Yes, the /etc/krb5.keytab file is created by the domain join.

I just noticed that it's not only after a reboot that I have this problem. I lost the domain join on my first SMB server, and it has not been restarted.

Note that I use Cluster Mode (CTDB), but the problem is the same when I remove the cluster configuration.

Attached are the requested files.

Thank you,
Alexis.

On 07/06/2016 09:43, Rowland penny wrote:
> On 07/06/16 07:31, Alexis RIES wrote:
>> Hi, attached are my smb.conf and Winbind debug log after reboot.
>> My OS is Debian Jessie and it has a fixed IP.
>>
>> Thank you
>>
>> On 06/06/2016 22:05, Rowland penny wrote:
>>> On 06/06/16 14:52, Alexis RIES wrote:
>>>> Hello,
>>>>
>>>> After each reboot, my Samba AD member server loses its domain join; I have to re-enter the server into the domain with "net ads join -U administrator".
>>>>
>>>> I use version 4.4.3 of Samba.
>>>> The domain controller is a Samba AD server.
>>>>
>>>> After reboot, when I execute "net ads testjoin" I get:
>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed Preauthentication
>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed Preauthentication
>>>> Join to domain is not valid: Logon failure
>>>>
>>>> And when I execute "wbinfo -t":
>>>> checking the trust secret for domain SAMDOM via RPC calls failed
>>>> wbcCheckTrustCredentials (SAMDOM): error code was NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>>>> Could not check secret
>>>
>>> Hi, can you post your smb.conf from the domain member.
>>> What OS?
>>> Does the domain member have a fixed IP or does it use DHCP?
>>>
>>> Rowland
>
> OK, it should work, but can I suggest a few changes to your smb.conf:
>
> cat 'vfs objects = fileid' and 'vfs objects = acl_xattr full_audit', i.e. make it 'vfs objects = fileid acl_xattr full_audit'
>
> Remove all the 'valid users' etc. and use ACLs instead; you can set these from Windows or with setfacl.
>
> add 'ldap server require strong auth = No'
>
> If you are actually using '.local' and avahi is running, I suggest you turn it off.
>
> Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf
>
> Finally, is /etc/krb5.keytab being created by the join?
>
> Rowland

-------------- next part --------------
[libdefaults]
        default_realm = AD.SAMDOM.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

-------------- next part --------------
127.0.0.1       localhost
192.168.254.3   SMB1.AD.SAMDOM.LOCAL SMB1
192.168.254.4   SMB2.AD.SAMDOM.LOCAL SMB2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-------------- next part --------------
domain samdom.local
search samdom.local
nameserver 192.168.254.1
nameserver 192.168.254.2
options timeout:2
On 07/06/16 10:13, Alexis RIES wrote:
> Yes, the /etc/krb5.keytab file is created by the domain join.
>
> I just noticed that it's not only after a reboot that I have this problem. I lost the domain join on my first SMB server, and it has not been restarted.
>
> Note that I use Cluster Mode (CTDB), but the problem is the same when I remove the cluster configuration.
>
> Attached are the requested files.
>
> Thank you,
> Alexis.

Everything looks OK. Do you have all these packages installed:

libpam-winbind libnss-winbind libpam-krb5

What are the permissions on /etc/krb5.keytab?

You could try adding this line to smb.conf:

username map = /etc/samba/samba_usermapping

Then create /etc/samba/samba_usermapping with this content:

!root = SAMDOM\Administrator SAMDOM\administrator

Obviously you can put the usermapping file anywhere and replace 'SAMDOM' with your NetBIOS domain name.

Rowland
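The items Rowland asks for in this thread (the realm in krb5.conf, the nameservers in resolv.conf, the member's /etc/hosts line, and the permissions on /etc/krb5.keytab) are all things a domain member admin can check offline before re-running "net ads join". The script below is an added example; it is not code from the thread or from Samba. It copies the krb5.conf, /etc/hosts and /etc/resolv.conf posted above into a temporary directory (the smb.conf fragment is constructed, since the thread never shows one, and assumes `realm = AD.SAMDOM.LOCAL`), then checks that krb5.conf and smb.conf name the same realm, that every nameserver is one of the DC addresses (192.168.254.1 and .2, from the posted resolv.conf), that the member's own hosts entry lists its FQDN before its short name, and that the keytab mode handed to it is 600. All function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: offline consistency checks for the
# files a Samba AD domain member relies on to keep its join usable. Sample data
# is the krb5.conf, /etc/hosts and /etc/resolv.conf posted in the thread; the
# smb.conf fragment and every function name here are my own.

# default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# 'realm =' value from an smb.conf.
smb_realm() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# 0 when both files name the same Kerberos realm (case-insensitive), else 1.
realms_match() {
    k=$(krb5_default_realm "$1" | tr '[:lower:]' '[:upper:]')
    s=$(smb_realm "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$k" ] && [ "$k" = "$s" ]
}

# 0 when every nameserver in resolv.conf is one of the DC addresses passed as
# further arguments: a member must get its AD SRV records from the AD DNS.
resolv_uses_only_dcs() {
    resolv_file=$1; shift
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$resolv_file"); do
        hit=1
        for dc in "$@"; do
            [ "$ns" = "$dc" ] && hit=0
        done
        [ "$hit" -eq 0 ] || return 1
    done
    return 0
}

# 0 when /etc/hosts has an "IP FQDN SHORT" line for this member (FQDN first).
hosts_fqdn_first() {
    awk -v ip="$2" -v fqdn="$(echo "$3" | tr '[:upper:]' '[:lower:]')" \
        -v short="$(echo "$4" | tr '[:upper:]' '[:lower:]')" '
        $1 !~ /^#/ && $1 == ip && tolower($2) == fqdn && tolower($3) == short { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# 0 when an octal mode string (as printed by: stat -c %a /etc/krb5.keytab) is 600,
# i.e. the keytab is readable by root only.
keytab_mode_ok() {
    [ "$1" = "600" ]
}

# Write the thread's sample files (plus a constructed smb.conf) into DIR.
write_samples() {
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = AD.SAMDOM.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
EOF
    cat > "$1/hosts" <<'EOF'
127.0.0.1 localhost
192.168.254.3 SMB1.AD.SAMDOM.LOCAL SMB1
192.168.254.4 SMB2.AD.SAMDOM.LOCAL SMB2
EOF
    cat > "$1/resolv.conf" <<'EOF'
domain samdom.local
search samdom.local
nameserver 192.168.254.1
nameserver 192.168.254.2
EOF
    # Constructed stand-in: the thread never shows the member's smb.conf.
    cat > "$1/smb.conf" <<'EOF'
[global]
        workgroup = SAMDOM
        realm = AD.SAMDOM.LOCAL
        security = ADS
EOF
}

# Run every check for one member. Args: DIR IP FQDN SHORT KEYTAB_MODE DC...
# Prints one line per check; returns 0 only when all of them pass.
check_member() {
    dir=$1; ip=$2; fqdn=$3; short=$4; mode=$5; shift 5
    failures=0
    realms_match "$dir/krb5.conf" "$dir/smb.conf" \
        && echo "ok   realm agrees between krb5.conf and smb.conf" \
        || { echo "FAIL realm differs between krb5.conf and smb.conf"; failures=$((failures+1)); }
    resolv_uses_only_dcs "$dir/resolv.conf" "$@" \
        && echo "ok   resolv.conf only points at the DCs" \
        || { echo "FAIL resolv.conf lists a nameserver that is not a DC"; failures=$((failures+1)); }
    hosts_fqdn_first "$dir/hosts" "$ip" "$fqdn" "$short" \
        && echo "ok   hosts entry is 'IP FQDN SHORT'" \
        || { echo "FAIL hosts entry for $short is missing or misordered"; failures=$((failures+1)); }
    keytab_mode_ok "$mode" \
        && echo "ok   keytab mode is 600" \
        || { echo "FAIL keytab mode is $mode, expected 600"; failures=$((failures+1)); }
    [ "$failures" -eq 0 ]
}
```

To try it on the posted data, create a directory, call `write_samples` on it and then `check_member DIR 192.168.254.3 SMB1.AD.SAMDOM.LOCAL SMB1 600 192.168.254.1 192.168.254.2`. On a live member, point it at a directory holding the real files (or symlinks to them) and pass the output of `stat -c %a /etc/krb5.keytab` as the mode. The script only reads files and never talks to a DC, so it complements rather than replaces "net ads testjoin" and "wbinfo -t", which exercise the machine account password itself.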
I put the usermapping in, but this does not solve the problem.

I do not use libpam-winbind and libpam-krb5 because I do not need to log in to the server using domain accounts; it seems to me that this is not mandatory, can you confirm?

Here are the permissions of the file /etc/krb5.keytab:
root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
-rw------- 1 root root 2312 Jun  7 14:44 /etc/krb5.keytab

Avahi is not installed on this server.

For information, when I run "wbinfo -P", I get this result:
root@smb1:/home/adminlocal# wbinfo -P
checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
wbcPingDc2 (SAMDOM): error code was NT_STATUS_USER_SESSION_DELETED (0xc0000203)

I see that the domain controller is not specified; on my other server (SMB2) I have the address of the domain controller.

Thank you,
Alexis.

On 07/06/2016 12:57, Rowland penny wrote:
> Everything looks OK. Do you have all these packages installed:
>
> libpam-winbind libnss-winbind libpam-krb5
>
> What are the permissions on /etc/krb5.keytab?
>
> You could try adding this line to smb.conf:
>
> username map = /etc/samba/samba_usermapping
>
> Then create /etc/samba/samba_usermapping with this content:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> Obviously you can put the usermapping file anywhere and replace 'SAMDOM' with your NetBIOS domain name.
>
> Rowland