Computer Account Reset every 7 days. Why?
We have a problem: every 7 days (on the second), the computer account of a Linux server (running Samba) is reset in the AD.
What we see in the log files is this (Event ID 646):
--------
27-4-2010 12:49:56 Security Success Audit Account Management 646 NT AUTHORITY\ANONYMOUS LOGON SRVxxx "Computer
Account Changed:
-
Target Account Name: linuxserver$
Target Domain: DOMAIN
Target Account ID: DOMAIN\linuxserver$
Caller User Name: SRVxxx$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 4/27/2010 12:49:56 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -
"
27-4-2010 12:49:56 Security Success Audit Account Management 646 NT AUTHORITY\ANONYMOUS LOGON SRVxxx "Computer
Account Changed:
-
Target Account Name: linuxserver$
Target Domain: DOMAIN
Target Account ID: DOMAIN\linuxserver$
Caller User Name: SRVxxx$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 4/27/2010 12:49:56 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -
---------------------
The problem that we are having is that the Linux server is using a krb5 keytab file. When the computer account is reset, the ticket version number is changed, and we need to recreate the keytab file.
The KVNO (Key Version Number), msDS-KeyVersionNumber in the AD, is getting higher and higher. We are at 16 now and counting.
But why is this happening once a week? Is this initiated from the Linux server, or from the AD (policy)?
Does someone maybe have some hints in which direction I need to be looking?
Thank you .. Greetings .. Richard
May 4th, 2010 4:19pm
Well, I just want to say that this problem has been solved. It took a long time, but this is the solution:
The new Samba versions have a different syntax in the smb.conf file.
In the old versions of Samba, there was a line that said:
use kerberos keytab = yes
But in the newer versions, they changed the syntax of this line to:
kerberos method = secrets and keytab
This line says that the AD communication will use the keytab file, AND the sessions.tdb file.
If you do not have this line, it only uses the session.tdb, and your keytab will be out of sync in a couple of days.
Greetings .. Richard
July 13th, 2010 5:14pm
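A monitoring check for the drift described in this thread, added here as an example and not code from the posters: it parses MIT-style `klist -k -t` output and reports principals whose keytab KVNO no longer matches the msDS-KeyVersionNumber read from AD. The keytab listing, realm and AD value below are constructed sample data, not taken from the original system.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -t /etc/krb5.keytab` output on a Samba
# member server (hypothetical host and realm, not the poster's real output).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  15 04/20/2010 12:49:56 host/linuxserver.domain.example@DOMAIN.EXAMPLE
  15 04/20/2010 12:49:56 LINUXSERVER$@DOMAIN.EXAMPLE
  16 04/27/2010 12:49:56 host/linuxserver.domain.example@DOMAIN.EXAMPLE
"""

# Constructed msDS-KeyVersionNumber as it would be read from the computer
# object in AD (for example with ldapsearch); assumed value for the example.
AD_KVNO = 16

# One keytab entry line: KVNO, date, time, principal.
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)$")


def parse_keytab_listing(text):
    """Return {principal: highest KVNO present in the keytab}."""
    highest = defaultdict(int)
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # header, separator or 'Keytab name:' line
        kvno, principal = int(m.group(1)), m.group(3)
        highest[principal] = max(highest[principal], kvno)
    return dict(highest)


def check_kvno_drift(text, ad_kvno):
    """Return {principal: keytab KVNO} for entries out of sync with AD.

    A principal whose newest key lags the AD key version will fail
    Kerberos authentication until the keytab is regenerated, which is
    exactly the weekly breakage reported in this thread.
    """
    return {p: k for p, k in parse_keytab_listing(text).items() if k != ad_kvno}


if __name__ == "__main__":
    for principal, kvno in check_kvno_drift(SAMPLE_KLIST, AD_KVNO).items():
        print(f"{principal}: keytab KVNO {kvno}, AD KVNO {AD_KVNO} -> stale")
```

In production the listing would come from running klist and the AD value from an LDAP query against the computer object; the comparison logic is the same.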