File Server Cluster don't authenticate AD

L.P.H. van Belle belle at bazuin.nl
Fri Jun 16 08:56:09 UTC 2017


Hi,

First, this is more a question for the "normal" samba list, not samba-technical. 

You have some errors in your setup, did you follow the wiki? 
This is wrong: 
idmap config GIANG:range = 100000-200000 
idmap config GIANG:backend = rid 
idmap config * : range = 100000-200000 
idmap config * : backend = tdb 
These ranges may not overlap.

You joined with: 
> net join -w GIANG -S ad1.giang.local -U administrator
I hope you meant
net ads join -w GIANG -S ad1.giang.local -U administrator


Based on this I assume you did not read the wiki.
I suggest you check your server setup based on: 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
You may have more errors in your setup. 
And I think it's also good to re-check your AD DC based on the link: 
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Tip: after you have joined an extra DC or any member, reboot the server.
This helps in avoiding some strange problems, like no DNS record being created at domain join.
(A few small bugs, but the devs are working on these.)



Greetz, 

Louis

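The point about the idmap ranges is easy to get wrong by hand, so here is an added example (not code from this thread or from the Samba project) that parses the `idmap config ... : range = LOW-HIGH` lines out of an smb.conf and reports any two domains, including the `*` default domain, whose ranges intersect. The two config snippets embedded in it are constructed for the example: one copies the overlapping ranges quoted in this thread, the other uses disjoint ranges in the style of the Samba wiki.

```python
"""Check smb.conf idmap ranges for overlap.

Samba requires the '*' default range and every per-domain range to be
disjoint.  This is an added example, not Samba's own code.
"""
import re
from itertools import combinations

# Matches e.g.  "idmap config GIANG:range = 100000-200000"
#           or  "idmap config * : range = 100000-200000"
_RANGE_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<low>\d+)\s*-\s*(?P<high>\d+)$",
    re.IGNORECASE,
)

# Constructed sample: the overlapping ranges quoted in this thread.
BROKEN_CONF = """
[global]
   workgroup = GIANG
   security = ads
   idmap config GIANG:range = 100000-200000
   idmap config GIANG:backend = rid
   idmap config * : range = 100000-200000
   idmap config * : backend = tdb
"""

# Constructed sample: disjoint ranges (wiki-style values, assumed here).
FIXED_CONF = """
[global]
   workgroup = GIANG
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config GIANG : backend = rid
   idmap config GIANG : range = 10000-999999
"""


def parse_idmap_ranges(smb_conf: str) -> dict:
    """Return {domain: (low, high)} for every idmap range line in the text.

    Comment lines (leading '#' or ';') are ignored; a reversed range such
    as 200000-100000 is rejected outright.
    """
    ranges = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _RANGE_RE.match(line)
        if not m:
            continue
        low, high = int(m["low"]), int(m["high"])
        if low > high:
            raise ValueError(f"idmap range for {m['dom']} is reversed: {low}-{high}")
        ranges[m["dom"]] = (low, high)
    return ranges


def find_overlaps(ranges: dict) -> list:
    """Return a sorted list of (domain_a, domain_b) pairs whose ranges intersect.

    Two closed intervals intersect when each one starts no later than the
    other one ends; adjacent ranges (3000-7999 and 8000-9999) do not.
    """
    overlaps = []
    for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(sorted(ranges.items()), 2):
        if a_lo <= b_hi and b_lo <= a_hi:
            overlaps.append((a, b))
    return overlaps


def report(smb_conf: str) -> str:
    """Human-readable summary for one config text."""
    ranges = parse_idmap_ranges(smb_conf)
    bad = find_overlaps(ranges)
    if not bad:
        return "idmap ranges OK: " + ", ".join(f"{d}={lo}-{hi}" for d, (lo, hi) in sorted(ranges.items()))
    return "OVERLAP: " + "; ".join(f"{a} {ranges[a]} vs {b} {ranges[b]}" for a, b in bad)


if __name__ == "__main__":
    print(report(BROKEN_CONF))
    print(report(FIXED_CONF))
```

Run it against a real smb.conf with `parse_idmap_ranges(open("/etc/samba/smb.conf").read())`; the reversed-range check matters because Samba treats such a range as empty and winbind then silently fails to map any SID from that domain.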

> -----Original message-----
> From: samba-technical 
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of 
> GiangCoi Mr via samba-technical
> Sent: Friday 16 June 2017 10:31
> To: Samba Technical
> Subject: File Server Cluster don't authenticate AD
> 
> Hi Team
> 
> My diagram:
> 
> File krb5.conf on both file servers
> vim /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = GIANG.LOCAL
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
> # default_realm = EXAMPLE.COM
>    #
> [realms]
>   GIANG.LOCAL = {
>      default_domain = giang.local
>      kdc = ad1.giang.local
>      admin_server = ad1.giang.local
>   }
>                 #
> [domain_realm]
>   .giang.local = GIANG.LOCAL
>   giang.local = GIANG.LOCAL
> ---------------------------------------
> File nsswitch.conf
> passwd: files winbind
> shadow: files
> group: files winbind
> 
> ----------------------------------------
> File smb.conf
> [global]
>    clustering = yes
>    private dir = /data/lock
>    log file = /var/log/samba/log.%m
>    max log size = 50
>    workgroup = GIANG
>    realm = GIANG.LOCAL
>    security = ads
>    password server = *
>    #password server = ad1.giang.local
>    domain master = no
>    local master = no
>    preferred master = no
>    template homedir = /home/%D/%U
>    template shell = /sbin/nologin
>    winbind use default domain = yes
>    winbind nested groups = yes
>    winbind enum users = Yes
>    winbind enum groups = Yes
>    winbind use default domain = Yes
>    winbind refresh tickets = Yes
>    winbind offline logon = Yes
>    idmap config GIANG:range = 100000-200000
>    idmap config GIANG:backend = rid
>    idmap config * : range = 100000-200000
>    idmap config * : backend = tdb
> ------------------------------------------------------
> 
> When I run the command to join on File01.giang.local, it's OK:
> 
> net join -w GIANG -S ad1.giang.local -U administrator
> 
> Enter administrator's password:
> 
> Using short domain name -- GIANG
> 
> Joined 'FILE1' to dns domain 'giang.local'
> 
> Not doing automatic DNS update in a clustered setup.
> 
> And I run the command
> 
> net ads testjoin
> 
> Join is OK
> 
> 
> When I run this command to join on File02.giang.local, it's OK, the same
> as on file01.giang.local. But when I run "net ads testjoin" on
> file01.giang.local, it has errors:
> 
> [root at file01 ~]# net ads testjoin
> kerberos_kinit_password FILE01$@GIANG.LOCAL failed: Preauthentication failed
> kerberos_kinit_password FILE01$@GIANG.LOCAL failed: Preauthentication failed
> Join to domain is not valid: Logon failure
> 
> 
> At the same time, only File01 or File02 can join. How do I configure it
> so that both File01 and File02 can be joined to AD1.giang.local
> concurrently?
> 
> Please help me to fix this issue. Thanks
> 
> 
> Regards,
> 
> Giang
> 
> 