File Server Cluster doesn't authenticate to AD
GiangCoi Mr
ltrgiang86 at gmail.com
Fri Jun 16 08:30:31 UTC 2017
Hi Team
My diagram:
File krb5.conf on both file servers:
vim /etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = GIANG.LOCAL
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# default_realm = EXAMPLE.COM
#
[realms]
GIANG.LOCAL = {
default_domain = giang.local
kdc = ad1.giang.local
admin_server = ad1.giang.local
}
#
[domain_realm]
.giang.local = GIANG.LOCAL
giang.local = GIANG.LOCAL
---------------------------------------
File nsswitch.conf
passwd: files winbind
shadow: files
group:  files winbind
----------------------------------------
File smb.conf
[global]
clustering = yes
private dir = /data/lock
log file = /var/log/samba/log.%m
max log size = 50
workgroup = GIANG
realm = GIANG.LOCAL
security = ads
password server = *
#password server = ad1.giang.local
domain master = no
local master = no
preferred master = no
template homedir = /home/%D/%U
template shell = /sbin/nologin
winbind use default domain = yes
winbind nested groups = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config GIANG:range = 100000-200000
idmap config GIANG:backend = rid
idmap config * : range = 100000-200000
idmap config * : backend = tdb
------------------------------------------------------
When I run the command to join on File01.giang.local, it's OK:
net join -w GIANG -S ad1.giang.local -U administrator
Enter administrator's password:
Using short domain name -- GIANG
Joined 'FILE1' to dns domain 'giang.local'
Not doing automatic DNS update in a clustered setup.
And then I run the command
net ads testjoin
Join is OK
When I run this command to join on File02.giang.local, it's OK, the same as on
file01.giang.local. But when I then run "net ads testjoin" on file01.giang.local, it
gives errors:
[root@file01 ~]# net ads testjoin
kerberos_kinit_password FILE01$@GIANG.LOCAL failed: Preauthentication failed
kerberos_kinit_password FILE01$@GIANG.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
At the same time, only one of File01 or File02 can be joined. How do I configure
it so that both File01 and File02 can be joined to AD1.giang.local concurrently?
Please help me to fix this issue. Thanks.
Regards,
Giang
[Attachment scrubbed from the list archive: Untitled.jpg, image/jpeg, 26914 bytes: <http://lists.samba.org/pipermail/samba-technical/attachments/20170616/6d18f250/Untitled.jpg>]
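The symptom above (node A reports "Join is OK" until node B joins, after which node A's machine-account kinit fails with "Preauthentication failed") is what you see when two hosts present the same AD computer account but do not share the stored machine password: the account has exactly one password in AD, `net join` sets a new one, and whichever node still holds the old one can no longer authenticate. The script below is an added triage helper, not part of the original post and not Samba project code. It classifies `net ads testjoin` output, compares a SHA-256 fingerprint of the machine-account record from each node's secrets.tdb (so the secret itself is never printed), and states which of the two situations applies. Assumptions: the nodes use the same computer account; `tdbdump` from tdb-tools is installed for the live check; the secrets.tdb key name `SECRETS/MACHINE_PASSWORD/<WORKGROUP>` is the one Samba uses; the path /data/lock/secrets.tdb follows from `private dir = /data/lock` in the smb.conf above. The sample outputs embedded at the bottom are constructed to match the post.

```shell
#!/bin/sh
# Added example (not from the original post, not Samba's own tooling).
# Triage for "only one cluster node stays joined": classify
# `net ads testjoin` output per node and compare the machine-account
# secret each node actually holds.

# classify_testjoin: read `net ads testjoin` output on stdin and print
# one of: ok / stale-machine-password / failed.
# "Preauthentication failed" is the KDC rejecting the password that
# winbind presented for <HOST>$, i.e. the stored secret is out of date.
classify_testjoin() {
    out=$(cat)
    case "$out" in
        *"Join is OK"*)                 echo ok ;;
        *"Preauthentication failed"*)   echo stale-machine-password ;;
        *)                              echo failed ;;
    esac
}

# machine_secret_fingerprint DB WORKGROUP: SHA-256 of the
# SECRETS/MACHINE_PASSWORD/<WORKGROUP> record in secrets.tdb (assumed
# key name), so two nodes can be compared without exposing the secret.
# Requires tdbdump (tdb-tools). Live use only; not run by the demo below.
machine_secret_fingerprint() {
    db=$1; workgroup=$2
    tdbdump "$db" | awk -v key="SECRETS/MACHINE_PASSWORD/$workgroup" '
        /^key\(/  { inkey = index($0, key) > 0 }
        inkey && /^data\(/ { print; exit }
    ' | sha256sum | cut -d" " -f1
}

# compare_fingerprints A B: "shared" when both nodes hold the same
# secret, "diverged" when each node has its own copy (the last `net join`
# rotated the account password and the other node kept the old one).
compare_fingerprints() {
    if [ "$1" = "$2" ]; then echo shared; else echo diverged; fi
}

# diagnose_pair STATUS_A STATUS_B: interpret the two testjoin results,
# given that both nodes use the same computer account.
diagnose_pair() {
    case "$1:$2" in
        ok:ok)
            echo "both nodes hold the current machine password" ;;
        ok:stale-machine-password|stale-machine-password:ok)
            echo "last join rotated the account password; the nodes are not sharing secrets.tdb, so only the last node to join can authenticate" ;;
        *)
            echo "neither node can authenticate; check DNS, time sync and KDC reachability before re-joining" ;;
    esac
}

# --- Demo on constructed sample output (matches what the post shows) ---
# Live equivalent, run on each node:
#   net ads testjoin 2>&1 | classify_testjoin
#   machine_secret_fingerprint /data/lock/secrets.tdb GIANG
sample_file01='kerberos_kinit_password FILE01$@GIANG.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure'
sample_file02='Join is OK'

status_file01=$(printf '%s\n' "$sample_file01" | classify_testjoin)
status_file02=$(printf '%s\n' "$sample_file02" | classify_testjoin)
echo "file01: $status_file01"
echo "file02: $status_file02"
diagnose_pair "$status_file01" "$status_file02"
```

A "diverged" fingerprint confirms the two nodes each keep a private copy of the machine password. With `clustering = yes`, Samba keeps secrets.tdb as a CTDB persistent database, so both nodes must be members of the same CTDB cluster for a single `net join` to serve them; joining separately from each node, each with its own copy, will always leave one of them with a stale password.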