On Fri, 2012-11-16 at 15:49 +1030, Andrew Galdes wrote:
> Hello all,
>
> I've recently posted here for help with a Samba domain member system which
> seems to lose its domain membership. I want to discuss it a little more. I
> have more information. I'm after comments and suggestions for
> troubleshooting. Also, I say "loses membership" but I don't really know if
> it has lost it. Just doesn't work anymore until I re-join the Samba system
> to the domain.
>
> I have noticed this behaviour with two sites (installations) now. Both are
> CentOS systems with Samba versions as follows:
>
> samba-*-3.5.10-125.el6.x86_64
> samba-*-3.5.10-115.el6_2.x86_64
>
> I successfully join these systems to Active Directory domains (2008 R2
> DCs) using the following command. The system can then do as I need and
> "wbinfo" works:
>
> net join -U Administrator%MyPass
>
> After some time the Samba servers will stop functioning as expected and
> users will get 'access denied' errors. "wbinfo" stops working.
>
> Some error messages:
>
> LOG FILE: "/var/log/samba/log.wb-MYDOM"
>
> [2012/11/12 13:20:43.338947, 0]
> libsmb/cliconnect.c:1052(cli_session_setup_spnego)
> Kinit failed: Preauthentication failed
> [2012/11/12 13:20:43.459457, 2]
> winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
> NTLM CRAP authentication for user [MYDOM]\[myuser] returned
> NT_STATUS_ACCESS_DENIED (PAM: 4)
>
> Notice Kinit in the above error. I have not configured Kerberos at this
> point.
>
> I have not identified consistent time intervals for these 'drop-outs'. I
> have not updated (YUM) these systems between the joining and dropping from
> the domains.
>
> What might cause this?

What causes this is that when we change our domain membership password,
the connection to the DC we change against times out. There is a
patch in later releases for this (gives a longer timeout).

The issue is, this takes longer than we allow, so we think it failed,
but it actually succeeded, and so we lose our membership.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
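
The following is an added example, not part of the thread or of Samba: a small parser for winbind log records in the format quoted above that reports when each of the two quoted symptoms first appears, so the onset can be compared with the time of the machine-password change described in the reply. The function names are hypothetical, and the sample log is constructed from the two quoted records plus one later repeat.

```python
import re
from datetime import datetime

# Header of a Samba debug record: "[YYYY/MM/DD HH:MM:SS.usec, level]",
# optionally followed on the same line by the source location.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*(\d+)\]\s*(.*)$")

# The two symptoms quoted in the thread.
SYMPTOMS = {
    "kinit_preauth": "Kinit failed: Preauthentication failed",
    "ntlm_denied": "NT_STATUS_ACCESS_DENIED",
}

def parse_records(text):
    """Yield (timestamp, level, body); a record is a header plus continuation lines."""
    current = None
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()      # tolerate mail-quoted or indented logs
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = (ts, int(m.group(2)), [m.group(3)] if m.group(3) else [])
        elif current and line:
            current[2].append(line)
    if current:
        yield current[0], current[1], " ".join(current[2])

def first_failures(text):
    """Return {symptom name: earliest timestamp} for each symptom found in the log."""
    onset = {}
    for ts, _level, body in parse_records(text):
        for name, needle in SYMPTOMS.items():
            if needle in body and (name not in onset or ts < onset[name]):
                onset[name] = ts
    return onset

# Constructed sample: the two quoted records, then a later repeat of the first.
SAMPLE = r"""
[2012/11/12 13:20:43.338947, 0]
libsmb/cliconnect.c:1052(cli_session_setup_spnego)
Kinit failed: Preauthentication failed
[2012/11/12 13:20:43.459457, 2]
winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [MYDOM]\[myuser] returned
NT_STATUS_ACCESS_DENIED (PAM: 4)
[2012/11/12 13:25:01.000001, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
  Kinit failed: Preauthentication failed
"""

if __name__ == "__main__":
    for name, ts in sorted(first_failures(SAMPLE).items()):
        print(f"{name}: first seen {ts}")
```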