On Tue, 2012-10-23 at 11:14 -0400, Robert M. Martel - CSU wrote:
>
> On 10/22/2012 05:10 PM, Andrew Bartlett wrote:
> > On Mon, 2012-10-22 at 14:51 -0400, Robert M. Martel - CSU wrote:
> >
> >> [2012/10/22 14:23:07.353280, 0] libads/kerberos.c:333(ads_kinit_password)
> >> kerberos_kinit_password [email protected] failed: Clients
> >> credentials have been revoked
> >> Join to domain is not valid: Access denied
> >>
> >>
> >> The Active Directory admins are still saying that they have not changed
> >> anything on their side.
> >
> > It seems unlikely if you just re-joined, but in case we are talking
> > about multiple machines, could the password have been expired?
>
> The problem existed for multiple machines.
>
> After Brian Campbell's note I double-checked the clock-sync on the
> servers and found it to be okay.
>
> The Active Directory (AD) admins that "did not change anything" finally
> reported having some vague problem with their domain server replication
> that only seems to affect *my* Samba servers (I may be the only person on
> campus running Samba servers that are members of the university's Active
> Directory system.)
>
> There was some more hand waving, reports of trying to get some support
> out of Microsoft, and finally a mention that *someone* had been making
> some changes to AD config in preparation for moving from Lotus Notes
> Email to MS Exchange.
>
> The AD admins then "did something else" and now the problem no longer
> exists. I am still trying to get some real information as to what happened.
>
> If I (ever) find out I will note it here. I always hate seeing problem
> reports in Email archives that never talk about resolution.
>
> Thank you!
>
> At least I got my Samba versions less out of date. Have to see if
> building 3.6 is as much of a pain on Solaris as 3.5 has been.
This might be password change replication. We recently (fixed in latest 3.6) introduced a change to the timeout applied when we change our machine account password.

In short, when we contacted AD, we would time out after 30 seconds, but it can take longer than that for AD to change a machine account password, because (using replication, the clue from the above) it must forward the change to the PDC emulator before returning. On the then broken connection the password is successfully changed but the 'OK' is lost, so we still use the old pw (considering it a failure).

This then breaks the domain trust, quite possibly in the way you describe.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
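The lost-'OK' failure Andrew describes, as an added example that is not code from this thread or from Samba: a deterministic Python simulation in which the DC commits the new machine-account password even though the client gave up waiting, so a client that treats the timeout as failure keeps a password the DC no longer accepts. The class and function names, the simulated delays, and the idea of probing the new credential after an ambiguous result are assumptions made for the illustration.

```python
# Added example, not Samba code. Time is modelled as plain integers
# (seconds), so nothing actually sleeps or talks to a real DC.

class DomainController:
    """Models a DC that commits a machine-account password change only
    after forwarding it to the PDC emulator, which costs replication_delay."""

    def __init__(self, password, replication_delay):
        self.password = password
        self.replication_delay = replication_delay

    def change_password(self, old, new, client_timeout):
        if old != self.password:
            raise PermissionError("old password rejected")
        # The DC commits the change whether or not the client is still
        # listening for the reply.
        self.password = new
        # True only if the 'OK' arrives before the client's timeout fires.
        return self.replication_delay <= client_timeout

    def authenticate(self, password):
        return password == self.password


def rotate_naive(dc, current, new, timeout):
    """The buggy behaviour: a timeout is treated as failure, so the old
    password is kept locally while the DC already holds the new one."""
    if dc.change_password(current, new, timeout):
        return new
    return current


def rotate_verified(dc, current, new, timeout):
    """After an ambiguous (timed-out) change, probe which password the DC
    now holds before deciding what to store locally (assumed mitigation)."""
    if dc.change_password(current, new, timeout):
        return new
    if dc.authenticate(new):   # the change went through; adopt it
        return new
    return current


def trust_survives(rotate, timeout=30, replication_delay=45):
    """True if the machine can still authenticate after rotating with
    the given strategy; 30s timeout vs 45s replication reproduces the bug."""
    dc = DomainController("old-secret", replication_delay)
    stored = rotate(dc, "old-secret", "new-secret", timeout)
    return dc.authenticate(stored)
```

With the default 30-second timeout and 45-second replication delay the naive rotation leaves the machine unable to authenticate, while either probing the new credential or raising the timeout above the replication delay keeps the trust intact.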
