samba - Apr 2024 - domain join becomes invalid every 24h

Hello,

I'm facing an issue with a file server working under samba  4.17.12
and  joined to my domain as domain member:  Every 24h hours the domain
join becomes invalid:
#net ads testjoin
kerberos_kinit_password FILESERVER$@MY.DOMAIN failed: Preauthentication failed
Join to domain is not valid: LDAP_INVALID_CREDENTIALS

Then  I need to rejoin to come back to normal:
net ads join --use-krb5-ccache=CCACHE

The domain is controlled by a DC and a BC  under samba 4.17.12.

below are some settings which seems to be relevant from smb.conf:
member smb.conf
[global]
       security = ads
       realm = MY.DOMAIN
       preferred master = no
       domain master = no
       local master = no
       disable netbios = Yes
       server signing = auto
       kerberos method = secrets and keytab

controler smb.conf
[global]
       realm = ilkokul.nds.k12.tr
       netbios name = DOM
       server role = active directory domain controller
       server services = -nbt
       smb ports = 445
       idmap_ldb:use rfc2307 = yes
       kerberos method = default
       kdc enable fast = yes
       ldap server require strong auth = no

As test I joined another server as member and I didnt see this issue.
I have another site with the same setup and I haven't seen this issue
neither

Any information which could help me to solve this is welcome.

Thanks

On Wed, 24 Apr 2024 10:20:57 +0300
Alexis Pellicier via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I'm facing an issue with a file server working under samba  4.17.12
> and  joined to my domain as domain member:  Every 24h hours the domain
> join becomes invalid:
> #net ads testjoin
> kerberos_kinit_password FILESERVER$@MY.DOMAIN failed:
> Preauthentication failed Join to domain is not valid:
> LDAP_INVALID_CREDENTIALS
> 
> Then  I need to rejoin to come back to normal:
> net ads join --use-krb5-ccache=CCACHE
> 
> The domain is controlled by a DC and a BC  under samba 4.17.12.
> 
> below are some settings which seems to be relevant from smb.conf:
> member smb.conf
> [global]
>        security = ads
>        realm = MY.DOMAIN
>        preferred master = no
>        domain master = no
>        local master = no
>        disable netbios = Yes
>        server signing = auto
>        kerberos method = secrets and keytab
> 
Your smb.conf seems to be insufficient, there are no 'idmap config'
lines, are you using sssd ?

Rowland

PS there really wasn't much point in sanitising the realm in the
fileserver and not in the DC, also what happened to the 'workgroup'
line ?

On Wed, 2024-04-24 at 10:20 +0300, Alexis Pellicier via samba
wrote:
> As test I joined another server as member and I didnt see this issue.
> I have another site with the same setup and I haven't seen this issue
> neither
> 
> 
> Any information which could help me to solve this is welcome.
I think you have two things (eg perhaps sssd and winbind, as suggested,
or two different devices) joined under the same name somehow.

Samba DB change audit logs might give a clue, but every 24 hours is
very short, most tooling rotates their password every couple of weeks,
not every 24 hours.
https://wiki.samba.org/index.php/Setting_up_Audit_Logging#Enabling_AD_DC_Database_Audit_Logging

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member
(since 2001) https://samba.orgSamba Team Lead               
https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions