[Samba] Failures to renegotiate machine password & domain participation check fails
Rowland Penny
rpenny at samba.org
Thu Apr 26 09:32:44 UTC 2018
On Thu, 26 Apr 2018 10:13:29 +0100
Sean McGrath via samba <samba at lists.samba.org> wrote:
> Hello everyone,
>
> Can I ask for some assistance, please? Apologies if there is an easy
> solution to this tale of woe that I haven't been able to find online.
>
> We've been having persistent problems with a Scientific Linux release
> 7.4 machine that is joined to an Active Directory domain. Every 30
> days or so the trust relationship between the server and the domain
> would fail, apparently because the machine password was not renewed.
> It worked for several months, then at the end of last year started to
> have this issue every 30 days or so.
>
> I had originally configured the server using SSSD as the identity
> provider but switched to winbind after the series of failures.
> Winbind has failed to update its machine password successfully now
> though.
>
Can you try this smb.conf:
[global]
        # This should be 'DOMAIN' not 'DOMAIN.FQDN'
        workgroup = DOMAIN
        security = ads
        # This should be the dns domain in UPPERCASE
        realm = DNS.DOMAIN
        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        # This uses the winbind 'rid' backend
        # If there are uidNumber & gidNumber attributes in AD
        # you could use the 'ad' backend instead but it will be set up differently
        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : range = 10000-2000000
        template shell = /bin/bash
        winbind refresh tickets = yes
        winbind offline logon = yes
        log level = 3 auth:10
        log file = /var/log/samba/log.%m

[Releases]
        comment = DEPARTMENT Releases
        path = /home/Releases
        read only = no
        create mode = 0775
        valid users = @"department-staff@domain.fqdn",@"department-staff-restricted@domain.fqdn"
        write list = @"department-staff@domain.fqdn"
        inherit permissions = yes

[Department]
        comment = DEPARTMENT share
        path = /home/Department
        read only = no
        valid users = @"department-staff@domain.fqdn"
        create mode = 0770
        force directory mode = 0770

[Finance]
        comment = DEPARTMENT share
        path = /home/Finance
        read only = no
        valid users = @"department-staff@domain.fqdn"
        create mode = 0770
        force directory mode = 0770

[Staff]
        comment = DEPARTMENT staff folders
        path = /home/DOMAIN/%U
        read only = no
        valid users = @"department-staff@domain.fqdn",@"department-staff-restricted@domain.fqdn","doylep6@domain.fqdn"
        root preexec = /var/lib/samba/scripts/mkhomedir.sh %U

[department-secure]
        comment = DEPARTMENT secure share
        path = /home/department-secure
        read only = no
        valid users = @"department-staff-secure@domain.fqdn"
        create mode = 0770
        directory mask = 0770
        force directory mode = 0770
You will need to replace 'DOMAIN' with your workgroup name; this is not
your dns domain name and really shouldn't contain any dots.
You will also have to replace 'DNS.DOMAIN' with your dns domain name.
Also, please read the comments around the 'idmap config' lines.
Rowland
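The following is an added example, not part of Rowland's reply and not Samba's own tooling: a small offline checker for the [global] rules he spells out above (workgroup is the NetBIOS domain name with no dots, realm is the DNS domain in upper case, security = ads, and the default '*' domain and the workgroup each get an idmap range). It goes one step beyond the post by also flagging idmap ranges that overlap, which Samba requires to be disjoint. The smb.conf text it parses is a constructed sample; EXAMPLE and EXAMPLE.LAN are made-up placeholder names.

```python
"""Lint the [global] section of an smb.conf for a winbind domain member."""
import re

# Constructed sample: the [global] block from the reply with the placeholders
# filled in with made-up names (EXAMPLE / EXAMPLE.LAN are not real domains).
SAMPLE_SMB_CONF = """\
[global]
        workgroup = EXAMPLE
        security = ads
        realm = EXAMPLE.LAN
        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-2000000
        winbind refresh tickets = yes
        winbind offline logon = yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Section and parameter names are lower-cased and inner whitespace is
    collapsed, so 'idmap config EXAMPLE : range' and
    'idmap config example:range' land on the same key. Lines starting
    with '#' or ';' are comments and are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def parse_range(value):
    """'3000-9999' -> (3000, 9999)."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def lint_global(conf):
    """Return a list of problems in [global]; empty means the domain
    settings follow the advice in the reply."""
    g = conf.get("global", {})
    problems = []
    workgroup = g.get("workgroup", "")
    realm = g.get("realm", "")
    if not workgroup:
        problems.append("workgroup missing")
    elif "." in workgroup:
        problems.append("workgroup %r looks like a DNS name; use the NetBIOS domain name" % workgroup)
    if not realm:
        problems.append("realm missing")
    elif realm != realm.upper():
        problems.append("realm %r must be UPPERCASE" % realm)
    if g.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' for a domain member")
    # Collect one idmap range per domain name ('*' is the default domain).
    ranges = {}
    for key, value in g.items():
        m = re.match(r"idmap config (.+) : range$", key)
        if m:
            ranges[m.group(1)] = parse_range(value)
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' for the default domain")
    if workgroup and workgroup.lower() not in ranges:
        problems.append("no idmap range for workgroup %r" % workgroup)
    # Ranges of different idmap domains must not overlap.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append("idmap ranges for %r and %r overlap" % (a, b))
    return problems


if __name__ == "__main__":
    for problem in lint_global(parse_smb_conf(SAMPLE_SMB_CONF)) or ["[global] looks consistent"]:
        print(problem)
```

Running it on a real system's /etc/samba/smb.conf is a matter of reading that file into parse_smb_conf instead of the sample; it checks only the points discussed in this thread and is not a substitute for testparm.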