
During some troubleshooting I deleted the machine account for a Linux server running samba from our AD 2003 domain. We are using Kerberos for authentication, and after I deleted the machine account I tried to join the domain again using

net ads join -U Administrator

But I keep getting Kerberos errors like these:

[2009/08/18 16:14:36, 0] libads/kerberos.c:ads_kinit_password(228)
     kerberos_kinit_password MACHINE$@MY.DOMAIN.COM failed: Client not found in Kerberos database
 Failed to join domain: Improperly formed account name

It appears as if samba remembers that it once had an account with the AD and keeps trying to reconnect to it, but I want to create a new account from scratch. I tried to delete all the .tdb files I could find as well as everything under /var/cache/samba but to no avail - it still behaves the same.

I also tried to create the machine account on the AD side, but then I get a similar error when I try to join, about failure to authenticate with the machine account - it looks like samba tries the previous machine account password and I don't know how to reset it, or even if I could figure out what samba uses - how to set it in the AD.

Any help would be greatly appreciated, as at this point the only thing I can think about is to reformat and reinstall the machine, and I would really REALLY love to not do that.

Thanks in advance.

Guss

4 Answers


First run a kdestroy to remove any reference to the machine account in the local kerberos cache, then manually run kinit administrator@MY.DOMAIN.LOCAL and enter the password.

Then run the net ads join command.

This should give you the kerberos trust to create the machine account without having to try and use the old machine account credentials.

Payload
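The kdestroy / kinit / net ads join sequence from this answer as a script, added here as an example rather than code from the answer. It assumes MIT or Heimdal Kerberos tools and Samba's net are on the path; REALM, ADMIN and the embedded klist output are placeholders and constructed sample data, not values from the question.

```shell
#!/bin/sh
# Added example, not from the original answer: discard a stale machine-account
# ticket, obtain an admin TGT, and only then attempt the join.
# Assumptions: MIT or Heimdal kinit/klist/kdestroy and Samba's `net` are installed;
# REALM and ADMIN below are placeholders for your own domain and admin account.
REALM="${REALM:-MY.DOMAIN.COM}"   # placeholder realm
ADMIN="${ADMIN:-administrator}"   # placeholder admin account

# Constructed klist output of the kind the failing host would show (sample data).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MACHINE$@MY.DOMAIN.COM

Valid starting     Expires            Service principal'

# Print the default principal from klist output read on stdin ("Default principal:"
# for MIT, "Principal:" for Heimdal); prints nothing when no cache exists.
cache_principal() {
    sed -n 's/^[[:space:]]*\(Default \)\{0,1\}[Pp]rincipal:[[:space:]]*//p' | head -n 1
}

# A computer-account principal ends in '$@REALM'; that is the stale identity
# the failing join in the question was authenticating with.
is_machine_principal() {
    case "$1" in
        *'$@'*) return 0 ;;
        *)      return 1 ;;
    esac
}

rejoin() {
    current=$(klist 2>/dev/null | cache_principal)
    if [ -n "$current" ] && is_machine_principal "$current"; then
        echo "ticket cache holds machine principal $current; discarding it" >&2
    fi
    kdestroy 2>/dev/null || true              # drop whatever the cache held
    kinit "$ADMIN@$REALM" || return 1         # prompts for the admin password
    klist | cache_principal                   # show the admin TGT now in use
    net ads join -U "$ADMIN" || return 1      # creates a fresh machine account
    net ads testjoin                          # verify the new trust works
}

# Only perform the join when explicitly asked, e.g. `sh rejoin.sh --run`.
if [ "${1:-}" = "--run" ]; then rejoin; fi
```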

Do a quick experiment, change samba name in smb.conf to something else and try.

Konrads

Have you tried recreating your .tdb file with the smbpasswd command?

kmarsh

Have you tried running the "net ads leave" command prior to re-joining? It will probably fail on the AD part of it, since the computer account was already deleted on the AD side.

katriel

I did - it reported an error but did not provide any other information, nor did it affect the situation in any way. – Guss Sep 08 '09 at 16:11