Upgrading rc2 to rc3: (Samba AD) "Account provider error: invalid credentials (49)"

From man sssd-ad:

   ad_maximum_machine_account_password_age (integer)
       SSSD will check once a day if the machine account password is older than the given age in days and try to renew it. A value of 0 will disable the renewal attempt.
       Default: 30 days

SSSD changed the default behavior.
We probably should improve our SSSD config:

  • with Samba AD: ad_maximum_machine_account_password_age set to 0
  • with MS AD: ad_maximum_machine_account_password_age set to 30 and pac option in services section
1 Like
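
An added example, not part of the original posts and not the project's own code: a small audit that reads an sssd.conf and reports, for each AD domain, the effective `ad_maximum_machine_account_password_age`, treating an unset option as the 30-day default from the man page excerpt. The sample config and domain names are constructed, and reading "pac option in services section" as `pac` listed on the `services` line of `[sssd]` is an assumption.

```python
import configparser

DEFAULT_AGE_DAYS = 30  # default quoted from man sssd-ad above
OPTION = "ad_maximum_machine_account_password_age"

# Constructed sample sssd.conf; domain names are placeholders.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = samba.example, ms.example, files.example

[domain/samba.example]
id_provider = ad
ad_maximum_machine_account_password_age = 0

[domain/ms.example]
id_provider = ad

[domain/files.example]
id_provider = ldap
"""

def audit_sssd_conf(text):
    """Return one finding per AD domain with the effective renewal age."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw_services = cp.get("sssd", "services", fallback="")
    services = [s.strip() for s in raw_services.split(",") if s.strip()]
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip().lower() != "ad":
            continue  # the option only applies to the AD provider
        raw = cp.get(section, OPTION, fallback=None)
        age = DEFAULT_AGE_DAYS if raw is None else int(raw)
        findings.append({
            "domain": section.split("/", 1)[1],
            "explicit": raw is not None,   # False: the default silently applies
            "age_days": age,
            "renewal_enabled": age != 0,   # 0 disables the renewal attempt
            "pac_service": "pac" in services,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_CONF):
        print(finding)
```

Domains reported with `explicit` set to False are the ones whose behavior changes when the package default changes.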

We were wrong, mate :cry:

The good news is we’ve probably found a solution :pray:

I must confess our smb.conf is not exactly what RHEL/sssd expects.

The “keytab and password” setting is perhaps not compliant with sssd. I can’t investigate further now…

3 Likes

Good news here: I reproduced the error :smile: edit: NOW IN TESTING /cc @quality_team

It seems the upstream upgrade from sssd 1.13 to 1.14 introduces a new feature that changes the machine password each month (to emulate Win clients). This new feature is not compatible with our configuration. We now must see if we can modify our config or disable the new feature.

Thank you again @GG_jr for the detailed report!

6 Likes