Likewise AD Domain Join Breaks Every 7 Days

Posted by: thogan 6 years, 6 months ago

I have been using Likewise Open for a while to authenticate users against Active Directory on my Linux servers. For the most part it works great, and it is dead simple to set up.

Recently I have been building out a SLES 11 environment and ran into some trouble with Likewise authentication. I could join servers to the domain and everything would work great. Then, some time later, I would go to log in to the server only to get an "access denied" error.

Upon logging in as root on the console and running "domainjoin-cli query", I would get this output:

someserver:~ # domainjoin-cli query
Error: Lsass Error [code 0x00080047]
40022 (0x9C56) LW_ERROR_PASSWORD_MISMATCH - The password is incorrect for the given username

Searching for "LW_ERROR_PASSWORD_MISMATCH" turns up hardly any results. Most of the results I did get were just links to source code where that string is defined as a constant.

After quite a bit of log hunting and deduction, I was finally able to figure it out and correct the error. Read on for the solution.

One part of my new build-out is configuring Samba on every host by default. It turns out that Samba was changing the machine account password every 7 days. Likewise and Samba each keep their own copy of the machine account password in separate databases, so once Samba rotated the password on the domain controller, the copy Likewise held was no longer valid, and lsass failed to authenticate as the machine account. That is exactly the LW_ERROR_PASSWORD_MISMATCH error above: the "given username" is the computer account, and its password really is wrong from Likewise's point of view.

The fix was to edit smb.conf on each system and add "machine password timeout = 0" under the "[global]" section, which disables Samba's automatic password change. Then I simply restarted the smbd and winbindd daemons and re-joined the server to the domain so that Likewise's copy of the password matched the domain controller again. Two caveats: with the timeout at 0 the machine account password is rotated only if Likewise does it, and the re-join updates only Likewise's database, so Samba's own copy is now the stale one. If Samba on the host actually needs a working machine account for winbind-backed features, that side still has to be dealt with separately.
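The procedure from the last few paragraphs, as an added example script that is not from the original post: it reports the rotation interval Samba will use for a given smb.conf (falling back to Samba's documented default of 604800 seconds, i.e. 7 days, when the parameter is absent), sets "machine password timeout = 0" in [global] without duplicating an existing line, and then carries out the restart and re-join. The smb.conf path, the SLES 11 init script names (/etc/init.d/smb and /etc/init.d/winbind) and the domainjoin-cli invocation are assumptions for the apply_fix step; the config-editing functions work on any file you hand them.

```shell
#!/bin/sh
# Added example (not from the original post). Stops Samba from rotating the
# AD machine account password so that the copy held by Likewise stays valid.
# Assumptions: smb.conf lives at /etc/samba/smb.conf, SLES 11 sysvinit
# scripts are /etc/init.d/smb and /etc/init.d/winbind, and the host is
# re-joined with "domainjoin-cli join DOMAIN USER" (prompts for a password).

SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Print the effective "machine password timeout" in seconds for a config
# file. Samba ignores case and whitespace in parameter names, so
# "Machine Password Timeout" and "machinepasswordtimeout" are the same key.
# Only [global] (or lines before any section header) is considered.
mpt_seconds() {
    awk '
        /^[ \t]*[;#]/ { next }                       # comment line
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s); sect = s; next }
        /=/ {
            key = $0; sub(/=.*/, "", key); key = tolower(key); gsub(/[ \t]/, "", key)
            if (key == "machinepasswordtimeout" && (sect == "" || sect == "[global]")) {
                val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val); last = val
            }
        }
        END { if (last == "") print 604800; else print last }   # Samba default: 7 days
    ' "$1"
}

# Same value expressed in whole days (7 for the default).
mpt_days() {
    echo $(( $(mpt_seconds "$1") / 86400 ))
}

# Set "machine password timeout = 0" in [global]: replace an existing line,
# or insert one at the end of the [global] section; create [global] if the
# file has none. Writes via a temp file so a failed awk leaves smb.conf intact.
disable_mpt_rotation() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk -v line="   machine password timeout = 0" '
        /^[ \t]*\[/ {
            if (inglobal && !done) { print line; done = 1 }   # leaving [global]
            s = tolower($0); gsub(/[ \t]/, "", s)
            inglobal = (s == "[global]")
            if (inglobal) sawglobal = 1
            print; next
        }
        inglobal && !/^[ \t]*[;#]/ && /=/ {
            key = $0; sub(/=.*/, "", key); key = tolower(key); gsub(/[ \t]/, "", key)
            if (key == "machinepasswordtimeout") {
                if (!done) { print line; done = 1 }
                next                                          # drop the old setting
            }
        }
        { print }
        END {
            if (!sawglobal) { print "[global]"; print line }
            else if (inglobal && !done) print line           # [global] was last section
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# The full fix as run on a host: DOMAIN and USER are the join parameters.
apply_fix() {
    echo "Samba would rotate the machine password every $(mpt_days "$SMB_CONF") day(s)"
    disable_mpt_rotation "$SMB_CONF"
    echo "machine password timeout is now $(mpt_seconds "$SMB_CONF") seconds"
    /etc/init.d/smb restart
    /etc/init.d/winbind restart
    # Re-join so Likewise's stored machine password matches the DC again.
    domainjoin-cli join "$1" "$2"
    domainjoin-cli query
}

if [ "${1:-}" = "--apply" ]; then
    apply_fix "$2" "$3"
fi
```

Run it as "sh fix-mpt.sh --apply EXAMPLE.LOCAL joinuser" on the affected host; without "--apply" it only defines the functions, so you can source it and call mpt_days /etc/samba/smb.conf to check a host before touching it.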

The hard part was determining why the machine account password was changing in the first place. After digging through Event Viewer on the domain controller for a while, I found the events for the machine password change in the Windows Security log under task category "Computer Account Management" (on Windows Server 2008 and later these are event ID 4742, "A computer account was changed").

After figuring out what events related to the join breaking I was able to see that they were all 7 days apart. After then searching for "machine account password 7 days" I was able to find a reference to the samba configuration parameter for "machine password timeout". The default value for that parameter is, you guessed it, 7 days!
