info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Samba AD member lost domain join after reboot
1,908 views
Skip to first unread message
Alexis RIES
Jun 6, 2016, 4:00:03 PM6/6/16
to
Hello,
After each reboot, my Samba AD member server lost domain join after
reboot, I have to re-enter the server in the domain with the "net ads
join -U administrator".
I use version 4.4.3 of samba.
The domain controller is a Samba AD server.
After reboot, when I exectute "net ads testjoin" I have:
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
Preauthentication
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
Preauthentication
Join to domain is not valid: Logon failure
And when I execute "wbinfo -t":
checking the trust secret for domain SAMDOM via RPC calls failed
wbcCheckTrustCredentials (SAMDOM): error code Was
NT_STATUS_USER_SESSION_DELETED (0xc0000203)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
Anyone know this problem?
How can I make the domain-join to persist reboots?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
After each reboot, my Samba AD member server lost domain join after
reboot, I have to re-enter the server in the domain with the "net ads
join -U administrator".
I use version 4.4.3 of samba.
The domain controller is a Samba AD server.
After reboot, when I exectute "net ads testjoin" I have:
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
Preauthentication
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
Preauthentication
Join to domain is not valid: Logon failure
And when I execute "wbinfo -t":
checking the trust secret for domain SAMDOM via RPC calls failed
wbcCheckTrustCredentials (SAMDOM): error code Was
NT_STATUS_USER_SESSION_DELETED (0xc0000203)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
Anyone know this problem?
How can I make the domain-join to persist reboots?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
Jun 6, 2016, 4:10:04 PM6/6/16
to
On 06/06/16 14:52, Alexis RIES wrote:
> Hello,
>
> After each reboot, my Samba AD member server lost domain join after
> reboot, I have to re-enter the server in the domain with the "net ads
> join -U administrator".
>
> I use version 4.4.3 of samba.
> The domain controller is a Samba AD server.
>
> After reboot, when I exectute "net ads testjoin" I have:
> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
> Preauthentication
> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
> Preauthentication
> Join to domain is not valid: Logon failure
>
> And when I execute "wbinfo -t":
> checking the trust secret for domain SAMDOM via RPC calls failed
> wbcCheckTrustCredentials (SAMDOM): error code Was
> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> Could not check secret
>
> Anyone know this problem?
> How can I make the domain-join to persist reboots?
>
Hi, can you post your smb.conf from the domain member.
> Hello,
>
> After each reboot, my Samba AD member server lost domain join after
> reboot, I have to re-enter the server in the domain with the "net ads
> join -U administrator".
>
> I use version 4.4.3 of samba.
> The domain controller is a Samba AD server.
>
> After reboot, when I exectute "net ads testjoin" I have:
> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
> Preauthentication
> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed
> Preauthentication
> Join to domain is not valid: Logon failure
>
> And when I execute "wbinfo -t":
> checking the trust secret for domain SAMDOM via RPC calls failed
> wbcCheckTrustCredentials (SAMDOM): error code Was
> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> Could not check secret
>
> Anyone know this problem?
> How can I make the domain-join to persist reboots?
>
What OS ?
Does the domain member have a fixed ip or does it use DHCP ?
Rowland
Alexis RIES
Jun 7, 2016, 3:20:04 AM6/7/16
to
Hi, here it attached my smb.conf and Winbind debug log after reboot.
My OS is Debian Jessie and has a fixed ip.
Thank you
k
Alexis RIES
Service informatique
Tel : 04.22.32.97.26
Fax : 04.84.25.27.40
Email : alexi...@kinaxia.fr
http://www.kinaxia.fr
My OS is Debian Jessie and has a fixed ip.
Thank you
Alexis RIES
Service informatique
Tel : 04.22.32.97.26
Fax : 04.84.25.27.40
Email : alexi...@kinaxia.fr
http://www.kinaxia.fr
Rowland penny
Jun 7, 2016, 3:50:02 AM6/7/16
to
cat 'vfs objects = fileid' and 'vfs objects = acl_xattr full_audit' i.e.
make it 'vfs objects = fileid acl_xattr full_audit'
Remove all the 'valid users' etc and use ACLs instead, you can set these
from windows or with setfacl.
add 'ldap server require strong auth = No'
If you are actually using '.local' and avahi is running, I suggest you
turn it off.
Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf
Finally is /etc/krb5.keytab being created by the join ?
Alexis RIES
Jun 7, 2016, 6:40:03 AM6/7/16
to
Yes, the /etc/krb5.keytab file is created when the domain-join.
I just noticed that it's not only after a reboot I have this problem.
I lost the domain-join on my first SMB server, it has not been restarted.
Note that I use Cluster Mode (CTDB), but the problem is the same when I
remove the cluster configuration.
Attached is the requested files.
Thank you,
Alexis.
>>>> é&a z
I just noticed that it's not only after a reboot I have this problem.
I lost the domain-join on my first SMB server, it has not been restarted.
Note that I use Cluster Mode (CTDB), but the problem is the same when I
remove the cluster configuration.
Attached is the requested files.
Thank you,
Alexis.
Rowland penny
Jun 7, 2016, 7:00:02 AM6/7/16
to
libpam-winbind libnss-winbind libpam-krb5
What are the permissions on /etc/krb5.keytab
You could try adding this line to smb.conf:
username map = /etc/samba/samba_usermapping
Then create /etc/samba/samba_usermapping with this content:
!root = SAMDOM\Administrator SAMDOM\administrator
Obviously you can put the usermapping file anywhere and replace 'SAMDOM'
with your NetBIOS domain name.
Alexis RIES
Jun 7, 2016, 9:50:03 AM6/7/16
to
I put the usermapping but this does not solve the problem.
I do not use libpam_winbind and libpam-krb5 because I did not need to
log in server using domain accounts, it seems to me that this is not
mandatory, you confirm ?
Here are the permissions of the file /etc/krb5.keytab:
root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
-rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
Avahi is not installed on this server
For information, when I run "wbinfo -P", I have this result:
SMB1 root @: / home / adminlocal # wbinfo -P
checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
(0xc0000203)
I see that the domain controller is not specified, on my other server
(SMB2) I have the address of the domain controller.
Thank you,
Alexis.
I do not use libpam_winbind and libpam-krb5 because I did not need to
log in server using domain accounts, it seems to me that this is not
mandatory, you confirm ?
Here are the permissions of the file /etc/krb5.keytab:
root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
-rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
Avahi is not installed on this server
For information, when I run "wbinfo -P", I have this result:
SMB1 root @: / home / adminlocal # wbinfo -P
checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
(0xc0000203)
I see that the domain controller is not specified, on my other server
(SMB2) I have the address of the domain controller.
Thank you,
Alexis.
Rowland penny
Jun 7, 2016, 10:10:04 AM6/7/16
to
On 07/06/16 14:44, Alexis RIES wrote:
> I put the usermapping but this does not solve the problem.
>
> I do not use libpam_winbind and libpam-krb5 because I did not need to
> log in server using domain accounts, it seems to me that this is not
> mandatory, you confirm ?
This could well be your problem, try installing them. My domain member
> I put the usermapping but this does not solve the problem.
>
> I do not use libpam_winbind and libpam-krb5 because I did not need to
> log in server using domain accounts, it seems to me that this is not
> mandatory, you confirm ?
works and this seems to be the only difference between my domain member
and yours.
>
>
> Here are the permissions of the file /etc/krb5.keytab:
> root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
>
>
> Avahi is not installed on this server
>
> For information, when I run "wbinfo -P", I have this result:
> SMB1 root @: / home / adminlocal # wbinfo -P
> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
> wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
> (0xc0000203)
>
root@debnet:/home/rowland/ # wbinfo -P
checking the NETLOGON dc connection to "dc1.samdom.example.com" succeeded
Alexis RIES
Jun 7, 2016, 12:20:03 PM6/7/16
to
I think I found my problem, when configuring my second domain
controller, I have created by mistake a round robin DNS entry on
"Forward Lookup Zones -> ad.samdom.local".
I speak of round-robin because I have two fields A pointing to the same
domain
Now I'm lost, you have a second domain controller in failover?
If so, could you give me your DNS configuration? I need information on:
Forward Lookup Zones -> ad.samdom.local.
Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones
Currently I have two domain controllers in these areas (thus the
round-robin).
However, I have not touched the DomainDnsZones and ForestDnsZones areas,
this had to be done by "samba-tool domain join" executed during
installation but I'm not sure.
Is it normal to have the round robin on ForestDnsZones and DomainDnsZones ?
Please find attached the export of my DNS configuration.
Thank you,
Alexis.
On 07/06/2016 16:05, Rowland penny wrote:
> On 07/06/16 14:44, Alexis RIES wrote:
>> I put the usermapping but this does not solve the problem.
>>
>> I do not use libpam_winbind and libpam-krb5 because I did not need to
>> log in server using domain accounts, it seems to me that this is not
>> mandatory, you confirm ?
>
> This could well be your problem, try installing them. My domain member
> works and this seems to be the only difference between my domain
> member and yours.
>
>>
>>
>> Here are the permissions of the file /etc/krb5.keytab:
>> root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
>
> That again is the same as my domain member
>
>>
>>
>> Avahi is not installed on this server
>>
>> For information, when I run "wbinfo -P", I have this result:
>> SMB1 root @: / home / adminlocal # wbinfo -P
>> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
>> wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
>> (0xc0000203)
>>
>
> This works for me:
>
> root@debnet:/home/rowland/ # wbinfo -P
> checking the NETLOGON dc connection to "dc1.samdom.example.com" succeeded
>
> Rowland
>
>
>
>
--
controller, I have created by mistake a round robin DNS entry on
"Forward Lookup Zones -> ad.samdom.local".
I speak of round-robin because I have two fields A pointing to the same
domain
Now I'm lost, you have a second domain controller in failover?
If so, could you give me your DNS configuration? I need information on:
Forward Lookup Zones -> ad.samdom.local.
Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones
Currently I have two domain controllers in these areas (thus the
round-robin).
However, I have not touched the DomainDnsZones and ForestDnsZones areas,
this had to be done by "samba-tool domain join" executed during
installation but I'm not sure.
Is it normal to have the round robin on ForestDnsZones and DomainDnsZones ?
Please find attached the export of my DNS configuration.
Thank you,
Alexis.
On 07/06/2016 16:05, Rowland penny wrote:
> On 07/06/16 14:44, Alexis RIES wrote:
>> I put the usermapping but this does not solve the problem.
>>
>> I do not use libpam_winbind and libpam-krb5 because I did not need to
>> log in server using domain accounts, it seems to me that this is not
>> mandatory, you confirm ?
>
> This could well be your problem, try installing them. My domain member
> works and this seems to be the only difference between my domain
> member and yours.
>
>>
>>
>> Here are the permissions of the file /etc/krb5.keytab:
>> root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
>
> That again is the same as my domain member
>
>>
>>
>> Avahi is not installed on this server
>>
>> For information, when I run "wbinfo -P", I have this result:
>> SMB1 root @: / home / adminlocal # wbinfo -P
>> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
>> wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
>> (0xc0000203)
>>
>
> This works for me:
>
> root@debnet:/home/rowland/ # wbinfo -P
> checking the NETLOGON dc connection to "dc1.samdom.example.com" succeeded
>
> Rowland
>
>
>
>
--
Rowland penny
Jun 7, 2016, 12:40:03 PM6/7/16
to
you run ?
Are you using the internal DNS server on the DCs, or are you using Bind9?
If you are using bind9, how have you configured it ?
Alexis RIES
Jun 7, 2016, 1:00:03 PM6/7/16
to
I was wrong, the problem persists, it is not because of the DNS.
You have the same configuration as me, but with two domains controller ?
You have the same configuration as me, but with two domains controller ?
Rowland penny
Jun 7, 2016, 1:00:03 PM6/7/16
to
On 07/06/16 17:31, Alexis RIES wrote:
> I was wrong, the problem persists, it is not because of the DNS.
> You have the same configuration as me, but with two domains controller ?
>
I have two DCs but I don't know if the DNS is set up like yours, so can
> I was wrong, the problem persists, it is not because of the DNS.
> You have the same configuration as me, but with two domains controller ?
>
you please answer the questions from my last post ???
lingpa...@gmail.com
Jun 7, 2016, 1:00:04 PM6/7/16
to
verify replication is working on your DC's?
--
-James
lingpa...@gmail.com
Jun 7, 2016, 1:10:03 PM6/7/16
to
On 6/7/2016 12:31 PM, Alexis RIES wrote:
--
-James
Alexis RIES
Jun 8, 2016, 4:40:03 AM6/8/16
to
Hi,
I used the DNS management console, right click on zone and "export list".
I use Bind9, and yes it is configured.
Alexis.
I used the DNS management console, right click on zone and "export list".
I use Bind9, and yes it is configured.
Alexis.
Rowland penny
Jun 8, 2016, 5:00:04 AM6/8/16
to
On 08/06/16 08:17, Alexis RIES wrote:
> Hi,
>
> I used the DNS management console, right click on zone and "export list".
> I use Bind9, and yes it is configured.
Yes, but *how* is it configured ?
> Hi,
>
> I used the DNS management console, right click on zone and "export list".
> I use Bind9, and yes it is configured.
Alexis RIES
Jun 8, 2016, 11:10:03 AM6/8/16
to
I conducted many tests and I noticed that I lose the domain-join on SMB1
soon as I joined SMB2 in the domain.
Step 1: SMB1 "net ads join -Uadministrator" -> OK
Step 2: SMB1 "net ads testjoin" -> OK
Step 3: SMB2 "net ads join -Uadministrator" -> OK
Step 4: SMB2 "net ads testjoin" -> OK
Step 5: SMB1 "net ads testjoin" -> Preauthentication failed
And vice versa in the opposite direction. Obviously I can integrate a
single domain member server.
With only one Samba server a domain member, it works correctly.
That's when I joined the second server, the first server loses the field.
I reinstalled completely on Debian and Samba SMB2: unsolved problem.
I installed a new domain controller without replication: unsolved problem.
I do not understand because SMB2 is a new install, no servers have been
cloned.
I checked my hostname, MAC address, there is no duplicate on the servers.
Alexis.
soon as I joined SMB2 in the domain.
Step 1: SMB1 "net ads join -Uadministrator" -> OK
Step 2: SMB1 "net ads testjoin" -> OK
Step 3: SMB2 "net ads join -Uadministrator" -> OK
Step 4: SMB2 "net ads testjoin" -> OK
Step 5: SMB1 "net ads testjoin" -> Preauthentication failed
And vice versa in the opposite direction. Obviously I can integrate a
single domain member server.
With only one Samba server a domain member, it works correctly.
That's when I joined the second server, the first server loses the field.
I reinstalled completely on Debian and Samba SMB2: unsolved problem.
I installed a new domain controller without replication: unsolved problem.
I do not understand because SMB2 is a new install, no servers have been
cloned.
I checked my hostname, MAC address, there is no duplicate on the servers.
Alexis.
Alexis RIES
Jun 8, 2016, 12:10:03 PM6/8/16
to
Aah! problem solved !
The netbios name was different between SMB1 and SMB2.
In the documentation of CTDB it is specified that the netbios name must
be the same on all nodes.
I have not lost domain-join, even after a reboot.
Thank you all for your help.
The netbios name was different between SMB1 and SMB2.
In the documentation of CTDB it is specified that the netbios name must
be the same on all nodes.
I have not lost domain-join, even after a reboot.
Thank you all for your help.
lingpa...@gmail.com
Jun 8, 2016, 12:50:03 PM6/8/16
to
tried cleaning up your domain by removing all traces of the member
servers and attempting to re-join?
Can you compare the DC's ldap databases against each other to make sure
replication is in fact working? Is NTP installed on the DC's?
https://wiki.samba.org/index.php/Samba-tool_ldapcmp
--
-James
0 new messages