Active Directory join gets lost when restarting Samba after 30 days - Samba 3.4.9

Rene Weber web_rene at
Wed Jan 18 07:40:53 MST 2012

Hi there,

I hope someone of you can help me. I have already spent several days on  
google and in different forums without any results.

I have several machines beeing joined to Win2003 or Win2008 Active  
directories ( test environments ) using Samba Version 3.4.9 with Winbind.

After having joined by setting up my Config, using 'kinit' and 'net ads  
join', it is possible to list AD Users and Groups using 'wbinfo -u' and  
'wbinfo -g' without any problems.
These Users can now be defined as as 'valid users' in our samba share  
config, which is actually the only purpose we need it for.

After these steps, everthings looks fine but after a serveral amount of  
time we run into a Problem:

When restarting Samba after it was joined and has worked for about 1 Month  
( 1 Week is not enough ), we do not receive AD users nor groups by  
executing 'wbinfo'.
I checked the Logs and found message 'Pre-Authentication failed' in my  
Samba Logfiles.
On our Domaincontrollers eventlog, I get
  - Event ID 5722: Permission denied
  - Event ID 4625: Logon Failure - Username is correct but Password is not  

Actually, I thought, this machine would authenticate using the Machine  
password once it has joined? Furthermore I thought Samba tries to change  
the machine password once a week by default ( machine password timeout =  
604800 ).

For making the machine list all users again, I need to do a full 'net ads  
join' using an administrator account and password...

Any Ideas or suggestions?? Am I missing something in my Config?


	bind interfaces only = false
	client schannel = no
	create mask = 0644
	directory mask = 0777
	disable spoolss = yes
	display charset = UTF-8
	dns proxy = no
	domain master = no
	dos charset = 437
	encrypt passwords = yes
	kernel change notify = no
	load printers = no
	local master = no
	log file = /var/log/samba/%m
	map to guest = Bad User
	max log size = 1000
	os level = 20
	password server = dc1.mydomain.intra
	preferred master = no
	printcap name = /dev/null
	printing = bsd
	realm = mydomain.intra	
	security = ADS
	server string = server1
	show add printer wizard = no
	syslog = 0
	syslog only = no
	template shell = /bin/bash
	unix charset = UTF-8
	winbind cache time = 1
	winbind separator = /
	wins server =
	workgroup = mydomain
	idmap uid = 10000-10000000
	idmap gid = 10000-10000000
	directory mask = 0777
	allow trusted domains = no
	passdb backend = tdbsam
	winbind offline logon = false


     default_realm = MYDOMAIN.INTRA
     renew_lifetime = 6d
     kdc_timesync = 1
     forwardable = yes
     dns_lookup_kdc = no
     dns_lookup_realm = yes
                            kdc = dc1.mydomain.intra
                            default_domain = mydomain

     .mydomain.intra = MYDOMAIN.INTRA
     mydomain.intra  = MYDOMAIN.INTRA

More information about the samba-technical mailing list