[Samba] Failures to renegotiate machine password & domain participation check fails

Rowland Penny rpenny at samba.org
Thu Apr 26 09:32:44 UTC 2018


On Thu, 26 Apr 2018 10:13:29 +0100
Sean McGrath via samba <samba at lists.samba.org> wrote:

> Hello everyone,
> 
> Can I ask for some assistance please. Apologies if there is an easy
> solution to this tale of woe that I haven't been able to find online.
> 
> We've been having persistent problems with a Scientific Linux release
> 7.4 machine that is joined to an Active Directory domain. Every 30
> days or so the trust relationship between the server and the domain
> would fail, apparently because the machine password was not renewed.
> It worked for several months, then at the end of last year started to
> have this issue every 30 days or so.
> 
> I had originally configured the server using SSSD as the identity
> provider but switched to winbind after the series of failures.
> Winbind has failed to update its machine password successfully now
> though. 
> 

Can you try this smb.conf:

[global]
    # This should be 'DOMAIN' not 'DOMAIN.FQDN'
    workgroup = DOMAIN
    security = ads
    # This should be the dns domain in UPPERCASE
    realm = DNS.DOMAIN

    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    # This uses the winbind 'rid' backend
    # If there are uidNumber & gidNumber attributes in AD
    # you could use the 'ad' backend instead but it will be set up differently
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-2000000
    template shell = /bin/bash

    winbind refresh tickets = yes
    winbind offline logon = yes
    log level = 3 auth:10
    log file = /var/log/samba/log.%m

[Releases]
    comment = DEPARTMENT Releases
    path = /home/Releases
    read only = no
    create mode = 0775
    valid users = @"department-staff@domain.fqdn", @"department-staff-restricted@domain.fqdn"
    write list = @"department-staff@domain.fqdn"
    inherit permissions = yes

[Department]
    comment = DEPARTMENT share
    path = /home/Department
    read only = no
    valid users = @"department-staff@domain.fqdn"
    create mode = 0770
    force directory mode = 0770

[Finance]
    comment = DEPARTMENT share
    path = /home/Finance
    read only = no
    valid users = @"department-staff@domain.fqdn"
    create mode = 0770
    force directory mode = 0770

[Staff]
    comment = DEPARTMENT staff folders
    path = /home/DOMAIN/%U
    read only = no
    valid users = @"department-staff@domain.fqdn", @"department-staff-restricted@domain.fqdn", "doylep6@domain.fqdn"
    root preexec = /var/lib/samba/scripts/mkhomedir.sh %U

[department-secure]
    comment = DEPARTMENT secure share
    path = /home/department-secure
    read only = no
    valid users = @"department-staff-secure@domain.fqdn"
    create mode = 0770
    directory mask = 0770
    force directory mode = 0770

You will need to replace 'DOMAIN' with your workgroup name; this is not
your dns domain name and really shouldn't contain any dots.

You will also have to replace 'DNS.DOMAIN' with your dns domain name.

Also, please read the comments around the 'idmap config' lines.

Rowland
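The three things Rowland's comments call out (a dotted 'workgroup', a 'realm' that is not the DNS domain in uppercase, and 'idmap config' ranges that must be present and must not overlap) are easy to check mechanically before restarting winbind. The script below is an added example, not code from the thread or from the Samba project; it parses the [global] section of an smb.conf with the standard-library configparser and reports each pitfall it finds. The two embedded configs are constructed samples, one deliberately wrong and one corrected in the way the reply suggests.

```python
"""Lint the [global] section of an smb.conf for the AD member-server
pitfalls discussed in the thread: a dotted 'workgroup', a non-uppercase
'realm', and missing or overlapping 'idmap config' ranges.
Added example; not part of the thread or of Samba itself."""
import configparser

# Constructed sample: realm in lowercase and the '*' range overlaps the
# domain range (both mistakes are ones the reply warns against).
BAD_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    realm = example.com
    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 5000-2000000
"""

# Constructed sample with the same layout as the reply's smb.conf.
GOOD_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-2000000
"""


def parse_smb_conf(text):
    """Return the [global] section as a dict of lowercase key -> value.
    Only '=' is accepted as a delimiter so the ':' inside
    'idmap config DOMAIN : range' stays part of the key."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str.lower          # smb.conf keys are case-insensitive
    cp.read_string(text)
    return dict(cp["global"])


def idmap_range(conf, domain):
    """Parse 'idmap config DOMAIN : range = LOW-HIGH' into (low, high),
    or return None when the range is not configured for that domain."""
    value = conf.get(f"idmap config {domain.lower()} : range")
    if value is None:
        return None
    low, high = (int(part.strip()) for part in value.split("-", 1))
    return low, high


def lint_global(conf):
    """Return a list of human-readable problems; an empty list is a pass."""
    problems = []
    workgroup = conf.get("workgroup", "")
    realm = conf.get("realm", "")

    if "." in workgroup:
        problems.append("workgroup contains a dot: use the NetBIOS domain "
                        "name, not the DNS domain name")
    if realm and realm != realm.upper():
        problems.append("realm should be the dns domain in UPPERCASE")

    default = idmap_range(conf, "*")
    domain = idmap_range(conf, workgroup) if workgroup else None
    if default is None:
        problems.append("missing 'idmap config * : range'")
    if workgroup and domain is None:
        problems.append(f"missing 'idmap config {workgroup} : range'; domain "
                        "users would get ids from the default tdb allocator, "
                        "which are not reproducible across hosts")
    # Two closed intervals overlap when each starts before the other ends.
    if default and domain and default[0] <= domain[1] and domain[0] <= default[1]:
        problems.append("idmap ranges overlap: the '*' range and the domain "
                        "range must be disjoint")
    return problems


if __name__ == "__main__":
    for label, text in (("bad", BAD_SMB_CONF), ("good", GOOD_SMB_CONF)):
        found = lint_global(parse_smb_conf(text))
        print(f"{label}: {len(found)} problem(s)")
        for item in found:
            print("  -", item)
```

Run it against a real file by replacing the embedded strings with `open("/etc/samba/smb.conf").read()`; it does not consult AD, so it only catches configuration mistakes, not an already-expired machine account.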
