#StackBounty: #linux #active-directory #samba4 Samba and AD – "net ads changetrustpw" fails

Bounty: 200

I’ve got a Samba member of a Windows AD. I’m using a combination of sssd and winbind. Samba manages machine password changes, and it’s configured also to update the passwords used by sssd. (The machine password update that is usually handled by sssd is disabled.)

The problem manifests on the Samba fileserver banas with this error:

net ads changetrustpw
Changing password for principal: banas$@CONTOSO.COM
Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

I can’t find any useful matches to this error message via Google (everything I’ve seen seems to relate either to Windows XP or other Windows desktop systems trying to offer a network share to too many clients).

The trust is fine, inasmuch as I can browse to the shares offered by Samba, wbinfo -i returns sane and expected information for non-local AD accounts, and net ads testjoin returns the expected Join is OK.

I’ve enabled debugging on the changetrustpw command but nothing jumps out at me. The connection to the DC is made successfully, and negotiations follow, but with the final error once again.

AD is managed with DCs originally running Windows 2012 R2 but gradually being upgraded to Windows 2016.

Relevant snippet from smb.conf

[global]
server string Fileserver
server role = member server
server services = -dns
workgroup = CONTOSO
realm = CONTOSO.COM
security = ADS
encrypt passwords = yes
kerberos method = secrets and keytab
client ldap sasl wrapping = sign
passdb backend = tdbsam
idmap config CONTOSO : backend = sss
idmap config CONTOSO : range = 800000000-899999999
idmap config * : backend = tdb
idmap config * : range = 100000000-199999999

Relevant snippet from sssd.conf

[domain/contoso.com]
ad_domain = contoso.com
ad_hostname = banas.contoso.com
krb5_realm = CONTOSO.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ad_domain = contoso.com
krb5_realm = CONTOSO.COM
use_fully_qualified_names = False
fallback_homedir = /home/DOMAIN=CONTOSO/%u
access_provider = permit
ldap_group_nesting_level = 5
ldap_use_tokengroups = false
ad_maximum_machine_account_password_age = 0

I have obfuscated, but consistently. For the purposes of this question, my domain is CONTOSO, contoso.com.

Nothing gets written to Samba or sssd log files during the changetrustpw attempt. The same configuration works as expected on other Samba members. Debian “Stretch” in all three cases if that’s relevant.

I can add additional details on request – I simply don’t know at this stage what else would be useful.

If anyone can either suggest a remedy to me (or failing that point me towards other resources that may help me diagnose and fix this), I’d be really grateful.


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.