[Samba] Samba AD member lost domain join after reboot

[Rowland penny]

On 07/06/16 07:31, Alexis RIES wrote:
> Hi, here it attached my smb.conf and Winbind debug log after reboot.
> My OS is Debian Jessie and has a fixed ip.
>
> Thank you
>
> On 06/06/2016 22:05, Rowland penny wrote:
>> On 06/06/16 14:52, Alexis RIES wrote:
>>> Hello,
>>>
>>> After each reboot, my Samba AD member server lost domain join after 
>>> reboot, I have to re-enter the server in the domain with the "net 
>>> ads join -U administrator".
>>>
>>> I use version 4.4.3 of samba.
>>> The domain controller is a Samba AD server.
>>>
>>> After reboot, when I exectute "net ads testjoin" I have:
>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed 
>>> Preauthentication
>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed 
>>> Preauthentication
>>> Join to domain is not valid: Logon failure
>>>
>>> And when I execute "wbinfo -t":
>>> checking the trust secret for domain SAMDOM via RPC calls failed
>>> wbcCheckTrustCredentials (SAMDOM): error code Was 
>>> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>>> Could not check secret
>>>
>>> Anyone know this problem?
>>> How can I make the domain-join to persist reboots?
>>>
>>
>> Hi, can you post your smb.conf from the domain member.
>> What OS ?
>> Does the domain member have a fixed ip or does it use DHCP ?
>>
>> Rowland
>>
>>
>
>
>

OK, it should work, but can I suggest a few changes to your smb.conf:

cat 'vfs objects = fileid' and 'vfs objects = acl_xattr full_audit' i.e. 
make it 'vfs objects = fileid acl_xattr full_audit'

Remove all the 'valid users' etc and use ACLs instead, you can set these 
from windows or with setfacl.

add 'ldap server require strong auth = No'

If you are actually using '.local' and avahi is running, I suggest you 
turn it off.

Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf

Finally is /etc/krb5.keytab being created by the join ?

Rowland