[Samba] Samba AD member lost domain join after reboot

Alexis RIES alexis.ries at kinaxia.fr
Tue Jun 7 13:44:16 UTC 2016


I added the usermapping, but this does not solve the problem.

I do not use libpam-winbind and libpam-krb5 because I did not need to 
log in to the server using domain accounts; it seems to me that this is 
not mandatory. Can you confirm?

Here are the permissions of the file /etc/krb5.keytab:
root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
-rw------- 1 root root 2312 Jun  7 14:44 /etc/krb5.keytab

Avahi is not installed on this server.

For information, when I run "wbinfo -P", I have this result:
root@smb1:/home/adminlocal# wbinfo -P
checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
wbcPingDc2 (SAMDOM): error code was NT_STATUS_USER_SESSION_DELETED (0xc0000203)

I see that the domain controller is not specified; on my other server 
(SMB2) I have the address of the domain controller.

Thank you,
Alexis.


On 07/06/2016 12:57, Rowland penny wrote:
> On 07/06/16 10:13, Alexis RIES wrote:
>> Yes, the /etc/krb5.keytab file is created during the domain join.
>>
>> I just noticed that it's not only after a reboot that I have this 
>> problem. I lost the domain join on my first SMB server; it has not 
>> been restarted.
>>
>> Note that I use Cluster Mode (CTDB), but the problem is the same when 
>> I remove the cluster configuration.
>>
>> Attached are the requested files.
>>
>>
>> Thank you,
>> Alexis.
>>
>>
>>
>> On 07/06/2016 09:43, Rowland penny wrote:
>>> On 07/06/16 07:31, Alexis RIES wrote:
>>>> Hi, attached are my smb.conf and the Winbind debug log after reboot.
>>>> My OS is Debian Jessie and it has a fixed IP.
>>>>
>>>> Thank you
>>>>
>>>> On 06/06/2016 22:05, Rowland penny wrote:
>>>>> On 06/06/16 14:52, Alexis RIES wrote:
>>>>>> Hello,
>>>>>>
>>>>>> After each reboot, my Samba AD member server loses its domain 
>>>>>> join; I have to rejoin the server to the domain with 
>>>>>> "net ads join -U administrator".
>>>>>>
>>>>>> I use version 4.4.3 of samba.
>>>>>> The domain controller is a Samba AD server.
>>>>>>
>>>>>> After reboot, when I execute "net ads testjoin" I have:
>>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
>>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
>>>>>> Join to domain is not valid: Logon failure
>>>>>>
>>>>>> And when I execute "wbinfo -t":
>>>>>> checking the trust secret for domain SAMDOM via RPC calls failed
>>>>>> wbcCheckTrustCredentials (SAMDOM): error code was NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>>>>>> Could not check secret
>>>>>>
>>>>>
>>>>> Hi, can you post your smb.conf from the domain member.
>>>>> What OS ?
>>>>> Does the domain member have a fixed ip or does it use DHCP ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> OK, it should work, but can I suggest a few changes to your smb.conf:
>>>
>>> cat 'vfs objects = fileid' and 'vfs objects = acl_xattr full_audit' 
>>> i.e. make it 'vfs objects = fileid acl_xattr full_audit'
>>>
>>> Remove all the 'valid users' etc and use ACLs instead, you can set 
>>> these from windows or with setfacl.
>>>
>>> add 'ldap server require strong auth = No'
>>>
>>> If you are actually using '.local' and avahi is running, I suggest 
>>> you turn it off.
>>>
>>> Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf?
>>>
>>> Finally is /etc/krb5.keytab being created by the join ?
>>>
>>> Rowland
>>
>>
>>
>
> Everything looks ok, do you have all these packages installed:
>
> libpam-winbind libnss-winbind libpam-krb5
>
> What are the permissions on /etc/krb5.keytab?
>
> You could try adding this line to smb.conf:
>
> username map = /etc/samba/samba_usermapping
>
> Then create /etc/samba/samba_usermapping with this content:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> Obviously you can put the usermapping file anywhere and replace 
> 'SAMDOM' with your NetBIOS domain name.
>
> Rowland


