[Samba] Samba AD member lost domain join after reboot

lingpanda101 at gmail.com lingpanda101 at gmail.com
Wed Jun 8 16:14:39 UTC 2016


On 6/8/2016 10:57 AM, Alexis RIES wrote:
> I conducted many tests and I noticed that I lose the domain join on 
> SMB1 as soon as I join SMB2 to the domain.
>
> Step 1: SMB1 "net ads join -Uadministrator" -> OK
> Step 2: SMB1 "net ads testjoin" -> OK
> Step 3: SMB2 "net ads join -Uadministrator" -> OK
> Step 4: SMB2 "net ads testjoin" -> OK
> Step 5: SMB1 "net ads testjoin" -> Preauthentication failed
>
> And vice versa in the opposite direction. Obviously I can join a 
> single domain member server.
>
> With only one Samba server as a domain member, it works correctly.
> It is when I join the second server that the first server loses the domain.
>
> I completely reinstalled SMB2 (Debian and Samba): problem not solved.
> I installed a new domain controller without replication: problem not 
> solved.
>
> I do not understand, because SMB2 is a new install; no servers have 
> been cloned.
> I checked my hostnames and MAC addresses; there are no duplicates on the servers.
>
> Alexis.
>
>
> On 08/06/2016 09:22, Alexis RIES wrote:
>> Hi,
>>
>> You will find attached the output of "net ads testjoin -d4" and "-d3".
>> Yes replication seems to work properly.
>>
>> Alexis.
>>
>> On 07/06/2016 18:55, lingpanda101 at gmail.com wrote:
>>> On 6/7/2016 12:31 PM, Alexis RIES wrote:
>>>> I was wrong, the problem persists, it is not because of the DNS.
>>>> You have the same configuration as me, but with two domain 
>>>> controllers?
>>>>
>>>> On 07/06/2016 18:05, Alexis RIES wrote:
>>>>> I think I found my problem: when configuring my second domain 
>>>>> controller, I created a round-robin DNS entry by mistake in 
>>>>> "Forward Lookup Zones -> ad.samdom.local".
>>>>> I speak of round-robin because I have two A records pointing to the 
>>>>> same domain.
>>>>>
>>>>> Now I'm lost. Do you have a second domain controller for failover?
>>>>> If so, could you give me your DNS configuration? I need 
>>>>> information on:
>>>>>
>>>>> Forward Lookup Zones -> ad.samdom.local.
>>>>> Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
>>>>> Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones
>>>>>
>>>>> Currently I have two domain controllers in these zones (hence the 
>>>>> round-robin).
>>>>> However, I have not touched the DomainDnsZones and ForestDnsZones 
>>>>> zones; this must have been done by "samba-tool domain join" executed 
>>>>> during installation, but I'm not sure.
>>>>>
>>>>> Is it normal to have the round robin on ForestDnsZones and 
>>>>> DomainDnsZones ?
>>>>>
>>>>> Please find attached the export of my DNS configuration.
>>>>>
>>>>> Thank you,
>>>>> Alexis.
>>>>>
>>>>>
>>>>>
>>>>> On 07/06/2016 16:05, Rowland penny wrote:
>>>>>> On 07/06/16 14:44, Alexis RIES wrote:
>>>>>>> I put the usermapping in, but this does not solve the problem.
>>>>>>>
>>>>>>> I do not use libpam_winbind and libpam-krb5 because I did not 
>>>>>>> need to log in to the server using domain accounts; it seems to me that 
>>>>>>> this is not mandatory. Can you confirm?
>>>>>>
>>>>>> This could well be your problem, try installing them. My domain 
>>>>>> member works and this seems to be the only difference between my 
>>>>>> domain member and yours.
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Here are the permissions of the file /etc/krb5.keytab:
>>>>>>> root at smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>>>>>>> -rw------- 1 root root 2312 Jun  7 14:44 /etc/krb5.keytab
>>>>>>
>>>>>> That again is the same as my domain member
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Avahi is not installed on this server
>>>>>>>
>>>>>>> For information, when I run "wbinfo -P", I get this result:
>>>>>>> root at smb1:/home/adminlocal# wbinfo -P
>>>>>>> checking the NETLOGON for domain [SAMDOM] dc connection to "" 
>>>>>>> failed
>>>>>>> wbcPingDc2(SAMDOM): error code was 
>>>>>>> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>>>>>
>>>>>>
>>>>>> This works for me:
>>>>>>
>>>>>> root at debnet:/home/rowland/ # wbinfo -P
>>>>>> checking the NETLOGON dc connection to "dc1.samdom.example.com" 
>>>>>> succeeded
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> Alexis, can you run 'net ads testjoin -d 3' and report? Can you also 
>>> verify that replication is working on your DCs?
>>>
>>
>>
>>
>

I do not know what the issue could be from looking through the logs. Have you 
tried cleaning up your domain by removing all traces of the member 
servers and attempting to re-join?

Can you compare the DCs' LDAP databases against each other to make sure 
replication is in fact working? Is NTP installed on the DCs?

https://wiki.samba.org/index.php/Samba-tool_ldapcmp

-- 
-James
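The checks James and Rowland ask for (testjoin, wbinfo -P, the keytab, clocks) are easiest to compare when both members produce the same output. The following script is an added example and is not part of this thread or of Samba itself; the host names, realm and the sample `klist -k` listing are constructed assumptions. It reduces a member's keytab to its principals, highest kvno and machine account name, so the two members can be diffed: if two members' keytabs name the same machine account, the later `net ads join` has reset that account's password and the earlier member's keys no longer match, which is exactly the "Preauthentication failed" symptom (whether that is the cause here is not something the thread establishes).

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). Run as root on each
# domain member with "--live"; without arguments it runs on a constructed
# sample listing so the parsing can be exercised offline.

# Print "kvno principal" pairs from `klist -k` output on stdin, de-duplicated.
# The same principal at several kvnos means the account password was reset
# (for example by a re-join) while older keytab entries were kept.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $1, $2 }' | sort -u
}

# Highest kvno in the listing; each join or re-join of the account bumps it.
keytab_max_kvno() {
    awk 'BEGIN { max = 0 }
         $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
         END { print max }'
}

# Machine account name(s) in the keytab (principals ending in "$").
# Two members whose keytabs name the same account joined as the same
# computer object; the later join then invalidates the earlier one.
keytab_machine_account() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 {
             split($2, p, "@")
             if (p[1] ~ /\$$/) print toupper(p[1])
         }' | sort -u
}

# Constructed sample of `klist -k /etc/krb5.keytab` on a freshly joined
# member (assumed host smb1 in the assumed realm AD.SAMDOM.LOCAL).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/smb1.ad.samdom.local@AD.SAMDOM.LOCAL
   3 host/SMB1@AD.SAMDOM.LOCAL
   3 host/smb1.ad.samdom.local@AD.SAMDOM.LOCAL
   3 SMB1$@AD.SAMDOM.LOCAL
   3 SMB1$@AD.SAMDOM.LOCAL'

# Live checks for one member (needs samba, winbind and the krb5 client tools).
# Run the same on the second member and diff the two outputs.
member_checks() {
    echo "== host: $(hostname -f)"
    echo "== net ads testjoin";   net ads testjoin
    echo "== winbind DC ping";    wbinfo -P
    echo "== keytab principals";  klist -k /etc/krb5.keytab | keytab_principals
    echo "== keytab max kvno";    klist -k /etc/krb5.keytab | keytab_max_kvno
    echo "== machine account";    klist -k /etc/krb5.keytab | keytab_machine_account
    echo "== clock";              ntpq -p 2>/dev/null || chronyc tracking
}

case "${1:-}" in
    --live) member_checks ;;
    *)      printf '%s\n' "$SAMPLE_KLIST" | keytab_machine_account ;;
esac
```

On the DCs themselves, James's replication check is `samba-tool ldapcmp ldap://dc1.ad.samdom.local ldap://dc2.ad.samdom.local -Uadministrator` (host names assumed), which reports any object that differs between the two databases; a member that was joined against one DC while the other still holds the old machine password would show up there as a difference on the computer object.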



