Another AccountProvider_Error_82

robb (Rob Bosch) 2018-04-01 16:12:09 UTC #1

NethServer Version: 7.4
Module: Samba 4 Account provider

I just noticed I wasn’t able to reach my Samba shares on NS7 anymore. After a short investigation I saw in NS7 Dashboard a red line with AccountProvider_Error_82

When i look at Domain Accounts I get the following:

NetBIOS domain name: INTERLIN
LDAP server: 192.168.10.6
LDAP server name: nsdc-ns7.ad.interlin.nl
Realm: AD.INTERLIN.NL
Bind Path: dc=AD,dc=INTERLIN,dc=NL
LDAP port: 389
Server time: Sun, 01 Apr 2018 18:10:38 CEST
KDC server: 192.168.10.6
Server time offset: 0
Last machine account password change: Fri, 04 Aug 2017 19:53:04 CEST

kerberos_kinit_password NS7$@AD.INTERLIN.NL failed: Preauthentication failed
kerberos_kinit_password NS7$@AD.INTERLIN.NL failed: Preauthentication failed
Join to domain is not valid: Logon failure
kerberos_kinit_password NS7$@AD.INTERLIN.NL failed: Preauthentication failed
kerberos_kinit_password NS7$@AD.INTERLIN.NL failed: Preauthentication failed
kerberos_kinit_password NS7$@AD.INTERLIN.NL failed: Preauthentication failed
kerberos_kinit_password NS7$@AD.INTERLIN.NL failed: Preauthentication failed

This is the server where NSDC is installed with. Any hints?
AFAIK there was no password change for the computer account NS7…

mrmarkuz (Markus Neuberger) 2018-04-01 18:42:39 UTC #2

Does the problem persist after a reboot?

Do these commands work?

account-provider-test dump
/usr/libexec/nethserver/list-users

To test kerberos:

[root@server2 ~]# kinit -V admin
Using existing cache: persistent:0:0
Using principal: admin@AD.CMB.LOCAL
Password for admin@AD.CMB.LOCAL:
Authenticated to Kerberos v5

Found a thread here:

Unbind and reinstall AD may solve it as a last instance.

robb (Rob Bosch) 2018-04-02 09:10:53 UTC #3

The first command works.
The second command fails:

[root@ns7 ~]# /usr/libexec/nethserver/list-users
kinit: Preauthentication failed while getting initial credentials
(82) GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more information
Ticket expired

No idea how comes the ticket has expired? shouldn’t that be an automatic process for renewal? Frankly, I have no idea how the background process works…

This is the server where the AD container is attached to. Would I have a lot of trouble if I leave the domain and rejoin? Help?

mrmarkuz (Markus Neuberger) 2018-04-02 11:47:34 UTC #4

I just tried it. I had to redo users/groups (could be exported/imported), passwords and domain member machines. I didn’t have ACLs and shares. I did it via web UI (uninstall and then install local AD again).

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-sssd.html#account-import-scripts

I recommend to have a backup.

robb (Rob Bosch) 2018-04-02 12:07:18 UTC #5

weird… cos users/groups are on the nsdc container right? So why the need for recreating users and groups?
I do have shares and can’t affort to lose those.

mrmarkuz (Markus Neuberger) 2018-04-02 13:33:40 UTC #6

Because I uninstalled the AD as a last instance hammer method. You may export/import them too.
There are softer ways to try first:

Reboot
manual join: http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-dc.html#manual-join

You won’t lose data AFAIK but maybe shares/ACLs info.
What about restoring VM backup or restore nethserver config?

davidep (Davide Principi) 2018-04-02 13:43:44 UTC #7

Look at

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-sssd.html#leave-and-re-join-active-directory

robb (Rob Bosch) 2018-04-02 15:08:46 UTC #8

Leaving and re-joining didn’t work I had to reinstall the account provider and re-create all users and groups. The shares were still available. But that is not samba4 related I guess?

Still weird that the computer account for the server was corrupted in some way…

AccountProvider_Error_82 stopping everything!