[Samba] Samba AD member lost domain join after reboot


Alexis RIES

Jun 6, 2016, 4:00:03 PM
Hello,

After each reboot, my Samba AD member server loses its domain join and I
have to re-join the server to the domain with "net ads join -U
administrator".

I use version 4.4.3 of samba.
The domain controller is a Samba AD server.

After reboot, when I execute "net ads testjoin" I have:
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
Preauthentication
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
Preauthentication
Join to domain is not valid: Logon failure

And when I execute "wbinfo -t":
checking the trust secret for domain SAMDOM via RPC calls failed
wbcCheckTrustCredentials (SAMDOM): error code Was
NT_STATUS_USER_SESSION_DELETED (0xc0000203)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

Does anyone know this problem?
How can I make the domain join persist across reboots?

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

Jun 6, 2016, 4:10:04 PM
On 06/06/16 14:52, Alexis RIES wrote:
> Hello,
>
> After each reboot, my Samba AD member server loses its domain join and I
> have to re-join the server to the domain with "net ads join -U
> administrator".
>
> I use version 4.4.3 of samba.
> The domain controller is a Samba AD server.
>
> After reboot, when I execute "net ads testjoin" I have:
> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
> Preauthentication
> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
> Preauthentication
> Join to domain is not valid: Logon failure
>
> And when I execute "wbinfo -t":
> checking the trust secret for domain SAMDOM via RPC calls failed
> wbcCheckTrustCredentials (SAMDOM): error code Was
> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> Could not check secret
>
> Does anyone know this problem?
> How can I make the domain join persist across reboots?
>

Hi, can you post your smb.conf from the domain member?
What OS?
Does the domain member have a fixed IP or does it use DHCP?

Rowland

Alexis RIES

Jun 7, 2016, 3:20:04 AM
Hi, attached are my smb.conf and the Winbind debug log after reboot.
My OS is Debian Jessie and it has a fixed IP.

Thank you
Alexis RIES
Service informatique
Tel : 04.22.32.97.26
Fax : 04.84.25.27.40
Email : alexi...@kinaxia.fr
http://www.kinaxia.fr



smb.conf
winbind_debug.txt

Rowland penny

Jun 7, 2016, 3:50:02 AM
OK, it should work, but can I suggest a few changes to your smb.conf?

cat 'vfs objects = fileid' and 'vfs objects = acl_xattr full_audit' i.e.
make it 'vfs objects = fileid acl_xattr full_audit'

Remove all the 'valid users' etc. and use ACLs instead; you can set these
from Windows or with setfacl.

Add 'ldap server require strong auth = No'

If you are actually using '.local' and avahi is running, I suggest you
turn it off.

Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf?

Finally, is /etc/krb5.keytab being created by the join?

Alexis RIES

Jun 7, 2016, 6:40:03 AM
Yes, the /etc/krb5.keytab file is created by the domain join.

I just noticed that it's not only after a reboot that I have this problem.
I lost the domain join on my first SMB server, which has not been restarted.

Note that I use Cluster Mode (CTDB), but the problem is the same when I
remove the cluster configuration.

Attached are the requested files.


Thank you,
Alexis.
krb5.conf
hosts.txt
resolv.conf

Rowland penny

Jun 7, 2016, 7:00:02 AM
Everything looks OK. Do you have all these packages installed?

libpam-winbind libnss-winbind libpam-krb5

What are the permissions on /etc/krb5.keytab?

You could try adding this line to smb.conf:

username map = /etc/samba/samba_usermapping

Then create /etc/samba/samba_usermapping with this content:

!root = SAMDOM\Administrator SAMDOM\administrator

Obviously you can put the usermapping file anywhere and replace 'SAMDOM'
with your NetBIOS domain name.

Alexis RIES

Jun 7, 2016, 9:50:03 AM
I put the usermapping in place but this does not solve the problem.

I do not use libpam-winbind and libpam-krb5 because I did not need to
log in to the server using domain accounts; it seems to me that this is not
mandatory, can you confirm?

Here are the permissions of the file /etc/krb5.keytab:
root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
-rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab

Avahi is not installed on this server.

For information, when I run "wbinfo -P", I have this result:
root@smb1:/home/adminlocal# wbinfo -P
checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
(0xc0000203)

I see that the domain controller is not specified, on my other server
(SMB2) I have the address of the domain controller.

Thank you,
Alexis.

Rowland penny

Jun 7, 2016, 10:10:04 AM
On 07/06/16 14:44, Alexis RIES wrote:
> I put the usermapping in place but this does not solve the problem.
>
> I do not use libpam-winbind and libpam-krb5 because I did not need to
> log in to the server using domain accounts; it seems to me that this is not
> mandatory, can you confirm?

This could well be your problem, try installing them. My domain member
works and this seems to be the only difference between my domain member
and yours.

>
>
> Here are the permissions of the file /etc/krb5.keytab:
> root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab

That again is the same as on my domain member.

>
>
> Avahi is not installed on this server.
>
> For information, when I run "wbinfo -P", I have this result:
> root@smb1:/home/adminlocal# wbinfo -P
> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
> wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
> (0xc0000203)
>

This works for me:

root@debnet:/home/rowland/ # wbinfo -P
checking the NETLOGON dc connection to "dc1.samdom.example.com" succeeded

Alexis RIES

Jun 7, 2016, 12:20:03 PM
I think I found my problem: when configuring my second domain
controller, I created by mistake a round-robin DNS entry in
"Forward Lookup Zones -> ad.samdom.local".
I speak of round-robin because I have two A records pointing to the same
domain.

Now I'm lost; do you have a second domain controller for failover?
If so, could you give me your DNS configuration? I need information on:

Forward Lookup Zones -> ad.samdom.local.
Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones

Currently I have two domain controllers in these zones (thus the
round-robin).
However, I have not touched the DomainDnsZones and ForestDnsZones zones;
this must have been done by "samba-tool domain join" executed during
installation, but I'm not sure.

Is it normal to have the round-robin on ForestDnsZones and DomainDnsZones?

Please find attached the export of my DNS configuration.

Thank you,
Alexis.



On 07/06/2016 16:05, Rowland penny wrote:
> On 07/06/16 14:44, Alexis RIES wrote:
>> I put the usermapping in place but this does not solve the problem.
>>
>> I do not use libpam-winbind and libpam-krb5 because I did not need to
>> log in to the server using domain accounts; it seems to me that this is not
>> mandatory, can you confirm?
>
> This could well be your problem, try installing them. My domain member
> works and this seems to be the only difference between my domain
> member and yours.
>
>>
>>
>> Here are the permissions of the file /etc/krb5.keytab:
>> root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
>
> That again is the same as on my domain member.
>
>>
>>
>> Avahi is not installed on this server.
>>
>> For information, when I run "wbinfo -P", I have this result:
>> root@smb1:/home/adminlocal# wbinfo -P
>> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
>> wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
>> (0xc0000203)
>>
>
> This works for me:
>
> root@debnet:/home/rowland/ # wbinfo -P
> checking the NETLOGON dc connection to "dc1.samdom.example.com" succeeded
>
> Rowland

--
ad.samdom.local.txt
ForestDnsZones.txt
DomainDnsZones.txt

Rowland penny

Jun 7, 2016, 12:40:03 PM
How did you obtain the three files you attached? What command(s) did
you run?
Are you using the internal DNS server on the DCs, or are you using Bind9?
If you are using Bind9, how have you configured it?

Alexis RIES

Jun 7, 2016, 1:00:03 PM
I was wrong, the problem persists; it is not because of the DNS.
Do you have the same configuration as me, but with two domain controllers?

Rowland penny

Jun 7, 2016, 1:00:03 PM
On 07/06/16 17:31, Alexis RIES wrote:
> I was wrong, the problem persists; it is not because of the DNS.
> Do you have the same configuration as me, but with two domain controllers?
>

I have two DCs but I don't know if the DNS is set up like yours, so can
you please answer the questions from my last post?

lingpa...@gmail.com

Jun 7, 2016, 1:00:04 PM
Alexis, can you run 'net ads testjoin -d 3' and report? Can you also
verify that replication is working on your DCs?

--
-James

lingpa...@gmail.com

Jun 7, 2016, 1:10:03 PM
On 6/7/2016 12:31 PM, Alexis RIES wrote:
Actually, can you run it at level 4? 'net ads testjoin -d 4'

--
-James

Alexis RIES

Jun 8, 2016, 4:10:03 AM
Hi,

You will find attached the output of "net ads testjoin -d4" and "-d3".
Yes, replication seems to work properly.

Alexis.
showrepl_drs.txt
testjoin_d3.txt
testjoin_d4.txt

Alexis RIES

Jun 8, 2016, 4:40:03 AM
Hi,

I used the DNS management console: right-click on the zone and "Export List".
I use Bind9, and yes, it is configured.

Alexis.

Rowland penny

Jun 8, 2016, 5:00:04 AM
On 08/06/16 08:17, Alexis RIES wrote:
> Hi,
>
> I used the DNS management console: right-click on the zone and "Export List".
> I use Bind9, and yes, it is configured.

Yes, but *how* is it configured?

Alexis RIES

Jun 8, 2016, 11:10:03 AM
I conducted many tests and I noticed that I lose the domain join on SMB1
as soon as I join SMB2 to the domain.

Step 1: SMB1 "net ads join -Uadministrator" -> OK
Step 2: SMB1 "net ads testjoin" -> OK
Step 3: SMB2 "net ads join -Uadministrator" -> OK
Step 4: SMB2 "net ads testjoin" -> OK
Step 5: SMB1 "net ads testjoin" -> Preauthentication failed

And vice versa in the opposite direction. Obviously I can integrate a
single domain member server.

With only one Samba server as a domain member, it works correctly.
It's when I join the second server that the first server loses the domain.

I completely reinstalled Debian and Samba on SMB2: problem unsolved.
I installed a new domain controller without replication: problem unsolved.

I do not understand, because SMB2 is a new install; no servers have been
cloned.
I checked my hostnames and MAC addresses; there are no duplicates on the servers.

Alexis.

Alexis RIES

Jun 8, 2016, 12:10:03 PM
Aah! Problem solved!

The NetBIOS name was different between SMB1 and SMB2.
The CTDB documentation specifies that the NetBIOS name must be the same
on all nodes.

I have not lost the domain join since, even after a reboot.

Thank you all for your help.
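Two smb.conf pitfalls come up in this thread: the repeated 'vfs objects' line Rowland pointed out (Samba keeps only the last occurrence of a parameter, so the first is silently dropped) and the differing 'netbios name' between CTDB nodes that turned out to be the cause. The checker below is an added example, not code from the thread or from the Samba project; the sample configs are constructed and the node names, the SMBCLUSTER name and the 'clustering = yes' line are assumptions for illustration.

```python
"""Added example, not code from the thread: checks smb.conf for a repeated parameter
(Samba keeps only the last line) and for CTDB nodes whose 'netbios name' differ."""
import re

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: [values in file order]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                    # start of a [section]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # normalise case and spacing
            sections[current].setdefault(key, []).append(value.strip())
    return sections

def duplicate_params(sections):
    """(section, key, effective value) for every key that is set more than once."""
    return [(sec, key, vals[-1]) for sec, params in sections.items()
            for key, vals in params.items() if len(vals) > 1]

def netbios_names(node_confs):
    """{node: netbios name} read from each node's [global] section."""
    return {node: parse_smb_conf(text).get("global", {}).get("netbios name", ["(unset)"])[-1].upper()
            for node, text in node_confs.items()}

def check_cluster(node_confs):
    """Findings for a set of CTDB nodes given as {node: smb.conf text}."""
    findings = []
    for node, text in node_confs.items():
        for sec, key, last in duplicate_params(parse_smb_conf(text)):
            findings.append(f"{node}: [{sec}] '{key}' repeated; only '{last}' takes effect")
    names = netbios_names(node_confs)
    if len(set(names.values())) > 1:             # CTDB requires one name on all nodes
        findings.append("netbios name differs across nodes: " + ", ".join(f"{n}={v}" for n, v in sorted(names.items())))
    return findings

# Constructed sample configs mirroring the thread: SMB2 was joined under another name.
SMB1_CONF = """[global]
   clustering = yes
   netbios name = SMBCLUSTER
   vfs objects = fileid
   vfs objects = acl_xattr full_audit
"""
SMB2_CONF = SMB1_CONF.replace("netbios name = SMBCLUSTER", "netbios name = SMB2")
```

Calling check_cluster({"smb1": SMB1_CONF, "smb2": SMB2_CONF}) reports the dropped 'fileid' on both nodes and the name mismatch; on a real cluster, feed it the output of `testparm -s` from each node.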

lingpa...@gmail.com

Jun 8, 2016, 12:50:03 PM
I do not know what the issue could be, looking through the logs. Have you
tried cleaning up your domain by removing all traces of the member
servers and attempting to re-join?

Can you compare the DCs' LDAP databases against each other to make sure
replication is in fact working? Is NTP installed on the DCs?

https://wiki.samba.org/index.php/Samba-tool_ldapcmp

--
-James