[Samba] Samba AD member lost domain join after reboot

Rowland penny rpenny at samba.org
Tue Jun 7 10:57:37 UTC 2016


On 07/06/16 10:13, Alexis RIES wrote:
> Yes, the /etc/krb5.keytab file is created at domain join.
>
> I just noticed that it's not only after a reboot I have this problem.
> I lost the domain join on my first SMB server, which has not been restarted.
>
> Note that I use Cluster Mode (CTDB), but the problem is the same when 
> I remove the cluster configuration.
>
> Attached are the requested files.
>
>
> Thank you,
> Alexis.
>
>
>
> On 07/06/2016 09:43, Rowland penny wrote:
>> On 07/06/16 07:31, Alexis RIES wrote:
>>> Hi, attached are my smb.conf and Winbind debug log after reboot.
>>> My OS is Debian Jessie and has a fixed ip.
>>>
>>> Thank you
>>>
>>> On 06/06/2016 22:05, Rowland penny wrote:
>>>> On 06/06/16 14:52, Alexis RIES wrote:
>>>>> Hello,
>>>>>
>>>>> After each reboot, my Samba AD member server loses its domain join, 
>>>>> and I have to re-enter the server in the domain with 
>>>>> "net ads join -U administrator".
>>>>>
>>>>> I use version 4.4.3 of samba.
>>>>> The domain controller is a Samba AD server.
>>>>>
>>>>> After reboot, when I execute "net ads testjoin" I get:
>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed 
>>>>> Preauthentication
>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed 
>>>>> Preauthentication
>>>>> Join to domain is not valid: Logon failure
>>>>>
>>>>> And when I execute "wbinfo -t":
>>>>> checking the trust secret for domain SAMDOM via RPC calls failed
>>>>> wbcCheckTrustCredentials (SAMDOM): error code Was 
>>>>> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>>>>> Could not check secret
>>>>>
>>>>
>>>> Hi, can you post your smb.conf from the domain member.
>>>> What OS ?
>>>> Does the domain member have a fixed ip or does it use DHCP ?
>>>>
>>>> Rowland
>>>>
>>>>
>>>
>>>
>>>
>>
>> OK, it should work, but can I suggest a few changes to your smb.conf:
>>
>> concatenate 'vfs objects = fileid' and 'vfs objects = acl_xattr full_audit', 
>> i.e. make it 'vfs objects = fileid acl_xattr full_audit'
>>
>> Remove all the 'valid users' etc and use ACLs instead, you can set 
>> these from windows or with setfacl.
>>
>> add 'ldap server require strong auth = No'
>>
>> If you are actually using '.local' and avahi is running, I suggest 
>> you turn it off.
>>
>> Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf
>>
>> Finally is /etc/krb5.keytab being created by the join ?
>>
>> Rowland
>
>
>

Everything looks ok, do you have all these packages installed:

libpam-winbind libnss-winbind libpam-krb5

What are the permissions on /etc/krb5.keytab?

You could try adding this line to smb.conf:

username map = /etc/samba/samba_usermapping

Then create /etc/samba/samba_usermapping with this content:

!root = SAMDOM\Administrator SAMDOM\administrator

Obviously you can put the usermapping file anywhere and replace 'SAMDOM' 
with your NetBIOS domain name.

Rowland
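Put together, the smb.conf changes Rowland suggests across his two messages (one merged 'vfs objects' line, no 'valid users', and a 'username map') look like the fragment below. This is an added illustration, not the poster's attached smb.conf and not a file from the Samba project; the share name 'data', its path, and the 'workgroup'/'realm' values (reusing the SAMDOM / AD.SAMDOM.LOCAL names from the error output) are placeholders.

```ini
# Added example: a member-server smb.conf fragment, not the poster's file.
# Share name, path, workgroup and realm are placeholders.

# --- Before (as described in the thread) ---
# A parameter that appears twice in the same section keeps only the last
# value, so with two 'vfs objects' lines the 'fileid' module silently drops out.
#[data]
#    path = /srv/samba/data
#    vfs objects = fileid
#    vfs objects = acl_xattr full_audit
#    valid users = @"SAMDOM\Domain Users"

# --- After: one merged line, access controlled by ACLs instead ---
[global]
    workgroup = SAMDOM
    realm = AD.SAMDOM.LOCAL
    security = ADS
    # Map the domain Administrator to root so it can set share ACLs
    # from Windows; the mapping file is the one-liner given above.
    username map = /etc/samba/samba_usermapping

[data]
    path = /srv/samba/data
    read only = no
    # fileid, acl_xattr and full_audit all loaded, in this order
    vfs objects = fileid acl_xattr full_audit
```

Two caveats worth knowing before copying this. First, dropping 'valid users' only works once real ACLs are in place: with 'acl_xattr' loaded, set them either from the Windows security tab as the mapped Administrator or locally with setfacl, and check the result with getfacl. Second, Rowland's 'ldap server require strong auth = No' is deliberately not in the fragment: according to smb.conf(5) that parameter governs the LDAP server built into a Samba AD DC, so it belongs in the DC's smb.conf and has no effect on a plain member server.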

