[Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED

Oliver Werner oliver.werner at kontrast.de
Fri Sep 30 11:01:35 UTC 2016


OK, now I have left and rejoined the domain with my member (Debian 8 - Samba 4.5.0 deb-pkg).

smb.conf on the DCs (I have two):

[global]
	workgroup = HQKONTRAST
	realm = HQ.KONTRAST
	netbios name = VL0227
	interfaces = eth0:35
	bind interfaces only = yes
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

	ldap server require strong auth = no
	ntlm auth = yes

	# Debug logging information
	log level = 3
	log file = /var/log/samba/samba.log.debug

	tls enabled  = yes
	tls keyfile  = /var/lib/samba/private/tls/key.pem
	tls certfile = /var/lib/samba/private/tls/cert.pem
	tls cafile   = /var/lib/samba/private/tls/ca.pem

[netlogon]
	path = /var/lib/samba/sysvol/hq.kontrast/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

member smb.conf:

[global]
       netbios name = PL0024
       security = ADS
       workgroup = HQKONTRAST
       realm = HQ.KONTRAST

       log file = /var/log/samba/%m.log
       log level = 3 passdb:5 auth:10 winbind:10

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes
       winbind cache time = 300
       winbind refresh tickets = yes

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 500-1023

       # idmap config for domain HQKONTRAST
       idmap config HQKONTRAST:backend = ad
       idmap config HQKONTRAST:schema_mode = rfc2307
       idmap config HQKONTRAST:range = 1024-99999

       # Use settings from AD for login shell and home directory
       winbind nss info = rfc2307

[Archiv]
	path = /daten/archiv
	browseable = yes
	writeable = no
	valid users = @Kontrast_Intern

krb.conf on all Sambas:

[libdefaults]
   default_realm = HQ.KONTRAST
   dns_lookup_realm = false
   dns_lookup_kdc = true


OLIVER WERNER
System Administrator


> On 30.09.2016 at 12:46, Rowland Penny <rpenny at samba.org> wrote:
> 
> On Fri, 30 Sep 2016 12:24:25 +0200
> Oliver Werner via samba <samba at lists.samba.org> wrote:
> 
>> Hi Louis,
>> 
>> I have checked my /var/tmp
>> 
>> But there is nothing like host_ or anything else for Kerberos inside.
>> 
>> ls -lisa /var/tmp/
>> 2  4 drwxrwxrwt  3 root root  4096 Sep 25 08:39 .
>> 2  4 drwxr-xr-x 13 root root  4096 Jun 20  2013 ..
>> 11 16 drwx------  2 root root 16384 Aug  9  2012 lost+found
>> 
>> 
>> In /tmp I can see 4 krb5cc files for users that have used Kerberos
>> on this member. So this looks OK between client and file server, but
>> not between member and DC.
>> 
>> To recreate the keytab, can I use this manual?
>> https://wiki.samba.org/index.php/Generating_Keytabs
>> 
>> 
> 
> If need be yes, but joining the domain should recreate the keytab for
> you, provided you ensure there isn't an existing one before the join.
> 
> What OSes are you using?
> 
> Please post the smb.conf from the DC and domain member.
> 
> Rowland
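
Rowland's advice above (make sure no keytab exists before the join, so that the join recreates it), written out as an added shell example that is not part of the original thread. It assumes the keytab path from the member smb.conf posted above; the function names and the `--rejoin` switch are hypothetical.

```shell
#!/bin/sh
# Added example: rejoin a domain member with a clean keytab.
# KEYTAB defaults to the "dedicated keytab file" from the member smb.conf above.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Move an existing keytab aside so the join has to write a fresh one.
# Prints the backup path, or nothing when no keytab existed.
# The old file is kept because it may hold keys for other services.
stash_keytab() {
    kt="$1"
    [ -e "$kt" ] || return 0
    bak="$kt.pre-join.$(date +%Y%m%d%H%M%S)"
    mv -- "$kt" "$bak" && chmod 600 "$bak" && printf '%s\n' "$bak"
}

# Leave, stash the old keytab, join again, then verify the result.
# $1 is an assumption: a domain account that is allowed to join machines.
rejoin_member() {
    admin="$1"
    net ads leave -U "$admin" || true   # ignore failure if not currently joined
    stash_keytab "$KEYTAB"
    net ads join -U "$admin" || return 1
    net ads testjoin || return 1
    # With "kerberos method = secrets and keytab" the join should have written it.
    if [ ! -s "$KEYTAB" ]; then
        echo "join succeeded but $KEYTAB was not created" >&2
        return 1
    fi
    net ads keytab list "$KEYTAB"
}

# Nothing is changed unless the script is called as: script --rejoin <account>
if [ "${1:-}" = "--rejoin" ] && [ -n "${2:-}" ]; then
    rejoin_member "$2"
fi
```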


