotely using netlogon_creds_cli:CLI[FILESVR01/FILESVR01$]/SRV[DC2/ACME]
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.151860, 0] ../source3/libsmb/trusts_util.c:564(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Finished password change.
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: [2019/10/19 21:04:31.153331, 0] ../source3/libsmb/trusts_util.c:617(trust_pw_change)
Oct 19 21:04:31 filesvr01.acme.net winbindd[1822]: 2019/10/19 21:04:31 : trust_pw_change(ACME): Verified new password remotely using netlogon_creds_cli:CLI[FILESVR01/FILESVR01$]/SRV[DC2/ACME]

Right after this, the machine will no longer be able to communicate with Active Directory because the machine password is now out of sync between the CentrifyDC agent and Active Directory, thus putting the CentrifyDC agent into a disconnected state.

When using Adbindproxy with stock Samba, Centrify will add some settings into the [global] section of the /etc/samba/smb.conf.

One of those settings is:
 
machine password timeout = 0

This tells Samba not to reset the machine password.

If that setting is not in smb.conf, the default is 604,800 seconds (one week, or seven days).

It is the winbindd component that performs the machine password reset.

In this instance, that setting was missing from the /etc/samba/smb.conf file for an unknown reason.



Resolution:

In the /etc/samba/smb.conf file, add the setting below or, if it already exists, verify that it is set to '0'.
 
machine password timeout = 0

After making any changes to the smb.conf file, the smbd process will need to be restarted.  

For example, if using Centrify Adbindproxy with stock Samba on a RHEL 7.x box, the command below can be used.
 
systemctl restart centrifydc-samba
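
The check from the Resolution can be scripted so a missing or non-zero value is caught before winbindd rotates the password. This is an added example, not Centrify or Samba code: the function name check_mpt and the sample file are constructed, and it assumes Samba's rule that section and parameter names ignore case and internal whitespace.

```shell
#!/bin/sh
# check_mpt FILE: report "machine password timeout" as set in the [global] section.
# Prints "ok", "missing" or "nonzero:<value>"; returns 0 only for "ok".
check_mpt() {
    result=$(awk '
        # Section header: remember its name, lower-cased and without spaces.
        /^[ \t]*\[/ {
            sec = tolower($0)
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*/, "", sec)
            gsub(/[ \t]/, "", sec)
            next
        }
        /^[ \t]*[#;]/ { next }            # comment lines start with # or ;
        sec == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)        # whitespace in names is ignored
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            # Assumption: a later duplicate overrides an earlier one.
            if (key == "machinepasswordtimeout") { found = 1; last = val }
        }
        END {
            if (!found)           print "missing"
            else if (last == "0") print "ok"
            else                  print "nonzero:" last
        }' "$1")
    echo "$result"
    [ "$result" = "ok" ]
}

# Constructed sample: [global] lacks the setting, as in this article.
# The article places the setting in [global], so only that section is checked.
demo=$(mktemp)
printf '%s\n' '[global]' '   security = ADS' '   workgroup = ACME' \
    '[share]' '   machine password timeout = 0' > "$demo"
echo "sample smb.conf: $(check_mpt "$demo")"
rm -f "$demo"
```

On a live host, run `check_mpt /etc/samba/smb.conf`; a result of "missing" means the 604,800-second default applies.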


Notes:

See the following link for more information on the machine password timeout setting:
https://www.linuxtopia.org/online_books/network_administration_guides/using_samba_book/ch08_05_02.html

(3rd party links are provided as a courtesy and Centrify is not responsible for the availability or content of those links)