samba - Jun 2016 - Samba AD member lost domain join after reboot

Yes, the /etc/krb5.keytab file is created when the domain-join.

I just noticed that it's not only after a reboot I have this problem.
I lost the domain-join on my first SMB server, it has not been restarted.

Note that I use Cluster Mode (CTDB), but the problem is the same when I 
remove the cluster configuration.

Attached is the requested files.


Thank you,
Alexis.



On 07/06/2016 09:43, Rowland penny wrote:
> On 07/06/16 07:31, Alexis RIES wrote:
>> Hi, here it attached my smb.conf and Winbind debug log after reboot.
>> My OS is Debian Jessie and has a fixed ip.
>>
>> Thank you
>>
>> On 06/06/2016 22:05, Rowland penny wrote:
>>> On 06/06/16 14:52, Alexis RIES wrote:
>>>> Hello,
>>>>
>>>> After each reboot, my Samba AD member server lost domain join
after
>>>> reboot, I have to re-enter the server in the domain with the
"net
>>>> ads join -U administrator".
>>>>
>>>> I use version 4.4.3 of samba.
>>>> The domain controller is a Samba AD server.
>>>>
>>>> After reboot, when I exectute "net ads testjoin" I
have:
>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed 
>>>> Preauthentication
>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed 
>>>> Preauthentication
>>>> Join to domain is not valid: Logon failure
>>>>
>>>> And when I execute "wbinfo -t":
>>>> checking the trust secret for domain SAMDOM via RPC calls
failed
>>>> wbcCheckTrustCredentials (SAMDOM): error code Was 
>>>> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>>>> Could not check secret
>>>>
>>>> é&a    z
>>>
>>> Hi, can you post your smb.conf from the domain member.
>>> What OS ?
>>> Does the domain member have a fixed ip or does it use DHCP ?
>>>
>>> Rowland
>>>
>>>
>>
>>
>>
>
> OK, it should work, but can I suggest a few changes to your smb.conf:
>
> cat 'vfs objects = fileid' and 'vfs objects = acl_xattr
full_audit'
> i.e. make it 'vfs objects = fileid acl_xattr full_audit'
>
> Remove all the 'valid users' etc and use ACLs instead, you can set 
> these from windows or with setfacl.
>
> add 'ldap server require strong auth = No'
>
> If you are actually using '.local' and avahi is running, I suggest
you
> turn it off.
>
> Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf
>
> Finally is /etc/krb5.keytab being created by the join ?
>
> Rowland
-------------- next part --------------
[libdefaults]
        default_realm = AD.SAMDOM.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

-------------- next part --------------
127.0.0.1	localhost
192.168.254.3	SMB1.AD.SAMDOM.LOCAL	SMB1
192.168.254.4	SMB2.AD.SAMDOM.LOCAL	SMB2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-------------- next part --------------
domain samdom.local
search samdom.local
nameserver 192.168.254.1
nameserver 192.168.254.2
options timeout:2

On 07/06/16 10:13, Alexis RIES wrote:
> Yes, the /etc/krb5.keytab file is created when the domain-join.
>
> I just noticed that it's not only after a reboot I have this problem.
> I lost the domain-join on my first SMB server, it has not been restarted.
>
> Note that I use Cluster Mode (CTDB), but the problem is the same when 
> I remove the cluster configuration.
>
> Attached is the requested files.
>
>
> Thank you,
> Alexis.
>
>
>
> On 07/06/2016 09:43, Rowland penny wrote:
>> On 07/06/16 07:31, Alexis RIES wrote:
>>> Hi, here it attached my smb.conf and Winbind debug log after
reboot.
>>> My OS is Debian Jessie and has a fixed ip.
>>>
>>> Thank you
>>>
>>> On 06/06/2016 22:05, Rowland penny wrote:
>>>> On 06/06/16 14:52, Alexis RIES wrote:
>>>>> Hello,
>>>>>
>>>>> After each reboot, my Samba AD member server lost domain
join
>>>>> after reboot, I have to re-enter the server in the domain
with the
>>>>> "net ads join -U administrator".
>>>>>
>>>>> I use version 4.4.3 of samba.
>>>>> The domain controller is a Samba AD server.
>>>>>
>>>>> After reboot, when I exectute "net ads testjoin"
I have:
>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed:
failed
>>>>> Preauthentication
>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed:
failed
>>>>> Preauthentication
>>>>> Join to domain is not valid: Logon failure
>>>>>
>>>>> And when I execute "wbinfo -t":
>>>>> checking the trust secret for domain SAMDOM via RPC calls
failed
>>>>> wbcCheckTrustCredentials (SAMDOM): error code Was 
>>>>> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>>>>> Could not check secret
>>>>>
>>>>> é&a    z
>>>>
>>>> Hi, can you post your smb.conf from the domain member.
>>>> What OS ?
>>>> Does the domain member have a fixed ip or does it use DHCP ?
>>>>
>>>> Rowland
>>>>
>>>>
>>>
>>>
>>>
>>
>> OK, it should work, but can I suggest a few changes to your smb.conf:
>>
>> cat 'vfs objects = fileid' and 'vfs objects = acl_xattr
full_audit'
>> i.e. make it 'vfs objects = fileid acl_xattr full_audit'
>>
>> Remove all the 'valid users' etc and use ACLs instead, you can
set
>> these from windows or with setfacl.
>>
>> add 'ldap server require strong auth = No'
>>
>> If you are actually using '.local' and avahi is running, I
suggest
>> you turn it off.
>>
>> Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf
>>
>> Finally is /etc/krb5.keytab being created by the join ?
>>
>> Rowland
>
>
>
Everything looks ok, do you have all these packages installed:

libpam-winbind libnss-winbind libpam-krb5

What are the permissions on /etc/krb5.keytab

You could try adding this line to smb.conf:

username map = /etc/samba/samba_usermapping

Then create /etc/samba/samba_usermapping with this content:

!root = SAMDOM\Administrator SAMDOM\administrator

Obviously you can put the usermapping file anywhere and replace 'SAMDOM'
with your NetBIOS domain name.

Rowland

I put the usermapping but this does not solve the problem.

I do not use libpam_winbind and libpam-krb5 because I did not need to 
log in server using domain accounts, it seems to me that this is not 
mandatory, you confirm ?

Here are the permissions of the file /etc/krb5.keytab:
root at smb1:/home/adminlocal# ls -l /etc/krb5.keytab
-rw------- 1 root root 2312 Jun  7 14:44 /etc/krb5.keytab

Avahi is not installed on this server

For information, when I run "wbinfo -P", I have this result:
SMB1 root @: / home / adminlocal # wbinfo -P
checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED 
(0xc0000203)

I see that the domain controller is not specified, on my other server 
(SMB2) I have the address of the domain controller.

Thank you,
Alexis.


On 07/06/2016 12:57, Rowland penny wrote:
> On 07/06/16 10:13, Alexis RIES wrote:
>> Yes, the /etc/krb5.keytab file is created when the domain-join.
>>
>> I just noticed that it's not only after a reboot I have this
problem.
>> I lost the domain-join on my first SMB server, it has not been 
>> restarted.
>>
>> Note that I use Cluster Mode (CTDB), but the problem is the same when 
>> I remove the cluster configuration.
>>
>> Attached is the requested files.
>>
>>
>> Thank you,
>> Alexis.
>>
>>
>>
>> On 07/06/2016 09:43, Rowland penny wrote:
>>> On 07/06/16 07:31, Alexis RIES wrote:
>>>> Hi, here it attached my smb.conf and Winbind debug log after
reboot.
>>>> My OS is Debian Jessie and has a fixed ip.
>>>>
>>>> Thank you
>>>>
>>>> On 06/06/2016 22:05, Rowland penny wrote:
>>>>> On 06/06/16 14:52, Alexis RIES wrote:
>>>>>> Hello,
>>>>>>
>>>>>> After each reboot, my Samba AD member server lost
domain join
>>>>>> after reboot, I have to re-enter the server in the
domain with
>>>>>> the "net ads join -U administrator".
>>>>>>
>>>>>> I use version 4.4.3 of samba.
>>>>>> The domain controller is a Samba AD server.
>>>>>>
>>>>>> After reboot, when I exectute "net ads
testjoin" I have:
>>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed:
failed
>>>>>> Preauthentication
>>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed:
failed
>>>>>> Preauthentication
>>>>>> Join to domain is not valid: Logon failure
>>>>>>
>>>>>> And when I execute "wbinfo -t":
>>>>>> checking the trust secret for domain SAMDOM via RPC
calls failed
>>>>>> wbcCheckTrustCredentials (SAMDOM): error code Was 
>>>>>> NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>>>> failed to call wbcCheckTrustCredentials:
WBC_ERR_AUTH_ERROR
>>>>>> Could not check secret
>>>>>>
>>>>>> é&a    z
>>>>>
>>>>> Hi, can you post your smb.conf from the domain member.
>>>>> What OS ?
>>>>> Does the domain member have a fixed ip or does it use DHCP
?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> OK, it should work, but can I suggest a few changes to your
smb.conf:
>>>
>>> cat 'vfs objects = fileid' and 'vfs objects = acl_xattr
full_audit'
>>> i.e. make it 'vfs objects = fileid acl_xattr full_audit'
>>>
>>> Remove all the 'valid users' etc and use ACLs instead, you
can set
>>> these from windows or with setfacl.
>>>
>>> add 'ldap server require strong auth = No'
>>>
>>> If you are actually using '.local' and avahi is running, I
suggest
>>> you turn it off.
>>>
>>> Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf
>>>
>>> Finally is /etc/krb5.keytab being created by the join ?
>>>
>>> Rowland
>>
>>
>>
>
> Everything looks ok, do you have all these packages installed:
>
> libpam-winbind libnss-winbind libpam-krb5
>
> What are the permissions on /etc/krb5.keytab
>
> You could try adding this line to smb.conf:
>
> username map = /etc/samba/samba_usermapping
>
> Then create /etc/samba/samba_usermapping with this content:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> Obviously you can put the usermapping file anywhere and replace 
> 'SAMDOM' with your NetBIOS domain name.
>
> Rowland