[Samba] Samba AD member lost domain join after reboot
Alexis RIES
alexis.ries at kinaxia.fr
Tue Jun 7 09:13:05 UTC 2016
Yes, the /etc/krb5.keytab file is created during the domain join.
I just noticed that it's not only after a reboot I have this problem.
I lost the domain join on my first SMB server, and it has not been restarted.
Note that I use Cluster Mode (CTDB), but the problem is the same when I
remove the cluster configuration.
Attached are the requested files.
Thank you,
Alexis.
On 07/06/2016 09:43, Rowland penny wrote:
> On 07/06/16 07:31, Alexis RIES wrote:
>> Hi, attached here are my smb.conf and Winbind debug log after reboot.
>> My OS is Debian Jessie and has a fixed ip.
>>
>> Thank you
>>
>> On 06/06/2016 22:05, Rowland penny wrote:
>>> On 06/06/16 14:52, Alexis RIES wrote:
>>>> Hello,
>>>>
>>>> After each reboot, my Samba AD member server loses its domain join;
>>>> I have to re-enter the server into the domain with "net
>>>> ads join -U administrator".
>>>>
>>>> I use version 4.4.3 of samba.
>>>> The domain controller is a Samba AD server.
>>>>
>>>> After reboot, when I execute "net ads testjoin" I have:
>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
>>>> Preauthentication
>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
>>>> Preauthentication
>>>> Join to domain is not valid: Logon failure
>>>>
>>>> And when I execute "wbinfo -t":
>>>> checking the trust secret for domain SAMDOM via RPC calls failed
>>>> wbcCheckTrustCredentials (SAMDOM): error code Was
>>>> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>>>> Could not check secret
>>>>
>>>
>>> Hi, can you post your smb.conf from the domain member.
>>> What OS ?
>>> Does the domain member have a fixed ip or does it use DHCP ?
>>>
>>> Rowland
>>>
>>>
>>
>>
>>
>
> OK, it should work, but can I suggest a few changes to your smb.conf:
>
> cat 'vfs objects = fileid' and 'vfs objects = acl_xattr full_audit'
> i.e. make it 'vfs objects = fileid acl_xattr full_audit'
>
> Remove all the 'valid users' etc and use ACLs instead, you can set
> these from windows or with setfacl.
>
> add 'ldap server require strong auth = No'
>
> If you are actually using '.local' and avahi is running, I suggest you
> turn it off.
>
> Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf
>
> Finally is /etc/krb5.keytab being created by the join ?
>
> Rowland
-------------- next part --------------
[libdefaults]
default_realm = AD.SAMDOM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
-------------- next part --------------
127.0.0.1 localhost
192.168.254.3 SMB1.AD.SAMDOM.LOCAL SMB1
192.168.254.4 SMB2.AD.SAMDOM.LOCAL SMB2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-------------- next part --------------
domain samdom.local
search samdom.local
nameserver 192.168.254.1
nameserver 192.168.254.2
options timeout:2
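
An added example, not part of the original thread: Rowland's suggestion to merge the two 'vfs objects' lines matters because Samba keeps only the last assignment of a parameter within a section, so the modules named on the earlier line are never loaded. The poster's smb.conf was an attachment and is not shown here, so the sample text, the share name and the function names below are constructed for illustration; backslash line continuations are not handled.

```python
import re
from collections import defaultdict

# Constructed sample: only the two 'vfs objects' values come from the thread.
SAMPLE_SMB_CONF = """\
[global]
    vfs objects = fileid
    # a second assignment in the same section replaces the first
    VFS Objects = acl_xattr full_audit

[data]
    path = /srv/data
    read only = no
"""

def norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def find_repeated_params(text):
    """Return {(section, param): [values in file order]} for repeated params."""
    seen = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" in line and section is not None:
            name, value = line.split("=", 1)
            seen[(section, norm(name))].append(value.strip())
    return {key: vals for key, vals in seen.items() if len(vals) > 1}

def merged_vfs_objects(values):
    """Join module lists, keeping first-seen order and dropping repeats."""
    modules = []
    for value in values:
        for mod in re.split(r"[,\s]+", value.strip()):
            if mod and mod not in modules:
                modules.append(mod)
    return "vfs objects = " + " ".join(modules)

if __name__ == "__main__":
    for (section, param), values in find_repeated_params(SAMPLE_SMB_CONF).items():
        print(f"[{section}] {param}: {len(values)} assignments, effective: {values[-1]!r}")
        if param == "vfsobjects":
            print("  merged:", merged_vfs_objects(values))
```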