I put the usermapping but this does not solve the problem.

I do not use libpam_winbind and libpam-krb5 because I did not need to log in to the server using domain accounts; it seems to me that this is not mandatory, can you confirm?

Here are the permissions of the file /etc/krb5.keytab:

root at smb1:/home/adminlocal# ls -l /etc/krb5.keytab
-rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab

Avahi is not installed on this server.

For information, when I run "wbinfo -P", I have this result:

root at smb1:/home/adminlocal# wbinfo -P
checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED (0xc0000203)

I see that the domain controller is not specified; on my other server (SMB2) I have the address of the domain controller.

Thank you,
Alexis.

On 07/06/2016 12:57, Rowland penny wrote:
> On 07/06/16 10:13, Alexis RIES wrote:
>> Yes, the /etc/krb5.keytab file is created by the domain join.
>>
>> I just noticed that it's not only after a reboot that I have this problem. I lost the domain join on my first SMB server, and it has not been restarted.
>>
>> Note that I use Cluster Mode (CTDB), but the problem is the same when I remove the cluster configuration.
>>
>> Attached are the requested files.
>>
>> Thank you,
>> Alexis.
>>
>> On 07/06/2016 09:43, Rowland penny wrote:
>>> On 07/06/16 07:31, Alexis RIES wrote:
>>>> Hi, attached are my smb.conf and Winbind debug log after reboot.
>>>> My OS is Debian Jessie and it has a fixed IP.
>>>>
>>>> Thank you
>>>>
>>>> On 06/06/2016 22:05, Rowland penny wrote:
>>>>> On 06/06/16 14:52, Alexis RIES wrote:
>>>>>> Hello,
>>>>>>
>>>>>> After each reboot, my Samba AD member server loses its domain join; I have to re-join the server to the domain with "net ads join -U administrator".
>>>>>>
>>>>>> I use version 4.4.3 of Samba.
>>>>>> The domain controller is a Samba AD server.
>>>>>>
>>>>>> After reboot, when I execute "net ads testjoin" I have:
>>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed Preauthentication
>>>>>> kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed Preauthentication
>>>>>> Join to domain is not valid: Logon failure
>>>>>>
>>>>>> And when I execute "wbinfo -t":
>>>>>> checking the trust secret for domain SAMDOM via RPC calls failed
>>>>>> wbcCheckTrustCredentials (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>>>>>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>>>>>> Could not check secret
>>>>>
>>>>> Hi, can you post your smb.conf from the domain member.
>>>>> What OS ?
>>>>> Does the domain member have a fixed ip or does it use DHCP ?
>>>>>
>>>>> Rowland
>>>
>>> OK, it should work, but can I suggest a few changes to your smb.conf:
>>>
>>> cat 'vfs objects = fileid' and 'vfs objects = acl_xattr full_audit'
>>> i.e. make it 'vfs objects = fileid acl_xattr full_audit'
>>>
>>> Remove all the 'valid users' etc and use ACLs instead, you can set these from windows or with setfacl.
>>>
>>> add 'ldap server require strong auth = No'
>>>
>>> If you are actually using '.local' and avahi is running, I suggest you turn it off.
>>>
>>> Can you post your /etc/resolv.conf, /etc/hosts and /etc/krb5.conf
>>>
>>> Finally is /etc/krb5.keytab being created by the join ?
>>>
>>> Rowland
>
> Everything looks ok, do you have all these packages installed:
>
> libpam-winbind libnss-winbind libpam-krb5
>
> What are the permissions on /etc/krb5.keytab
>
> You could try adding this line to smb.conf:
>
> username map = /etc/samba/samba_usermapping
>
> Then create /etc/samba/samba_usermapping with this content:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> Obviously you can put the usermapping file anywhere and replace 'SAMDOM' with your NetBIOS domain name.
>
> Rowland
On 07/06/16 14:44, Alexis RIES wrote:
> I put the usermapping but this does not solve the problem.
>
> I do not use libpam_winbind and libpam-krb5 because I did not need to log in to the server using domain accounts; it seems to me that this is not mandatory, can you confirm?

This could well be your problem, try installing them. My domain member works and this seems to be the only difference between my domain member and yours.

> Here are the permissions of the file /etc/krb5.keytab:
> root at smb1:/home/adminlocal# ls -l /etc/krb5.keytab
> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab

That again is the same as my domain member.

> Avahi is not installed on this server.
>
> For information, when I run "wbinfo -P", I have this result:
> root at smb1:/home/adminlocal# wbinfo -P
> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
> wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED (0xc0000203)

This works for me:

root at debnet:/home/rowland/ # wbinfo -P
checking the NETLOGON dc connection to "dc1.samdom.example.com" succeeded

Rowland
I think I found my problem: when configuring my second domain controller, I created by mistake a round robin DNS entry on "Forward Lookup Zones -> ad.samdom.local". I speak of round-robin because I have two A records pointing to the same domain.

Now I'm lost. Do you have a second domain controller in failover? If so, could you give me your DNS configuration? I need information on:

Forward Lookup Zones -> ad.samdom.local
Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones

Currently I have two domain controllers in these areas (thus the round-robin). However, I have not touched the DomainDnsZones and ForestDnsZones areas; this had to be done by "samba-tool domain join" executed during installation, but I'm not sure.

Is it normal to have the round robin on ForestDnsZones and DomainDnsZones?

Please find attached the export of my DNS configuration.

Thank you,
Alexis.

On 07/06/2016 16:05, Rowland penny wrote:
> On 07/06/16 14:44, Alexis RIES wrote:
>> I put the usermapping but this does not solve the problem.
>>
>> I do not use libpam_winbind and libpam-krb5 because I did not need to log in to the server using domain accounts; it seems to me that this is not mandatory, can you confirm?
>
> This could well be your problem, try installing them. My domain member works and this seems to be the only difference between my domain member and yours.
>
>> Here are the permissions of the file /etc/krb5.keytab:
>> root at smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
>
> That again is the same as my domain member.
>
>> Avahi is not installed on this server.
>>
>> For information, when I run "wbinfo -P", I have this result:
>> root at smb1:/home/adminlocal# wbinfo -P
>> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
>> wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED (0xc0000203)
>
> This works for me:
>
> root at debnet:/home/rowland/ # wbinfo -P
> checking the NETLOGON dc connection to "dc1.samdom.example.com" succeeded
>
> Rowland

--
Alexis RIES
IT department
Tel : 04.22.32.97.26
Fax : 04.84.25.27.40
Email : alexis.ries at kinaxia.fr
http://www.kinaxia.fr

-------------- next part --------------
Attachment 1: zone ad.samdom.local (export translated from French)

Name                     Type                      Data                                                     Timestamp
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
(same as parent folder)  Start of Authority (SOA)  [43], dc1.ad.samdom.local., hostmaster.ad.samdom.local.  07/06/2016 17:00:00
(same as parent folder)  Name Server (NS)          dc1.ad.samdom.local.                                     static
(same as parent folder)  Name Server (NS)          dc2.ad.samdom.local.                                     17/05/2016 15:00:00
(same as parent folder)  Host (A)                  192.168.254.1                                            static
(same as parent folder)  Host (A)                  192.168.254.2                                            17/05/2016 11:00:00
ADMIN                    Host (A)                  192.168.254.100                                          26/05/2016 11:00:00
dc1                      Host (A)                  192.168.254.1                                            static
dc2                      Host (A)                  192.168.254.2                                            17/05/2016 11:00:00
smb                      Host (A)                  192.168.254.10                                           31/12/27077 09:00:00
smb                      Host (A)                  192.168.254.11                                           31/12/27077 13:00:00
smb1                     Host (A)                  192.168.254.3                                            24/05/2016 14:00:00
smb2                     Host (A)                  192.168.254.4                                            24/05/2016 14:00:00

-------------- next part --------------
Attachment 2 (export translated from French)

Name                     Type      Data             Timestamp
_sites
_tcp
(same as parent folder)  Host (A)  192.168.254.1    static
(same as parent folder)  Host (A)  192.168.254.2    17/05/2016 11:00:00

-------------- next part --------------
Attachment 3 (export translated from French)

Name                     Type      Data             Timestamp
_sites
_tcp
(same as parent folder)  Host (A)  192.168.254.1    static
(same as parent folder)  Host (A)  192.168.254.2    17/05/2016 11:00:00
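For the round-robin question above, here is an added Python example, not from the thread or from Samba, that parses an export in the attachment's Name/Type/Data/Timestamp layout (assumed here to be tab-separated with the headings translated) and compares the apex A records with the DCs listed as NS. AD registers one apex A record per DC, so an apex set that matches the DC set is the expected layout; names other than the apex that carry several A records are reported separately.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the attached export (tab-separated
# Name, Type, Data, Timestamp; headings translated). Not the thread's file.
SAMPLE_EXPORT = """\
(same as parent folder)\tStart of Authority (SOA)\t[43], dc1.ad.samdom.local., hostmaster.ad.samdom.local.\t07/06/2016 17:00:00
(same as parent folder)\tName Server (NS)\tdc1.ad.samdom.local.\tstatic
(same as parent folder)\tName Server (NS)\tdc2.ad.samdom.local.\t17/05/2016 15:00:00
(same as parent folder)\tHost (A)\t192.168.254.1\tstatic
(same as parent folder)\tHost (A)\t192.168.254.2\t17/05/2016 11:00:00
dc1\tHost (A)\t192.168.254.1\tstatic
dc2\tHost (A)\t192.168.254.2\t17/05/2016 11:00:00
smb\tHost (A)\t192.168.254.10\t31/12/27077 09:00:00
smb\tHost (A)\t192.168.254.11\t31/12/27077 13:00:00
"""

APEX = "@"  # the zone apex, shown as "(same as parent folder)" in the export

def parse_export(text):
    """Return (name, rtype, data) tuples; folder rows without a type are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        name, rtype, data = fields[:3]
        if name.startswith("(same as parent"):
            name = APEX
        rtype = re.search(r"\((\w+)\)", rtype).group(1)  # "Host (A)" -> "A"
        records.append((name, rtype, data.rstrip(".")))
    return records

def check_zone(records, zone):
    """Compare apex A records with the DCs named as NS; flag other multi-A names."""
    a_records = defaultdict(set)
    for name, rtype, data in records:
        if rtype == "A":
            a_records[name].add(data)
    suffix = "." + zone
    dcs = {d[:-len(suffix)] for n, r, d in records
           if r == "NS" and n == APEX and d.endswith(suffix)}
    dc_ips = set().union(*(a_records[dc] for dc in dcs))
    return {
        "dcs": sorted(dcs),
        "dcs_without_a": sorted(dc for dc in dcs if not a_records[dc]),
        "apex_matches_dcs": a_records[APEX] == dc_ips,  # expected: True
        "round_robin_names": sorted(n for n, ips in a_records.items()
                                    if n != APEX and len(ips) > 1),
    }
```

Calling check_zone(parse_export(SAMPLE_EXPORT), "ad.samdom.local") on the sample reports the apex matching both DCs and only "smb" as a round-robin name.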