On Wed, 24 Apr 2024 10:20:57 +0300 Alexis Pellicier via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I'm facing an issue with a file server working under samba 4.17.12
> and joined to my domain as domain member: every 24 hours the domain
> join becomes invalid:
>
> #net ads testjoin
> kerberos_kinit_password FILESERVER$@MY.DOMAIN failed:
> Preauthentication failed
> Join to domain is not valid: LDAP_INVALID_CREDENTIALS
>
> Then I need to rejoin to come back to normal:
> net ads join --use-krb5-ccache=CCACHE
>
> The domain is controlled by a DC and a BC under samba 4.17.12.
>
> Below are some settings which seem to be relevant from smb.conf:
>
> member smb.conf
> [global]
> security = ads
> realm = MY.DOMAIN
> preferred master = no
> domain master = no
> local master = no
> disable netbios = Yes
> server signing = auto
> kerberos method = secrets and keytab
>

Your smb.conf seems to be insufficient, there are no 'idmap config' lines, are you using sssd ?

Rowland

PS there really wasn't much point in sanitising the realm in the fileserver and not in the DC, also what happened to the 'workgroup' line ?
Hi Rowland,

> Your smb.conf seems to be insufficient, there are no 'idmap config'
> lines, are you using sssd ?

Yes I'm using sssd and I didn't post the idmap config lines to keep it brief, here it is:

[global]
netbios name = FILESEVER
workgroup = WORKGROUP
security = ads
realm = MY.DOMAIN
preferred master = no
domain master = no
local master = no
disable netbios = Yes
server signing = auto
kerberos method = secrets and keytab
min domain uid = 500
idmap config * : backend = tdb
idmap config * : range = 1000100-3000000
idmap config WORKGROUP : backend = ad
idmap config WORKGROUP : range = 500-1000000
idmap config WORKGROUP : unix_nss_info = yes
idmap config WORKGROUP : unix_primary_group = yes
idmap config WORKGROUP : schema_mode = rfc2307
reset on zero vc = yes
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=30 TCP_KEEPCNT=3 TCP_KEEPINTVL=3
disable spoolss = yes

> Rowland
>
> PS there really wasn't much point in sanitising the realm in the
> fileserver and not in the DC, also what happened to the 'workgroup'
> line ?

Oops... I guess it's too late now. Here is a more complete version of the DC's smb.conf:

[global]
workgroup = WORKGROUP
realm = my.domain
netbios name = DOM
server role = active directory domain controller
server services = -nbt
smb ports = 445
idmap_ldb:use rfc2307 = yes
kerberos method = default
kdc enable fast = yes
allow dns updates = signed
ntp signd socket directory = /var/lib/ntp/ntp_signd
ldap server require strong auth = no
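As an added example, not from this thread and not part of Samba's own tooling: a small Python checker that applies the two points Rowland raised (a member smb.conf needs a 'workgroup' line and 'idmap config' lines for both '*' and the domain) and additionally verifies that every idmap domain has a backend and a range and that the ranges do not overlap. The two sample configurations are the member smb.conf fragments posted in the thread; the function names (parse_smb_conf, check_member_config) and the finding strings are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the first member smb.conf posted in the thread (no workgroup, no idmap config).
INCOMPLETE_MEMBER_CONF = """
[global]
security = ads
realm = MY.DOMAIN
preferred master = no
domain master = no
local master = no
disable netbios = Yes
server signing = auto
kerberos method = secrets and keytab
"""

# Constructed sample: the fuller member smb.conf posted in the follow-up.
COMPLETE_MEMBER_CONF = """
[global]
netbios name = FILESEVER
workgroup = WORKGROUP
security = ads
realm = MY.DOMAIN
kerberos method = secrets and keytab
min domain uid = 500
idmap config * : backend = tdb
idmap config * : range = 1000100-3000000
idmap config WORKGROUP : backend = ad
idmap config WORKGROUP : range = 500-1000000
idmap config WORKGROUP : unix_nss_info = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased and whitespace-normalised so that
    'idmap config  X:range' and 'idmap config X : range' compare equal.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", " : ", key)
        sections[current][key] = value.strip()
    return sections


def idmap_domains(global_section: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <dom> : <opt>' keys into {dom: {opt: value}}."""
    result: Dict[str, Dict[str, str]] = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmap config (\S+) : (.+)", key)
        if m:
            result.setdefault(m.group(1), {})[m.group(2)] = value
    return result


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into (LOW, HIGH); raises ValueError on malformed input."""
    lo, hi = value.replace(" ", "").split("-", 1)
    return int(lo), int(hi)


def check_member_config(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no problem found."""
    findings: List[str] = []
    g = parse_smb_conf(text).get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("security should be 'ads' for a domain member")
    if "realm" not in g:
        findings.append("realm is not set")
    workgroup = g.get("workgroup")
    if workgroup is None:
        findings.append("workgroup is not set")
    idmap = idmap_domains(g)
    if "*" not in idmap:
        findings.append("no 'idmap config * : ...' lines (default backend missing)")
    if workgroup and workgroup.upper() not in {d.upper() for d in idmap}:
        findings.append(f"no 'idmap config {workgroup} : ...' lines for the domain")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "backend" not in opts:
            findings.append(f"idmap config {dom}: backend missing")
        if "range" not in opts:
            findings.append(f"idmap config {dom}: range missing")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError:
            findings.append(f"idmap config {dom}: range '{opts['range']}' is not LOW-HIGH")
    doms = sorted(ranges)
    for i, a in enumerate(doms):               # every pair of ranges must be disjoint
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("first post", INCOMPLETE_MEMBER_CONF), ("follow-up", COMPLETE_MEMBER_CONF)):
        print(f"{name}: {check_member_config(conf) or ['ok']}")
```

Run it against a real file with check_member_config(open("/etc/samba/smb.conf").read()); it only reads the text, so it is safe to run on a production member before touching the join.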