I think I found my problem, when configuring my second domain
controller, I have created by mistake a round robin DNS entry on
"Forward Lookup Zones -> ad.samdom.local".
I speak of round-robin because I have two fields A pointing to the
same domain

Now I'm lost, you have a second domain controller in failover?
If so, could you give me your DNS configuration? I need information on:

Forward Lookup Zones -> ad.samdom.local.
Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones

Currently I have two domain controllers in these areas (thus the
round-robin).
However, I have not touched the DomainDnsZones and ForestDnsZones
areas, this had to be done by "samba-tool domain join" executed during
installation but I'm not sure.

Is it normal to have the round robin on ForestDnsZones and
DomainDnsZones?

Please find attached the export of my DNS configuration.

Thank you,
Alexis.

On 07/06/2016 16:05, Rowland penny wrote:
> On 07/06/16 14:44, Alexis RIES wrote:
>> I put the usermapping but this does not solve the problem.
>>
>> I do not use libpam_winbind and libpam-krb5 because I did not need to
>> log in server using domain accounts, it seems to me that this is not
>> mandatory, you confirm?
>
> This could well be your problem, try installing them. My domain member
> works and this seems to be the only difference between my domain
> member and yours.
>
>> Here are the permissions of the file /etc/krb5.keytab:
>> root@smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>> -rw------- 1 root root 2312 Jun 7 14:44 /etc/krb5.keytab
>
> That again is the same as my domain member
>
>> Avahi is not installed on this server
>>
>> For information, when I run "wbinfo -P", I have this result:
>> SMB1 root @: / home / adminlocal # wbinfo -P
>> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
>> wbcPingDc2 (SAMDOM): error code Was NT_STATUS_USER_SESSION_DELETED
>> (0xc0000203)
>
> This works for me:
>
> root@debnet:/home/rowland/ # wbinfo -P
> checking the NETLOGON dc connection to "dc1.samdom.example.com" succeeded
>
> Rowland

--
Alexis RIES
IT Department
Tel : 04.22.32.97.26
Fax : 04.84.25.27.40
Email : alexis.ries at kinaxia.fr
http://www.kinaxia.fr

-------------- next part --------------
Nom                            Type                  Données                                                  Horodateur
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
(identique au dossier parent)  Source de nom (SOA)   [43], dc1.ad.samdom.local., hostmaster.ad.samdom.local.  07/06/2016 17:00:00
(identique au dossier parent)  Serveur de noms (NS)  dc1.ad.samdom.local.                                     statique
(identique au dossier parent)  Serveur de noms (NS)  dc2.ad.samdom.local.                                     17/05/2016 15:00:00
(identique au dossier parent)  Hôte (A)              192.168.254.1                                            statique
(identique au dossier parent)  Hôte (A)              192.168.254.2                                            17/05/2016 11:00:00
ADMIN                          Hôte (A)              192.168.254.100                                          26/05/2016 11:00:00
dc1                            Hôte (A)              192.168.254.1                                            statique
dc2                            Hôte (A)              192.168.254.2                                            17/05/2016 11:00:00
smb                            Hôte (A)              192.168.254.10                                           31/12/27077 09:00:00
smb                            Hôte (A)              192.168.254.11                                           31/12/27077 13:00:00
smb1                           Hôte (A)              192.168.254.3                                            24/05/2016 14:00:00
smb2                           Hôte (A)              192.168.254.4                                            24/05/2016 14:00:00

-------------- next part --------------
Nom                            Type      Données        Horodateur
_sites
_tcp
(identique au dossier parent)  Hôte (A)  192.168.254.1  statique
(identique au dossier parent)  Hôte (A)  192.168.254.2  17/05/2016 11:00:00

-------------- next part --------------
Nom                            Type      Données        Horodateur
_sites
_tcp
(identique au dossier parent)  Hôte (A)  192.168.254.1  statique
(identique au dossier parent)  Hôte (A)  192.168.254.2  17/05/2016 11:00:00
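As an added illustration (not part of the thread and not Samba code): the sketch below takes the rows of the first attached export, re-typed as tab-separated text, and lists every name that carries more than one A record, separating names whose addresses all belong to the hosts in the zone's NS records from the rest. The function names and the shortcut of treating the NS hosts as the domain controllers are assumptions made for this example.

```python
from collections import defaultdict

ZONE = "ad.samdom.local"
APEX = "(identique au dossier parent)"  # console label for the zone itself
# Constructed input: rows of the first attachment, re-typed tab-separated.
EXPORT = """\
Nom\tType\tDonnées\tHorodateur
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
(identique au dossier parent)\tSource de nom (SOA)\t[43], dc1.ad.samdom.local., hostmaster.ad.samdom.local.\t07/06/2016 17:00:00
(identique au dossier parent)\tServeur de noms (NS)\tdc1.ad.samdom.local.\tstatique
(identique au dossier parent)\tServeur de noms (NS)\tdc2.ad.samdom.local.\t17/05/2016 15:00:00
(identique au dossier parent)\tHôte (A)\t192.168.254.1\tstatique
(identique au dossier parent)\tHôte (A)\t192.168.254.2\t17/05/2016 11:00:00
ADMIN\tHôte (A)\t192.168.254.100\t26/05/2016 11:00:00
dc1\tHôte (A)\t192.168.254.1\tstatique
dc2\tHôte (A)\t192.168.254.2\t17/05/2016 11:00:00
smb\tHôte (A)\t192.168.254.10\t31/12/27077 09:00:00
smb\tHôte (A)\t192.168.254.11\t31/12/27077 13:00:00
smb1\tHôte (A)\t192.168.254.3\t24/05/2016 14:00:00
smb2\tHôte (A)\t192.168.254.4\t24/05/2016 14:00:00
"""

def parse_export(text, zone=ZONE):
    records = []  # (fqdn, type, data) for every record row
    for line in text.splitlines()[1:]:
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) == 4:  # folder rows such as _sites carry a name only
            name = zone if cols[0] == APEX else f"{cols[0].lower()}.{zone}"
            records.append((name, cols[1], cols[2]))
    return records

def multi_a_names(records):
    """Classify every name that has more than one A record."""
    ns = {d.rstrip(".") for _, t, d in records if t.endswith("(NS)")}
    addrs = defaultdict(set)
    for name, rtype, data in records:
        if rtype.endswith("(A)"):
            addrs[name].add(data)
    # Assumption: the hosts named in the zone's NS records are the DCs.
    dc_ips = set().union(*(addrs[h] for h in ns if h in addrs))
    return {n: (sorted(a), "DC addresses only" if a <= dc_ips else "other hosts")
            for n, a in addrs.items() if len(a) > 1}

if __name__ == "__main__":
    print(multi_a_names(parse_export(EXPORT)))
```
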
On 07/06/16 17:05, Alexis RIES wrote:
> I think I found my problem, when configuring my second domain
> controller, I have created by mistake a round robin DNS entry on
> "Forward Lookup Zones -> ad.samdom.local".
> I speak of round-robin because I have two fields A pointing to the
> same domain
>
> Now I'm lost, you have a second domain controller in failover?
> If so, could you give me your DNS configuration? I need information on:
>
> Forward Lookup Zones -> ad.samdom.local.
> Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
> Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones
>
> Currently I have two domain controllers in these areas (thus the
> round-robin).
> However, I have not touched the DomainDnsZones and ForestDnsZones
> areas, this had to be done by "samba-tool domain join" executed during
> installation but I'm not sure.
>
> Is it normal to have the round robin on ForestDnsZones and
> DomainDnsZones?
>
> Please find attached the export of my DNS configuration.
>
> Thank you,
> Alexis.

How did you obtain the three files you attached? What command(s) did you run?
Are you using the internal DNS server on the DCs, or are you using Bind9?
If you are using Bind9, how have you configured it?

Rowland
I was wrong, the problem persists, it is not because of the DNS.
You have the same configuration as me, but with two domain controllers?

On 07/06/2016 18:05, Alexis RIES wrote:
> I think I found my problem, when configuring my second domain
> controller, I have created by mistake a round robin DNS entry on
> "Forward Lookup Zones -> ad.samdom.local".
> I speak of round-robin because I have two fields A pointing to the
> same domain
>
> Now I'm lost, you have a second domain controller in failover?
> If so, could you give me your DNS configuration? I need information on:
>
> Forward Lookup Zones -> ad.samdom.local.
> Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
> Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones
>
> Currently I have two domain controllers in these areas (thus the
> round-robin).
> However, I have not touched the DomainDnsZones and ForestDnsZones
> areas, this had to be done by "samba-tool domain join" executed during
> installation but I'm not sure.
>
> Is it normal to have the round robin on ForestDnsZones and
> DomainDnsZones?
>
> Please find attached the export of my DNS configuration.
>
> Thank you,
> Alexis.
On 07/06/16 17:31, Alexis RIES wrote:
> I was wrong, the problem persists, it is not because of the DNS.
> You have the same configuration as me, but with two domain controllers?

I have two DCs but I don't know if the DNS is set up like yours, so can you please answer the questions from my last post ???

Rowland
lingpanda101 at gmail.com
2016-Jun-07 16:55 UTC
[Samba] Samba AD member lost domain join after reboot
On 6/7/2016 12:31 PM, Alexis RIES wrote:
> I was wrong, the problem persists, it is not because of the DNS.
> You have the same configuration as me, but with two domain controllers?

Alexis, can you run 'net ads testjoin -d 3' and report? Can you also verify replication is working on your DCs?

--
-James
lingpanda101 at gmail.com
2016-Jun-07 17:00 UTC
[Samba] Samba AD member lost domain join after reboot
On 6/7/2016 12:31 PM, Alexis RIES wrote:
> I was wrong, the problem persists, it is not because of the DNS.
> You have the same configuration as me, but with two domain controllers?

Actually, can you run it at level 4? 'net ads testjoin -d 4'

--
-James
Hi,

I used the DNS management console, right click on zone and "export list".
I use Bind9, and yes it is configured.

Alexis.

On 07/06/2016 18:29, Rowland penny wrote:
> How did you obtain the three files you attached? What command(s) did
> you run?
> Are you using the internal DNS server on the DCs, or are you using Bind9?
> If you are using Bind9, how have you configured it?
>
> Rowland