[Samba] Samba AD member lost domain join after reboot

Alexis RIES alexis.ries at kinaxia.fr
Wed Jun 8 14:57:23 UTC 2016


I conducted many tests and I noticed that I lose the domain join on SMB1 
as soon as I join SMB2 to the domain.

Step 1: SMB1 "net ads join -Uadministrator" -> OK
Step 2: SMB1 "net ads testjoin" -> OK
Step 3: SMB2 "net ads join -Uadministrator" -> OK
Step 4: SMB2 "net ads testjoin" -> OK
Step 5: SMB1 "net ads testjoin" -> Preauthentication failed

And vice versa in the opposite direction. Obviously I can integrate a 
single domain member server.

With only one Samba server as a domain member, it works correctly.
It is when I join the second server that the first server loses the domain.

I completely reinstalled Debian and Samba on SMB2: problem unsolved.
I installed a new domain controller without replication: problem unsolved.

I do not understand, because SMB2 is a new install; no servers have been 
cloned.
I checked my hostname and MAC address; there is no duplicate on the servers.

Alexis.


On 08/06/2016 09:22, Alexis RIES wrote:
> Hi,
>
> You will find attached the output of "net ads testjoin -d4" and "-d3".
> Yes replication seems to work properly.
>
> Alexis.
>
> On 07/06/2016 18:55, lingpanda101 at gmail.com wrote:
>> On 6/7/2016 12:31 PM, Alexis RIES wrote:
>>> I was wrong, the problem persists, it is not because of the DNS.
>>> You have the same configuration as me, but with two domain 
>>> controllers?
>>>
>>> On 07/06/2016 18:05, Alexis RIES wrote:
>>>> I think I found my problem: when configuring my second domain 
>>>> controller, I had by mistake created a round-robin DNS entry on 
>>>> "Forward Lookup Zones -> ad.samdom.local".
>>>> I speak of round-robin because I have two A records pointing to the 
>>>> same domain.
>>>>
>>>> Now I'm lost; do you have a second domain controller in failover?
>>>> If so, could you give me your DNS configuration? I need information 
>>>> on:
>>>>
>>>> Forward Lookup Zones -> ad.samdom.local.
>>>> Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
>>>> Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones
>>>>
>>>> Currently I have two domain controllers in these zones (thus the 
>>>> round-robin).
>>>> However, I have not touched the DomainDnsZones and ForestDnsZones 
>>>> zones; this had to be done by "samba-tool domain join" executed 
>>>> during installation, but I'm not sure.
>>>>
>>>> Is it normal to have the round robin on ForestDnsZones and 
>>>> DomainDnsZones ?
>>>>
>>>> Please find attached the export of my DNS configuration.
>>>>
>>>> Thank you,
>>>> Alexis.
>>>>
>>>>
>>>>
>>>> On 07/06/2016 16:05, Rowland penny wrote:
>>>>> On 07/06/16 14:44, Alexis RIES wrote:
>>>>>> I put the usermapping but this does not solve the problem.
>>>>>>
>>>>>> I do not use libpam_winbind and libpam-krb5 because I do not 
>>>>>> need to log in to the server using domain accounts; it seems to me 
>>>>>> that this is not mandatory, can you confirm?
>>>>>
>>>>> This could well be your problem, try installing them. My domain 
>>>>> member works and this seems to be the only difference between my 
>>>>> domain member and yours.
>>>>>
>>>>>>
>>>>>>
>>>>>> Here are the permissions of the file /etc/krb5.keytab:
>>>>>> root at smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>>>>>> -rw------- 1 root root 2312 Jun  7 14:44 /etc/krb5.keytab
>>>>>
>>>>> That again is the same as my domain member
>>>>>
>>>>>>
>>>>>>
>>>>>> Avahi is not installed on this server
>>>>>>
>>>>>> For information, when I run "wbinfo -P", I have this result:
>>>>>> root at smb1:/home/adminlocal# wbinfo -P
>>>>>> checking the NETLOGON for domain[SAMDOM] dc connection to "" failed
>>>>>> wbcPingDc2(SAMDOM): error code was 
>>>>>> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>>>>
>>>>>
>>>>> This works for me:
>>>>>
>>>>> root at debnet:/home/rowland/ # wbinfo -P
>>>>> checking the NETLOGON dc connection to "dc1.samdom.example.com" 
>>>>> succeeded
>>>>>
>>>>> Rowland
>>
>> Alexis can you run 'net ads testjoin -d 3' and report? Can you also 
>> verify replication is working on your DC's?
>>