[Samba] Samba domain member losing membership

Andrew Galdes andrew.galdes at agix.com.au
Sat Nov 17 00:42:30 MST 2012


Thanks. I've updated to the latest version and so far so good. But time
will tell in this case.

Thanks a lot for your help.

-Andrew Galdes


On Fri, Nov 16, 2012 at 8:45 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2012-11-16 at 15:49 +1030, Andrew Galdes wrote:
> > Hello all,
> >
> > I've recently posted here for help with a Samba domain member system which
> > seems to lose its domain membership. I want to discuss it a little more. I
> > have more information. I'm after comments and suggestions for
> > troubleshooting. Also, I say "loses membership" but I don't really know if
> > it has lost it. Just doesn't work anymore until I re-join the Samba system
> > to the domain.
> >
> > I have noticed this behaviour with two sites (installations) now. Both are
> > CentOS systems with Samba versions as follows:
> >
> > samba-*-3.5.10-125.el6.x86_64
> > samba-*-3.5.10-115.el6_2.x86_64
> >
> > I successfully join these systems to Active Directory domains (2008 r2
> > DCs) using the following command. The system can then do as I need and
> > "wbinfo" works:
> >
> > net join -U Administrator%MyPass
> >
> > After some time the Samba servers will stop functioning as expected and
> > users will get 'access denied' errors. "wbinfo" stops working.
> >
> > Some error messages:
> >
> > LOG FILE: "/var/log/samba/log.wb-MYDOM"
> >
> > [2012/11/12 13:20:43.338947,  0]
> > libsmb/cliconnect.c:1052(cli_session_setup_spnego)
> >   Kinit failed: Preauthentication failed
> > [2012/11/12 13:20:43.459457,  2]
> > winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
> >   NTLM CRAP authentication for user [MYDOM]\[myuser] returned
> > NT_STATUS_ACCESS_DENIED (PAM: 4)
> >
> > Notice Kinit in the above error. I have not configured Kerberos at this
> > point.
> >
> > I have not identified consistent time intervals for these 'drop-outs'. I
> > have not updated (YUM) these systems between the joining and dropping from
> > the domains.
> >
> > What might cause this?
>
> What causes this is that when we change our domain membership password,
> the connection to the DC we change against times out.  There is a
> patch in later releases for this (gives a longer timeout).
>
> The issue is, this takes longer than we allow, so we think it failed,
> but it actually succeeded, and so we lose our membership.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
>


-- 
-Andrew Galdes
Managing Director

RHCSA, LPI, CCENT

AGIX Linux

Ph: 08 7324 4429
Mb: 0422 927 598

Site: http://www.agix.com.au
Twitter: http://twitter.com/agixlinux
LinkedIn: http://au.linkedin.com/in/andrewgaldes
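
As an added example (not part of the thread and not Samba code), here is a log check for the symptom pair quoted above from log.wb-MYDOM: a `Kinit failed: Preauthentication failed` entry followed shortly by `NT_STATUS_ACCESS_DENIED`. The function names, the 60-second correlation window and the sample log are constructed for illustration; the parser accepts the source location on the header line or on the following line, as in the wrapped excerpt.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the log.wb-MYDOM excerpt quoted in the thread.
SAMPLE_LOG = r"""
[2012/11/12 09:02:11.120034,  2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [MYDOM]\[other] returned
  NT_STATUS_ACCESS_DENIED (PAM: 4)
[2012/11/12 13:20:43.338947,  0]
libsmb/cliconnect.c:1052(cli_session_setup_spnego)
  Kinit failed: Preauthentication failed
[2012/11/12 13:20:43.459457,  2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [MYDOM]\[myuser] returned
  NT_STATUS_ACCESS_DENIED (PAM: 4)
"""

# Entry header: "[YYYY/MM/DD HH:MM:SS.usec,  level]", location on the same or the next line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*(\d+)\]\s*(.*)$")

def parse_entries(text):
    """Group header and continuation lines into (timestamp, level, body) entries."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, int(m.group(2)), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def find_kinit_then_denied(text, window=timedelta(seconds=60)):
    """Return (kinit_ts, denied_ts) pairs: a kinit preauth failure followed by
    NT_STATUS_ACCESS_DENIED within `window` (the 60 s default is an assumption)."""
    hits, last_kinit = [], None
    for ts, _level, body in parse_entries(text):
        if "Kinit failed: Preauthentication failed" in body:
            last_kinit = ts
        elif "NT_STATUS_ACCESS_DENIED" in body and last_kinit is not None:
            if ts - last_kinit <= window:
                hits.append((last_kinit, ts))
            last_kinit = None
    return hits

if __name__ == "__main__":
    for kinit_ts, denied_ts in find_kinit_then_denied(SAMPLE_LOG):
        print(f"{kinit_ts} kinit preauth failure, access denied at {denied_ts}")
```

The lone access-denied entry at 09:02 in the sample is not reported, because no kinit failure precedes it.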

