[Samba] Samba domain member losing membership

Andrew Bartlett abartlet at samba.org
Fri Nov 16 03:15:20 MST 2012

On Fri, 2012-11-16 at 15:49 +1030, Andrew Galdes wrote:
> Hello all,
> I've recently posted here for help with a Samba domain member system which
> seems to lose its domain membership. I want to discuss it a little more. I
> have more information. I'm after comments and suggestions for
> troubleshooting. Also, I say "loses membership" but I don't really know if
> it has lost it. Just doesn't work anymore until I re-join the Samba system
> to the domain.
> I have noticed this behaviour with two sites (installations) now. Both are
> CentOS systems with Samba versions as follows:
> samba-*-3.5.10-125.el6.x86_64
> samba-*-3.5.10-115.el6_2.x86_64
> I successfully join these systems to Active Directory domains (2008 R2
> DCs) using the following command. The system can then do as I need and
> "wbinfo" works:
> net join -U Administrator%MyPass
> After some time the Samba servers will stop functioning as expected and
> users will get 'access denied' errors. "wbinfo" stops working.
> Some error messages:
> LOG FILE: "/var/log/samba/log.wb-MYDOM"
> [2012/11/12 13:20:43.338947,  0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
>   Kinit failed: Preauthentication failed
> [2012/11/12 13:20:43.459457,  2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
>   NTLM CRAP authentication for user [MYDOM]\[myuser] returned
> Notice Kinit in the above error. I have not configured Kerberos at this
> point.
> I have not identified consistent time intervals for these 'drop-outs'. I
> have not updated (YUM) these systems between the joining and dropping from
> the domains.
> What might cause this?

What causes this is when we change our domain membership password
and the connection to the DC we change against times out.  There is a
patch in later releases for this (gives a longer timeout).

The issue is, this takes longer than we allow, so we think it failed,
but it actually succeeded, and so we lose our membership.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
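
Added example (not part of the original thread and not Samba code): a small Python scan of a winbind log for the `Kinit failed: Preauthentication failed` record quoted above, reporting how often and when it was logged so the start of the outage can be dated. The sample log is constructed from the quoted excerpt with its wrapped header lines re-joined, plus one repeat at a made-up time; the function names are this example's own.

```python
import re
from datetime import datetime

# Header of a Samba 3.x log record: "[date time.usec,  level] file.c:line(function)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*(\d+)\]\s+(\S+:\d+)\((\w+)\)\s*$")
MARKER = "Kinit failed: Preauthentication failed"

# Constructed sample: the two records quoted in the post with header lines
# re-joined, plus a repeat of the first record at a made-up later time.
SAMPLE_LOG = """\
[2012/11/12 13:20:43.338947,  0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
  Kinit failed: Preauthentication failed
[2012/11/12 13:20:43.459457,  2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [MYDOM]\\[myuser] returned
[2012/11/12 13:25:10.000000,  0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
  Kinit failed: Preauthentication failed
"""


def parse_records(text):
    """Split log text into records: one header line plus its message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append({"time": when, "level": int(m.group(2)),
                            "source": m.group(3), "function": m.group(4),
                            "message": ""})
        elif records and line.strip():
            # Indented continuation line: belongs to the most recent header.
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + line.strip()).strip()
    return records


def summarize_kinit_failures(text):
    """Count the preauthentication failures and give first and last time seen."""
    hits = [r["time"] for r in parse_records(text) if MARKER in r["message"]]
    if not hits:
        return {"count": 0, "first": None, "last": None}
    return {"count": len(hits), "first": min(hits), "last": max(hits)}
```

On the member itself, `wbinfo -t` or `net ads testjoin` checks whether the stored trust secret is still accepted by the DC.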

