When I try to configure an IPA client as a Samba file server, the ipa-client-samba command fails in a step calling "net changesecretpw -f". The failure did not happen with samba-4.20.4-1.fc42.x86_64 but is seen with 4.21.0-0.6.rc4.fc42.

Reproducible: Always

Steps to Reproduce:

1. Install the IPA server on server.ipa.test:

    dnf install -y freeipa-server-dns
    ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U

2. Install the IPA client on client.ipa.test:

    dnf install -y freeipa-client-samba
    ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U

3. Try to configure the client as a Samba file server:

    echo Secret123 | kinit admin
    ipa-client-samba -U

Actual Results:

    # ipa-client-samba -U
    Searching for IPA server...
    IPA server: ['server.ipa.test']
    Chosen IPA master: ['server.ipa.test']
    SMB principal to be created: cifs/client.ipa.test
    NetBIOS name to be used: CLIENT
    Discovered domains to use:

     Domain name: ipa.test
    NetBIOS name: IPA
    SID: S-1-5-21-559329419-496287489-4055619056
    ID range: 1990800000 - 1990999999
    Cannot set machine account creds in Samba.
    Error: CalledProcessError(Command ['/usr/bin/net', 'changesecretpw', '-f'] returned non-zero exit status 1: 'pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned No logon servers are currently available to service the logon request.\nsecrets_prepare_password_change: Sync of machine password failed.\nUnable to write the machine account password in the secrets database')
    Traceback (most recent call last):
      File "/usr/sbin/ipa-client-samba", line 15, in <module>
        sys.exit(ipa_client_samba.run())
      File "/usr/lib/python3.13/site-packages/ipaclient/install/ipa_client_samba.py", line 735, in run
        populate_samba_databases(
            fstore, statestore, options, domains[0], password
        )
      File "/usr/lib/python3.13/site-packages/ipaclient/install/ipa_client_samba.py", line 366, in populate_samba_databases
        ipautil.run(args, stdin=password, encoding="utf-8")
      File "/usr/lib/python3.13/site-packages/ipapython/ipautil.py", line 594, in run
        raise CalledProcessError(
            p.returncode, arg_string, output_log, error_log
        )
    ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/net', 'changesecretpw', '-f'] returned non-zero exit status 1: 'pw2kt_get_dc_info: Failed to refresh keytab, ads_connect() returned No logon servers are currently available to service the logon request.\nsecrets_prepare_password_change: Sync of machine password failed.\nUnable to write the machine account password in the secrets database')

Expected Results:

    # ipa-client-samba -U
    Searching for IPA server...
    IPA server: ['server.ipa.test']
    Chosen IPA master: ['server.ipa.test']
    SMB principal to be created: cifs/client.ipa.test
    NetBIOS name to be used: CLIENT
    Discovered domains to use:

     Domain name: ipa.test
    NetBIOS name: IPA
    SID: S-1-5-21-3799508206-3266988578-3110657925
    ID range: 867400000 - 867599999
    Samba domain member is configured.
    Please check configuration at /etc/samba/smb.conf and start smb and winbind services
This is due to refactoring done by Pavel in

    commit 683f6eec40f2efbb122329800ebb2f5d2f518746
    Author: Pavel Filipenský <pfilipensky>
    Date:   Thu Dec 21 13:57:38 2023 +0100

        s3: Sync machine account password in secrets_{prepare,finish}_password_change

        BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

and

    commit e08b2963d98ea82cb5989f5e7c80e808859e98dd
    Author: Pavel Filipenský <pfilipensky>
    Date:   Wed Feb 28 13:30:30 2024 +0100

        s3:libads: Call 'sync machine password script' when machine password is updated

        BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

We use 'kerberos method = dedicated keytab' in the FreeIPA domain member configuration. What we don't do is set 'sync machine password to keytab', which was introduced as a part of that patchset. As a result, Samba attempts to synchronize the machine account we set with 'net changesecretpw -f' to the keytab and fails because it cannot find a domain controller to figure out what encryption types/KVNO/SPNs must be set in the keytab.

The thing is, the IPA domain controller is a Samba DC in a special mode, not an AD DC, so it might not respond as you expect. Second, the current logic of 'sync machine password to keytab' does not allow handling any use case where we do not want to sync keytabs (because they are already in sync).

I think there are two actions here:

- Samba can add 'sync machine password to keytab = false' to disable syncing
- FreeIPA can add 'sync machine password to keytab = false' to ipaclient/install/ipa_client_samba.py:smb_conf_template
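The comment above boils down to a configuration invariant for an IPA domain member: the client relies on its own keytab ('kerberos method = dedicated keytab'), so Samba's new keytab sync must be switched off or 'net changesecretpw -f' will go looking for a DC. The following is an added example, not code from FreeIPA or Samba, that parses a smb.conf [global] section and reports whether that invariant holds. It assumes that Samba parameter names are case- and whitespace-insensitive (which they are), and it treats 'false', 'no' and 'disabled' as disabling values for 'sync machine password to keytab'; the page itself only proposes 'false', so the other two are an assumption. The two smb.conf fragments are constructed for the example and are not FreeIPA's real template.

```python
"""Check a Samba domain-member smb.conf for the keytab-sync setting.

Added example for this bug report; not FreeIPA's or Samba's code.
"""

# Constructed fragment: the shape of the config described in the bug
# (dedicated keytab, no 'sync machine password to keytab' line).
BROKEN_CONF = """\
[global]
    workgroup = IPA
    realm = IPA.TEST
    security = user
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
"""

# Constructed fragment: the same config with the proposed fix applied.
FIXED_CONF = BROKEN_CONF + "    sync machine password to keytab = false\n"

# Values accepted here as "disabled"; 'false' is what the page proposes,
# 'no' and 'disabled' are an assumption of this example.
DISABLING_VALUES = ("false", "no", "disabled")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_key: value}}.

    Samba ignores case and internal whitespace in parameter names, so
    'Kerberos Method' and 'kerberosmethod' map to the same key.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or not key = value
        key, _, value = line.partition("=")
        norm_key = "".join(key.split()).lower()
        sections[current][norm_key] = value.strip()
    return sections


def check_domain_member_config(text):
    """Return a list of findings; an empty list means the config is consistent."""
    global_section = parse_smb_conf(text).get("global", {})
    findings = []

    method = global_section.get("kerberosmethod", "").lower()
    if method != "dedicated keytab":
        findings.append(
            "kerberos method is %r, expected 'dedicated keytab' on an IPA domain member"
            % (method or None)
        )

    sync = global_section.get("syncmachinepasswordtokeytab")
    if sync is None:
        findings.append(
            "sync machine password to keytab is unset; Samba 4.21 will try to "
            "refresh the keytab against a DC when the machine password changes"
        )
    elif sync.lower() not in DISABLING_VALUES:
        findings.append(
            "sync machine password to keytab = %r does not disable keytab sync" % sync
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        problems = check_domain_member_config(conf)
        print("%s: %s" % (name, problems or "OK"))
```

Running the script on the two constructed fragments reports one finding for the first (the missing sync parameter) and nothing for the second. Pointing check_domain_member_config() at the contents of /etc/samba/smb.conf on a client gives an admin a quick way to tell whether the workaround is in place before retrying ipa-client-samba.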
This is how FreeIPA configures Samba on its domain member: https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html
We also should add a test to OpenQA that uses 'ipa-client-samba' to configure Samba on IPA client, so that we have this test running in Fedora updates testing.
I created https://gitlab.com/samba-team/samba/-/merge_requests/3786 to handle this. Pavel, please review.
FEDORA-2024-e1742d092c (samba-4.21.0-9.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2024-e1742d092c
FEDORA-2024-e1742d092c (samba-4.21.0-9.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.