Hello,

I'm facing an issue with a file server running Samba 4.17.12 and joined to my domain as a domain member: every 24 hours the domain join becomes invalid:

# net ads testjoin
kerberos_kinit_password FILESERVER$@MY.DOMAIN failed: Preauthentication failed
Join to domain is not valid: LDAP_INVALID_CREDENTIALS

Then I need to rejoin to get back to normal:

net ads join --use-krb5-ccache=CCACHE

The domain is controlled by a DC and a BDC under Samba 4.17.12.

Below are some settings which seem to be relevant from smb.conf:

member smb.conf
[global]
security = ads
realm = MY.DOMAIN
preferred master = no
domain master = no
local master = no
disable netbios = Yes
server signing = auto
kerberos method = secrets and keytab

controller smb.conf
[global]
realm = ilkokul.nds.k12.tr
netbios name = DOM
server role = active directory domain controller
server services = -nbt
smb ports = 445
idmap_ldb:use rfc2307 = yes
kerberos method = default
kdc enable fast = yes
ldap server require strong auth = no

As a test I joined another server as a member and I didn't see this issue. I have another site with the same setup and I haven't seen this issue there either.

Any information which could help me to solve this is welcome.

Thanks
On Wed, 24 Apr 2024 10:20:57 +0300 Alexis Pellicier via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm facing an issue with a file server working under samba 4.17.12
> and joined to my domain as domain member: Every 24h hours the domain
> join becomes invalid:
> #net ads testjoin
> kerberos_kinit_password FILESERVER$@MY.DOMAIN failed:
> Preauthentication failed Join to domain is not valid:
> LDAP_INVALID_CREDENTIALS
>
> Then I need to rejoin to come back to normal:
> net ads join --use-krb5-ccache=CCACHE
>
> The domain is controlled by a DC and a BC under samba 4.17.12.
>
> below are some settings which seems to be relevant from smb.conf:
> member smb.conf
> [global]
> security = ads
> realm = MY.DOMAIN
> preferred master = no
> domain master = no
> local master = no
> disable netbios = Yes
> server signing = auto
> kerberos method = secrets and keytab
>

Your smb.conf seems to be insufficient: there are no 'idmap config' lines. Are you using sssd?

Rowland

PS: there really wasn't much point in sanitising the realm in the fileserver and not in the DC. Also, what happened to the 'workgroup' line?
On Wed, 2024-04-24 at 10:20 +0300, Alexis Pellicier via samba wrote:

> As test I joined another server as member and I didnt see this issue.
> I have another site with the same setup and I haven't seen this issue
> neither
>
>
> Any information which could help me to solve this is welcome.

I think you have two things (e.g. perhaps sssd and winbind, as suggested, or two different devices) joined under the same name somehow.

Samba DB change audit logs might give a clue, but every 24 hours is very short; most tooling rotates its password every couple of weeks, not every 24 hours.

https://wiki.samba.org/index.php/Setting_up_Audit_Logging#Enabling_AD_DC_Database_Audit_Logging

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
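As an added illustration of the check Andrew suggests (not code from the thread or from the Samba project): a small script that reads DC audit log lines and flags machine accounts whose password is reset unusually often or from more than one client address. The JSON field layout and the sample lines are constructed assumptions modelled on Samba's "passwordChange" audit events; check them against the format your DC actually emits before relying on the output.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit lines (one JSON object per line). The layout is an
# assumption, not a capture from the thread: two different clients reset the
# FILESERVER account one day apart, the pattern the thread suspects.
SAMPLE_LOG = """\
{"timestamp": "2024-04-21T03:10:05.000000+0000", "type": "passwordChange", "passwordChange": {"action": "Reset", "status": "Success", "dn": "CN=FILESERVER,CN=Computers,DC=my,DC=domain", "remoteAddress": "ipv4:10.0.0.21:49230"}}
{"timestamp": "2024-04-22T03:10:09.000000+0000", "type": "passwordChange", "passwordChange": {"action": "Reset", "status": "Success", "dn": "CN=FILESERVER,CN=Computers,DC=my,DC=domain", "remoteAddress": "ipv4:10.0.0.37:51102"}}
{"timestamp": "2024-04-22T11:00:00.000000+0000", "type": "passwordChange", "passwordChange": {"action": "Reset", "status": "Success", "dn": "CN=OTHERHOST,CN=Computers,DC=my,DC=domain", "remoteAddress": "ipv4:10.0.0.50:40001"}}
"""


def password_resets(log_text):
    """Yield (dn, timestamp, remote address) for every successful password reset."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("type") != "passwordChange":
            continue
        change = event["passwordChange"]
        if change.get("status") != "Success":
            continue
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield change["dn"], ts, change.get("remoteAddress", "?")


def suspicious_accounts(log_text, min_interval=timedelta(days=7)):
    """Report accounts whose consecutive resets are closer than min_interval
    (machine password rotation normally takes days to weeks, so a daily cadence
    points at a second host or daemon using the same name) or whose resets
    come from more than one client address."""
    by_dn = {}
    for dn, ts, addr in password_resets(log_text):
        by_dn.setdefault(dn, []).append((ts, addr))
    report = {}
    for dn, events in by_dn.items():
        events.sort()
        clients = {addr.rsplit(":", 1)[0] for _, addr in events}  # drop source port
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        if len(clients) > 1 or any(gap < min_interval for gap in gaps):
            report[dn] = {"clients": sorted(clients), "min_gap": min(gaps) if gaps else None}
    return report


if __name__ == "__main__":
    for dn, info in suspicious_accounts(SAMPLE_LOG).items():
        print(dn, info)
```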