[Samba] Samba domain member losing membership
andrew.galdes at agix.com.au
Sat Nov 17 00:42:30 MST 2012
Thanks. I've updated to the latest version and so far so good. But time
will tell in this case.
Thanks a lot for your help.
On Fri, Nov 16, 2012 at 8:45 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2012-11-16 at 15:49 +1030, Andrew Galdes wrote:
> > Hello all,
> > I've recently posted here for help with a Samba domain member system
> > that seems to lose its domain membership. I want to discuss it a little
> > more. I have more information. I'm after comments and suggestions for
> > troubleshooting. Also, I say "loses membership" but I don't really know
> > it has lost it. Just doesn't work anymore until I re-join the Samba
> > to the domain.
> > I have noticed this behaviour with two sites (installations) now. Both
> > CentOS systems with Samba versions as follows:
> > samba-*-3.5.10-125.el6.x86_64
> > samba-*-3.5.10-115.el6_2.x86_64
> > I successfully join these systems to Active Directory domains (2008 r2
> > DCs) using the following command. The system can then do as I need and
> > "wbinfo" works:
> > net join -U Administrator%MyPass
> > After some time the Samba servers will stop functioning as expected and
> > users will get 'access denied' errors. "wbinfo" stops working.
> > Some error messages:
> > LOG FILE: "/var/log/samba/log.wb-MYDOM"
> > [2012/11/12 13:20:43.338947, 0]
> > libsmb/cliconnect.c:1052(cli_session_setup_spnego)
> > Kinit failed: Preauthentication failed
> > [2012/11/12 13:20:43.459457, 2]
> > winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
> > NTLM CRAP authentication for user [MYDOM]\[myuser] returned
> > NT_STATUS_ACCESS_DENIED (PAM: 4)
> > Notice Kinit in the above error. I have not configured Kerberos at this
> > point.
> > I have not identified consistent time intervals for these 'drop-outs'. I
> > have not updated (YUM) these systems between the joining and dropping
> > the domains.
> > What might cause this?
> What causes this is that when we change our domain membership password,
> and the connection to the DC we change against times out. There is a
> patch in later releases for this (gives a longer timeout).
> The issue is, this takes longer than we allow, so we think it failed,
> but it actually succeeded, and so we lose our membership.
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
RHCSA, LPI, CCENT
Ph: 08 7324 4429
Mb: 0422 927 598
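
A triage sketch for the winbind log excerpt quoted in this thread, added here as an example and not part of the original messages or of Samba. It parses entries in that layout (including headers that were wrapped onto two lines) and returns the first entry showing the failure signs from the thread; the sample reuses the quoted lines plus one constructed entry, and the function names are assumptions.

```python
import re
from datetime import datetime

# Sample input: the two entries quoted in the thread (wrapped as in the mail)
# plus one constructed, unrelated entry with a placeholder source location.
SAMPLE_LOG = r"""
[2012/11/12 13:19:58.000000,  3] example/placeholder.c:1(constructed_entry)
  constructed entry unrelated to the failure
[2012/11/12 13:20:43.338947, 0]
libsmb/cliconnect.c:1052(cli_session_setup_spnego)
Kinit failed: Preauthentication failed
[2012/11/12 13:20:43.459457, 2]
winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [MYDOM]\[myuser] returned
NT_STATUS_ACCESS_DENIED (PAM: 4)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\d+\(\w+\)$")
# Failure signs taken from the log excerpt in the thread.
SIGNS = ("Kinit failed: Preauthentication failed", "NT_STATUS_ACCESS_DENIED")

def parse_entries(text):
    """Group log lines into entries: time, debug level, source location, message."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            entries.append({"time": ts, "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif entries and line:
            entry = entries[-1]
            if not entry["where"] and LOCATION.match(line):
                entry["where"] = line          # header was wrapped onto two lines
            else:
                entry["msg"] = (entry["msg"] + " " + line).strip()
    return entries

def trust_failures(entries):
    """Entries whose message contains one of the failure signs."""
    return [e for e in entries if any(s in e["msg"] for s in SIGNS)]

def first_failure(text):
    """Earliest failing entry, or None if the log shows no failure signs."""
    hits = trust_failures(parse_entries(text))
    return min(hits, key=lambda e: e["time"]) if hits else None
```
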