Active Directory join gets lost when restarting Samba after 30 days - Samba 3.4.9
Rene Weber
web_rene at gmx.de
Wed Jan 18 07:40:53 MST 2012
Hi there,
I hope one of you can help me. I have already spent several days on
Google and in different forums without any results.
I have several machines being joined to Win2003 or Win2008 Active
Directories ( test environments ) using Samba Version 3.4.9 with Winbind.
After having joined by setting up my Config, using 'kinit' and 'net ads
join', it is possible to list AD Users and Groups using 'wbinfo -u' and
'wbinfo -g' without any problems.
These Users can now be defined as 'valid users' in our samba share
config, which is actually the only purpose we need it for.
After these steps, everything looks fine, but after a certain amount of
time we run into a Problem:
When restarting Samba after it was joined and has worked for about 1 Month
( 1 Week is not enough ), we do not receive AD users or groups by
executing 'wbinfo'.
I checked the Logs and found message 'Pre-Authentication failed' in my
Samba Logfiles.
On our Domain Controller's event log, I get
- Event ID 5722: Permission denied
- Event ID 4625: Logon Failure - Username is correct but Password is not
valid
Actually, I thought this machine would authenticate using the Machine
password once it has joined? Furthermore, I thought Samba tries to change
the machine password once a week by default ( machine password timeout =
604800 ).
For making the machine list all users again, I need to do a full 'net ads
join' using an administrator account and password...
Any Ideas or suggestions? Am I missing something in my Config?
smb.conf
---------
bind interfaces only = false
client schannel = no
create mask = 0644
directory mask = 0777
disable spoolss = yes
display charset = UTF-8
dns proxy = no
domain master = no
dos charset = 437
encrypt passwords = yes
kernel change notify = no
load printers = no
local master = no
log file = /var/log/samba/%m
map to guest = Bad User
max log size = 1000
os level = 20
password server = dc1.mydomain.intra
preferred master = no
printcap name = /dev/null
printing = bsd
realm = mydomain.intra
security = ADS
server string = server1
show add printer wizard = no
syslog = 0
syslog only = no
template shell = /bin/bash
unix charset = UTF-8
winbind cache time = 1
winbind separator = /
wins server =
workgroup = mydomain
idmap uid = 10000-10000000
idmap gid = 10000-10000000
directory mask = 0777
allow trusted domains = no
passdb backend = tdbsam
winbind offline logon = false
krb5.conf
----------
[libdefaults]
default_realm = MYDOMAIN.INTRA
renew_lifetime = 6d
kdc_timesync = 1
forwardable = yes
dns_lookup_kdc = no
dns_lookup_realm = yes
[realms]
MYDOMAIN.INTRA = {
kdc = dc1.mydomain.intra
default_domain = mydomain
}
[domain_realm]
.mydomain.intra = MYDOMAIN.INTRA
mydomain.intra = MYDOMAIN.INTRA
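A way to check the assumption in the post that winbind rotates the machine password every 604800 seconds, added here as an example; it is not code from the original post or from Samba. It assumes that 'net ads status' prints the computer object's attributes as 'attr: value' lines including 'pwdLastSet' (a Windows FILETIME), reads 'machine password timeout' from smb.conf (falling back to Samba's default of 604800), and reports when the password the DC holds is older than the configured rotation window. The sample inputs are constructed.

```python
# Added example, not from the original post or from Samba itself.
# Checks whether the DC-side machine account password is actually being
# rotated, using pwdLastSet from 'net ads status' (assumed format
# 'pwdLastSet: <FILETIME>') and 'machine password timeout' from smb.conf.
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_TIMEOUT = 604800  # Samba default 'machine password timeout' (7 days)

# Constructed sample inputs: pwdLastSet is 2011-12-01 00:00:00 UTC as FILETIME;
# smb.conf mirrors the poster's (no explicit timeout, so the default applies).
NET_ADS_STATUS_SAMPLE = "sAMAccountName: SERVER1$\npwdLastSet: 129671712000000000\n"
SMB_CONF_SAMPLE = "security = ADS\nrealm = mydomain.intra\nworkgroup = mydomain\n"

def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def machine_password_timeout(smb_conf: str) -> int:
    """'machine password timeout' in seconds from smb.conf, or Samba's default."""
    for line in smb_conf.splitlines():
        m = re.match(r"\s*machine\s+password\s+timeout\s*=\s*(\d+)\s*$", line, re.I)
        if m:
            return int(m.group(1))
    return DEFAULT_TIMEOUT

def pwd_last_set(net_ads_status: str) -> datetime:
    """Time at which the DC last recorded a machine password change."""
    m = re.search(r"^pwdLastSet:\s*(\d+)\s*$", net_ads_status, re.M)
    if not m:
        raise ValueError("pwdLastSet not found in 'net ads status' output")
    return filetime_to_datetime(int(m.group(1)))

def rotation_overdue(net_ads_status: str, smb_conf: str, now: datetime,
                     grace: float = 2.0) -> bool:
    """True when the password on the DC is older than grace * timeout.
    A timeout of 0 disables rotation in Samba, so nothing is ever overdue."""
    timeout = machine_password_timeout(smb_conf)
    if timeout == 0:
        return False
    return now - pwd_last_set(net_ads_status) > timedelta(seconds=timeout * grace)

if __name__ == "__main__":
    now = datetime(2012, 1, 18, tzinfo=timezone.utc)  # date of the post
    age = now - pwd_last_set(NET_ADS_STATUS_SAMPLE)
    print(f"machine password age {age.days} days, "
          f"overdue={rotation_overdue(NET_ADS_STATUS_SAMPLE, SMB_CONF_SAMPLE, now)}")
```

If the age keeps growing past the timeout while winbind is running, the client is not changing the password on the DC at all; if it resets regularly but the join still breaks on restart, the client-side secret and the DC copy have diverged instead.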
More information about the samba-technical
mailing list