I’ve got a Samba member of a Windows AD. I’m using a combination of winbind. Samba manages machine password changes, and it’s configured also to update the passwords used by sssd. (The machine password update that is usually handled by sssd is disabled.)
The problem manifests on the Samba fileserver banas with this error:

    net ads changetrustpw
    Changing password for principal: banas$@CONTOSO.COM
    Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

I can’t find any useful matches to this error message via Google (everything I’ve seen seems to relate either to Windows XP or other Windows desktop systems trying to offer a network share to too many clients).
The trust is fine, inasmuch as I can browse to the shares offered by Samba, wbinfo -i returns sane and expected information for non-local AD accounts, and net ads testjoin returns the expected Join is OK.
I’ve enabled debugging on the changetrustpw command but nothing jumps out at me. The connection to the DC is made successfully, and negotiations follow, but with the final error once again.
AD is managed with DCs originally running Windows 2012 R2 but gradually being upgraded to Windows 2016.
Relevant snippet from

    [global]
    server string Fileserver
    server role = member server
    server services = -dns
    workgroup = CONTOSO
    realm = CONTOSO.COM
    security = ADS
    encrypt passwords = yes
    kerberos method = secrets and keytab
    client ldap sasl wrapping = sign
    passdb backend = tdbsam
    idmap config CONTOSO : backend = sss
    idmap config CONTOSO : range = 800000000-899999999
    idmap config * : backend = tdb
    idmap config * : range = 100000000-199999999

Relevant snippet from

    [domain/contoso.com]
    ad_domain = contoso.com
    ad_hostname = banas.contoso.com
    krb5_realm = CONTOSO.COM
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    ad_domain = contoso.com
    krb5_realm = CONTOSO.COM
    use_fully_qualified_names = False
    fallback_homedir = /home/DOMAIN=CONTOSO/%u
    access_provider = permit
    ldap_group_nesting_level = 5
    ldap_use_tokengroups = false
    ad_maximum_machine_account_password_age = 0

I have obfuscated, but consistently. For the purposes of this question, my domain is
Nothing gets written to Samba or sssd log files during the changetrustpw attempt. The same configuration works as expected on other Samba members. Debian “Stretch” in all three cases if that’s relevant.
I can add additional details on request – I simply don’t know at this stage what else would be useful.
If anyone can either suggest a remedy to me (or failing that point me towards other resources that may help me diagnose and fix this), I’d be really grateful.