Winbind loses trust connection between IPA and AD.


Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

Over the lifetime of a trust between Red Hat Enterprise Linux IPA and Windows Active Directory (AD), many things can happen in the background that cause winbind to lose trust with the AD realm.

Resolution

To overcome this issue, leave and re-join the realm to receive a new Kerberos ticket and re-establish trust with AD.

  1. Perform kinit as the administrator

    # kinit administrator 
    
  2. Leave the AD realm by running net ads leave.

    # net ads leave -k
    
  3. Rejoin the realm by running net ads join.

    # net ads join -k
    
  4. Now restart the winbind and smb service as shown below.

    # service winbind restart
    # service smb restart
    

Root Cause

There are many factors that can contribute to the loss of trust between Red Hat Enterprise Linux IPA and MS AD.

For example, post-installation configuration changes or updates can cause mismatches and failures. Unfortunately, these cannot be avoided.

Diagnostic Steps

  • Error messages in /var/log/samba/log.smbd look something like this:

    [2019/06/11 11:15:24.030893, 10, pid=20430] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)libads/kerberos_verify.c:435: enc type [3] failed to decrypt with error Bad encryption type
    [2019/06/11 11:15:24.030926,  3, pid=20430] libads/kerberos_verify.c:638(ads_verify_ticket)libads/kerberos_verify.c:638: krb5_rd_req with auth failed (Bad encryption type)
    [2019/06/11 11:15:24.030951, 10, pid=20430] libads/kerberos_verify.c:648(ads_verify_ticket)libads/kerberos_verify.c:648: returning error NT_STATUS_LOGON_FAILURE
    [2019/06/11 11:15:24.030987,  1, pid=20430] smbd/smb2_sesssetup.c:203(smbd_smb2_session_setup_krb5)smb2: Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2019/06/11 11:15:24.031595,  2, pid=20430] smbd/smb2_server.c:2631(smbd_smb2_request_incoming)smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
    [2019/06/11 11:15:24.031626, 10, pid=20430] smbd/smb2_server.c:697(smbd_server_connection_terminate_ex)smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at smbd/smb2_server.c:2632
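
As an added example (not part of the original article or of Red Hat's tooling), the shell function below scans an smbd log for the failure signature shown above and reports each rejected session setup together with the krb5 reason logged by the same process. The function names and the pid=20431 sample lines are constructed for illustration; the scan goes slightly beyond the excerpt by also accepting logs where the message sits on the line after the header.

```shell
#!/bin/sh
# Added example (not from the original article): list rejected Kerberos session setups.

# Prints "<timestamp> pid=<pid> <krb5 reason>" for every rejected session setup.
# Reads the file named in $1, or stdin if none is given. Handles the message on the
# header line (as in the excerpt above) or on the following line.
scan_smbd_log() {
    awk '
        /^\[[0-9]/ {                      # header: [date time, level, pid=N] ...
            ts = substr($1, 2) " " $2; sub(/,$/, "", ts)
            pid = "?"
            if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
        }
        /krb5_rd_req with auth failed/ {  # remember why this process rejected the ticket
            r = $0; sub(/.*krb5_rd_req with auth failed \(/, "", r); sub(/\).*/, "", r)
            reason[pid] = r
        }
        /Failed to verify incoming ticket/ {
            printf "%s pid=%s %s\n", ts, pid, ((pid in reason) ? reason[pid] : "unknown")
            delete reason[pid]
        }
    ' "${1:--}"
}

# Sample input: pid=20430 lines are taken from the excerpt above; the pid=20431
# lines are constructed to show the two-line layout.
sample_log() {
    cat <<'EOF'
[2019/06/11 11:15:24.030893, 10, pid=20430] libads/kerberos_verify.c:435(ads_secrets_verify_ticket)libads/kerberos_verify.c:435: enc type [3] failed to decrypt with error Bad encryption type
[2019/06/11 11:15:24.030926,  3, pid=20430] libads/kerberos_verify.c:638(ads_verify_ticket)libads/kerberos_verify.c:638: krb5_rd_req with auth failed (Bad encryption type)
[2019/06/11 11:15:24.030987,  1, pid=20430] smbd/smb2_sesssetup.c:203(smbd_smb2_session_setup_krb5)smb2: Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2019/06/11 11:15:24.031595,  2, pid=20430] smbd/smb2_server.c:2631(smbd_smb2_request_incoming)smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2019/06/11 11:16:02.100000,  3, pid=20431] libads/kerberos_verify.c:638(ads_verify_ticket)
  libads/kerberos_verify.c:638: krb5_rd_req with auth failed (Bad encryption type)
[2019/06/11 11:16:02.100500,  1, pid=20431] smbd/smb2_sesssetup.c:203(smbd_smb2_session_setup_krb5)
  smb2: Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
EOF
}

sample_log | scan_smbd_log
```

On a live system, run it as scan_smbd_log /var/log/samba/log.smbd; the krb5 detail lines appear only when the smbd log level is high enough to record them, otherwise the reason is reported as "unknown".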
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
