When a trust is established with AD, the AD server periodically calls NETR_SERVERPASSWORDSET2 and the operation fails with NT_STATUS_NOT_IMPLEMENTED (log in /var/log/samba/smbd.lsasd.xx):
[2017/03/24 10:30:18.736045,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
          out: struct netr_ServerPasswordSet2
              return_authenticator     : *
                  return_authenticator: struct netr_Authenticator
                      cred: struct netr_Credential
                          data                     : ced899cf781997ca
                      timestamp                : (time_t)0
              result                   : NT_STATUS_NOT_IMPLEMENTED

pdb_update_sam_account() is called but ipasam doesn't provide this function, meaning that the default Samba implementation is used and returns NT_STATUS_NOT_IMPLEMENTED.
We need to implement ipasam_update_sam_account().
Note: setting the NT hash only is a bit complicated because we should be expecting to synchronize both Kerberos and NT hash passwords for the same entry. Since this is a trusted domain object entry, having them not in sync would cause broken trust operations for SSSD.
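Added example, not part of the ticket or of Samba: a small Python parser for the ndr_print_function_debug dump format shown above that flags netr_ServerPasswordSet2 replies returning anything other than NT_STATUS_OK, so a trust whose password rotation is failing can be caught from the smbd.lsasd log rather than discovered when SSSD trust operations break. The sample log is constructed in that shape (the second, passing record is invented for contrast), and the parser works for any RPC dumped in this format, not only netlogon.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the smbd ndr_print_function_debug output
# quoted in the ticket; the second (passing) record is made up for contrast.
SAMPLE_LOG = """\
[2017/03/24 10:30:18.736045,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
          out: struct netr_ServerPasswordSet2
                  return_authenticator: struct netr_Authenticator
              result                   : NT_STATUS_NOT_IMPLEMENTED
[2017/03/24 10:30:19.102000,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
       netr_LogonGetCapabilities: struct netr_LogonGetCapabilities
          out: struct netr_LogonGetCapabilities
              result                   : NT_STATUS_OK
"""

HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+),\s*\d+,\s*pid=(?P<pid>\d+)")
DIR_RE = re.compile(r"^\s*(?P<dir>in|out): struct ")      # request vs. reply dump
FUNC_RE = re.compile(r"^\s*(?P<func>\w+): struct ")       # first such line names the RPC
RESULT_RE = re.compile(r"^\s*result\s*:\s*(?P<status>NT_STATUS_\w+)")

@dataclass
class NdrCall:
    timestamp: str
    pid: int
    function: str = ""
    direction: Optional[str] = None   # only "out" records carry a result
    result: Optional[str] = None

def parse_ndr_debug(text: str) -> List[NdrCall]:
    # Group the multi-line ndr_print dump into one record per RPC call.
    calls: List[NdrCall] = []
    cur = NdrCall("", 0)              # throwaway sink for lines before the first header
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = NdrCall(m["ts"], int(m["pid"]))
            calls.append(cur)
        elif m := DIR_RE.match(line):
            cur.direction = m["dir"]
        elif (m := FUNC_RE.match(line)) and not cur.function:
            cur.function = m["func"]
        elif m := RESULT_RE.match(line):
            cur.result = m["status"]
    return [c for c in calls if c.function]

def failed_calls(text: str, function: str = "netr_ServerPasswordSet2") -> List[NdrCall]:
    # Replies of `function` whose NTSTATUS is anything other than success.
    return [c for c in parse_ndr_debug(text) if c.function == function
            and c.direction == "out" and c.result not in (None, "NT_STATUS_OK")]
```

Running failed_calls(SAMPLE_LOG) returns the single NT_STATUS_NOT_IMPLEMENTED record; pointing it at a real smbd.lsasd log at debug level 1 or higher gives the same check over live data.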
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436625
Issue linked to bug 1436625
Closing as duplicate of 6660, this ticket is mentioned there as comment: https://pagure.io/freeipa/issue/6660#comment-433860
Metadata Update from @pvoborni:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
Reopening. This is another part of the bigger issues. Ticket #6660 is a prerequisite to reach netr_ServerPassword2 but we still need to implement pdb_update_sam_account() in ipasam backend and also switch to use info level 26 from info level 18 in netr_set_machine_account_password(). I'll open a related Samba bug too.
Metadata Update from @abbra: - Issue status updated to: Open (was: Closed)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1411817 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1436625)
Issue linked to bug 1411817
Metadata Update from @pvoborni:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: bug
Metadata Update from @abbra: - Issue assigned to abbra
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)