[Samba] Samba AD member lost domain join after reboot
Alexis RIES
alexis.ries at kinaxia.fr
Wed Jun 8 07:22:38 UTC 2016
Hi,
You will find attached the output of "net ads testjoin -d4" and "-d3".
Yes replication seems to work properly.
Alexis.
On 07/06/2016 18:55, lingpanda101 at gmail.com wrote:
> On 6/7/2016 12:31 PM, Alexis RIES wrote:
>> I was wrong, the problem persists, it is not because of the DNS.
>> You have the same configuration as me, but with two domain controllers?
>>
>> On 07/06/2016 18:05, Alexis RIES wrote:
>>> I think I found my problem, when configuring my second domain
>>> controller, I have created by mistake a round robin DNS entry on
>>> "Forward Lookup Zones -> ad.samdom.local".
>>> I speak of round-robin because I have two A records pointing to the
>>> same domain
>>>
>>> Now I'm lost, you have a second domain controller in failover?
>>> If so, could you give me your DNS configuration? I need information on:
>>>
>>> Forward Lookup Zones -> ad.samdom.local.
>>> Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
>>> Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones
>>>
>>> Currently I have two domain controllers in these areas (thus the
>>> round-robin).
>>> However, I have not touched the DomainDnsZones and ForestDnsZones
>>> areas, this had to be done by "samba-tool domain join" executed
>>> during installation but I'm not sure.
>>>
>>> Is it normal to have the round robin on ForestDnsZones and
>>> DomainDnsZones?
>>>
>>> Please find attached the export of my DNS configuration.
>>>
>>> Thank you,
>>> Alexis.
>>>
>>> On 07/06/2016 16:05, Rowland penny wrote:
>>>> On 07/06/16 14:44, Alexis RIES wrote:
>>>>> I put the usermapping but this does not solve the problem.
>>>>>
>>>>> I do not use libpam_winbind and libpam-krb5 because I did not need
>>>>> to log in to the server using domain accounts; it seems to me that this
>>>>> is not mandatory, can you confirm?
>>>>
>>>> This could well be your problem, try installing them. My domain
>>>> member works and this seems to be the only difference between my
>>>> domain member and yours.
>>>>
>>>>>
>>>>>
>>>>> Here are the permissions of the file /etc/krb5.keytab:
>>>>> root at smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>>>>> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
>>>>
>>>> That again is the same as my domain member
>>>>
>>>>>
>>>>>
>>>>> Avahi is not installed on this server
>>>>>
>>>>> For information, when I run "wbinfo -P", I have this result:
>>>>> root at smb1:/home/adminlocal# wbinfo -P
>>>>> checking the NETLOGON for domain[SAMDOM] dc connection to "" failed
>>>>> wbcPingDc2(SAMDOM): error code was NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>>>
>>>>
>>>> This works for me:
>>>>
>>>> root at debnet:/home/rowland/ # wbinfo -P
>>>> checking the NETLOGON dc connection to "dc1.samdom.example.com"
>>>> succeeded
>>>>
>>>> Rowland
>>>>
>>>
>>
>
> Alexis can you run 'net ads testjoin -d 3' and report? Can you also
> verify replication is working on your DC's?
>
-------------- next part --------------
root at dc1:/home/adminlocal# samba-tool drs showrepl
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 8b1a800e-6dbb-4d19-aef8-b0fb54f77b3a
DSA invocationId: 9394e2f2-61ea-4eb9-961b-7a27d47362a4
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ Wed Jun 8 09:07:13 2016 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 8 09:07:13 2016 CEST
DC=DomainDnsZones,DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ Wed Jun 8 09:07:13 2016 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 8 09:07:13 2016 CEST
DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ Wed Jun 8 09:07:13 2016 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 8 09:07:13 2016 CEST
CN=Schema,CN=Configuration,DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ Wed Jun 8 09:07:14 2016 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 8 09:07:14 2016 CEST
CN=Configuration,DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ Wed Jun 8 09:07:14 2016 CEST was successful
0 consecutive failure(s).
Last success @ Wed Jun 8 09:07:14 2016 CEST
==== OUTBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=ad,DC=samdom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 1f6b4724-19c7-42fc-bbf9-f88a9c6830e3
Enabled : TRUE
Server DNS name : dc2.ad.samdom.local
Server DN name : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
-------------- next part --------------
root at smb2:/home/adminlocal# net ads testjoin -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth1 ip=10.10.10.2 bcast=10.10.255.255 netmask=255.255.0.0
added interface eth0 ip=192.168.254.4 bcast=192.168.254.255 netmask=255.255.255.0
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
return code = -1
-------------- next part --------------
root at smb2:/home/adminlocal# net ads testjoin -d 4
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
doing parameter log file = /var/log/samba/samba.log
doing parameter log level = 5
doing parameter netbios name = SMB2
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = AD.SAMDOM.LOCAL
doing parameter encrypt passwords = yes
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter username map = /usr/local/samba/etc/samba_usermapping
doing parameter winbind refresh tickets = yes
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter clustering = Yes
doing parameter ctdbd socket = /usr/local/samba/var/run/ctdb/ctdbd.socket
doing parameter fileid:mapping = fsid
doing parameter vfs objects = fileid
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-99999
doing parameter winbind nss info = rfc2307
doing parameter vfs objects = acl_xattr full_audit
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
doing parameter full_audit:prefix = %u|%I|%m|%S
doing parameter full_audit:success = mkdir rename unlink rmdir write
doing parameter full_audit:failure = read pread mkdir opendir rmdir telldir
doing parameter full_audit:facility = local7
doing parameter full_audit:priority = NOTICE
pm_process() returned Yes
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
doing parameter log file = /var/log/samba/samba.log
doing parameter log level = 5
doing parameter netbios name = SMB2
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = AD.SAMDOM.LOCAL
doing parameter encrypt passwords = yes
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter username map = /usr/local/samba/etc/samba_usermapping
doing parameter winbind refresh tickets = yes
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter clustering = Yes
doing parameter ctdbd socket = /usr/local/samba/var/run/ctdb/ctdbd.socket
doing parameter fileid:mapping = fsid
doing parameter vfs objects = fileid
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-99999
doing parameter winbind nss info = rfc2307
doing parameter vfs objects = acl_xattr full_audit
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
doing parameter full_audit:prefix = %u|%I|%m|%S
doing parameter full_audit:success = mkdir rename unlink rmdir write
doing parameter full_audit:failure = read pread mkdir opendir rmdir telldir
doing parameter full_audit:facility = local7
doing parameter full_audit:priority = NOTICE
pm_process() returned Yes
added interface eth0 ip=192.168.254.4 bcast=192.168.254.255 netmask=255.255.255.0
added interface eth0 ip=192.168.254.11 bcast=192.168.254.255 netmask=255.255.255.0
added interface eth1 ip=10.10.10.2 bcast=10.10.255.255 netmask=255.255.0.0
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
ads_dc_name: domain=SAMDOM
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:389 192.168.254.2:389
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
ads_dc_name: using server='DC1.AD.SAMDOM.LOCAL' IP=192.168.254.1
ads_dc_name: domain=SAMDOM
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:389 192.168.254.2:389
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
ads_dc_name: using server='DC1.AD.SAMDOM.LOCAL' IP=192.168.254.1
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
ads_dc_name: domain=SAMDOM
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:389 192.168.254.2:389
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
ads_dc_name: using server='DC1.AD.SAMDOM.LOCAL' IP=192.168.254.1
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
return code = -1
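As an added example (not from this thread or the Samba project), a small Python parser for the `net ads testjoin -d 3` output attached above: it pulls out the DC that answered, the principal whose kinit failed and the final verdict, and maps the Kerberos error string to a likely cause. It goes beyond the single case on this page by also recognising the success line and two other common kinit errors; the SAMPLE text is constructed, and the HINTS mapping is a general Kerberos interpretation, not something the thread states.

```python
"""Summarise why 'net ads testjoin -d 3' reported a failed join."""
import re

# Constructed sample, condensed from the shape of the log in the thread.
SAMPLE = """\
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
return code = -1
"""

LDAP_RE = re.compile(r"^Successfully contacted LDAP server (\S+)$")
KINIT_RE = re.compile(r"^kerberos_kinit_password (\S+) failed: (.+)$")
VERDICT_RE = re.compile(r"^Join to domain is (not valid|valid)(?:: (.+))?$")

# Assumed interpretation of common krb5 error strings (general Kerberos
# semantics, not taken from the thread). A preauth failure means the key the
# member derived from its stored machine password did not decrypt at the KDC.
HINTS = {
    "Preauthentication failed": "stored machine account secret does not match the DC's copy",
    "Clock skew too great": "member and KDC clocks differ by more than the tolerance",
    "Client not found in Kerberos database": "computer account missing or renamed on the DC",
}

def parse_testjoin(text):
    """Return a dict with the DCs contacted, kinit principal/error, verdict and hint."""
    r = {"dcs": [], "principal": None, "kinit_error": None, "valid": None, "hint": None}
    for line in text.splitlines():
        line = line.strip()
        if line == "Join is OK":                      # success line printed by net ads testjoin
            r["valid"] = True
        elif m := LDAP_RE.match(line):
            if m.group(1) not in r["dcs"]:
                r["dcs"].append(m.group(1))
        elif m := KINIT_RE.match(line):
            r["principal"], r["kinit_error"] = m.group(1), m.group(2).strip()
        elif m := VERDICT_RE.match(line):
            r["valid"] = m.group(1) == "valid"
    if r["kinit_error"]:
        r["hint"] = HINTS.get(r["kinit_error"], "unrecognised krb5 error; check the KDC log on the DC")
    return r

def is_machine_account(principal):
    """Machine principals look like NETBIOSNAME$@REALM; user principals have no trailing '$'."""
    return principal is not None and principal.split("@")[0].endswith("$")

if __name__ == "__main__":
    print(parse_testjoin(SAMPLE))
```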