[Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable

Brian Campbell lambda at editshare.com
Mon Oct 22 13:01:01 MDT 2012 

I'm not an expert in this, but I do know that one major cause of
Kerberos issues is clock skew. And that would explain the problem
kicking in suddenly when you've never seen it before. If the clocks
recently got out of sync with each other, you'd suddenly start hitting
mysterious problems.

Can you try checking the date and time on all of your machines,
including the Active Directory machines, and make sure that they
match?

-- Brian

On Mon, Oct 22, 2012 at 2:51 PM, Robert M. Martel - CSU
<r.martel at csuohio.edu> wrote:
> Greetings,
>
> More responding to my own thread - but no solution in sight.
>
> Still having the problem with Samba 3.5.18.  New and different error message
> from net ads testjoin:
>
> #webdevel#  net ads testjoin
> [2012/10/22 14:23:07.317109,  0] libads/kerberos.c:333(ads_kinit_password)
>   kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
> credentials have been revoked
> [2012/10/22 14:23:07.353280,  0] libads/kerberos.c:333(ads_kinit_password)
>   kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
> credentials have been revoked
> Join to domain is not valid: Access denied
>
>
> The Active Directory admins are still saying that they have not changed
> anything on their side.
>
>
>
>
> On 10/22/2012 11:48 AM, Robert M. Martel - CSU wrote:
>>
>> Greetings,
>>
>> something to add.
>>
>> Had one of the Solaris 9 machines just stop working.  I stopped samba
>> and restarted it, found the following in smblog.smbd
>>
>> [2012/10/22 11:37:00.299787,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
>>    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
>> credentials
>>
>> I removed the machine from Active Directory and immediately re-added it
>> - I did NOT run kinit to get new credentials.  started Samba and the
>> machine works fine...for now.
>>
>>
>> On 10/22/2012 11:29 AM, Robert M. Martel - CSU wrote:
>>>
>>> Greetings,
>>>
>>> I have an elderly installation of Samba 3.5.8 running on 10 Sparc
>>> servers (and 3.5.12 on Solaris 9 servers with the same issue)  set up as
>>> Active Directory member servers.  Since we've laid-off everyone else
>>> around here I have not had the opportunity to update the Samba
>>> installation - and have not needed to as it has been very solid.
>>>
>>> Suddenly last Friday the Samba servers started having authentication
>>> problems for the active directory users.  Users were unable to map
>>> drives, looking at files on the server I was seeing UID numbers rather
>>> that the user's login ID for the files.  Stopping and restarting Samba
>>> did not help.
>>>
>>> I took the machines out of Active Directory, and then re-added them -
>>> which they did without a problem.  After restarting Samba all was well,
>>> for awhile.
>>>
>>> This morning some folks that had left themselves looked in over the
>>> weekend were okay, but others could not map their drives.  interactive
>>> logins for AD users did not work.  I again left and rejoined the AD
>>> domain and all was well for a bit, then I had to repeat the cycle.
>>>
>>> I do not maintain or have access to the Active Directory servers or
>>> configuration.  The central IT people claim that they have not made any
>>> changes to the AD servers...but they don't always tell me the whole
>>> truth.
>>>
>>> I am building Samba 3.5.18 right now in the hope that it will make a
>>> difference.
>>>
>>> I've never had a problem like this since first "playing" with Samba and
>>> Active directory more than 5 years ago - and certainly no issue like
>>> this since putting it into production.
>>
>>
>
> --
> ***********************************************************************
> Robert M. Martel                 I met someone who looks a lot like you
> System Administrator             She does the things you do
> Levin College of Urban Affairs   But she is an IBM
> Cleveland State University                           -Jeff Lynne
> (216) 687-2214
> r.martel at csuohio.edu
> ***********************************************************************
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list