I've noticed this happening quite often, my server after a while gets
dropped from the domain controller. I join it like this...

net ads join -U samba@CORPEDIA.INTERNAL -S windowsserver.corpeda.internal

I came in this morning and noticed that I could not login to my shares, so I
did a net ads info. and it came back with could not find any login servers.
I re-ran the above command, and restarted smb and winbind. And everything is
working again.

Would anyone know why this is happening?

--
Kyle
Unix Administrator
kcorupe@corpedia.com

On Mon, 2008-05-05 at 09:54 -0700, Kyle Corupe wrote:
> I've noticed this happening quite often, my server after a while gets
> dropped from the domain controller. I join it like this...
>
> net ads join -U samba@CORPEDIA.INTERNAL -S windowsserver.corpeda.internal
>
> I came in this morning and noticed that I could not login to my shares, so I
> did a net ads info. and it came back with could not find any login servers.
> I re-ran the above command, and restarted smb and winbind. And everything is
> working again.
>
> Would anyone know why this is happening?

Perhaps for some reason your AD domain controller is enforcing a maximum
password age? I think we try to set a 'password does not expire', but
given the timed nature of the failure, this is where I would start
looking.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

I wanted to bring this question back to the main list. I am lost for ideas.
The issue is that my samba server is being dropped from ADS for some reason,
or is disconnecting itself. Everything is up and working but randomly
winbind will be unable to look up domain users. Any debug info or ideas would
be much appreciated. Could there be something on the Windows side? It looks
like the Kerberos ticket is only valid for today?
Here are some of my configs:
smb.conf
----------------------------------------
[global]
workgroup = WINIX
realm = CORPEDIA.INTERNAL
preferred master = no
server string = File Server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
# printcap name = cups
# printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = true
winbind nested groups = Yes
# winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
#template primary group = "Domain Users"
template shell = /bin/bash
# obey pam restrictions = no
# winbind use default domain = yes
obey pam restrictions = yes
#pam password change = yes
#root preexec = /usr/local/sbin/mkhomedir.sh %U
#template homedir = /home/WINIX+%U
security mask = 0775
force security mode = 0
directory security mask = 0775
force directory security mode = 0
create mask = 0775
----------------------------
[kylec@beedril ~]$ wbinfo -u
administrator
guest
support_388945a0
(cut ....)
---------------------------
[kylec@beedril ~]$ net ads info
LDAP server: 10.0.0.6
LDAP server name: charizard.corpedia.internal
Realm: CORPEDIA.INTERNAL
Bind Path: dc=CORPEDIA,dc=INTERNAL
LDAP port: 389
Server time: Thu, 08 May 2008 09:52:29 MST
KDC server: 10.0.0.6
Server time offset: 95
-----------------------------
[root@beedril kylec]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: samba@CORPEDIA.INTERNAL
Valid starting     Expires            Service principal
05/08/08 09:54:25  05/08/08 19:55:48  krbtgt/CORPEDIA.INTERNAL@CORPEDIA.INTERNAL
        renew until 05/09/08 09:54:25
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Kyle,

> I wanted to bring this question back to the main list. I
> am lost for ideas,
>
> The issue is that my samba server is being dropped from ADS for some reason,
> or is disconnecting itself. Everything is up and working but randomly
> winbind will be unable to lookup domain users. Any debug info or ideas would
> be much appreciated, could there be something on the windows side? It looks
> like the kerberos ticket is only valid for today?

Tickets expire. Generally 8 - 12 hours depending on policy. But are
renewed or reissued. Is the machine account in AD gone? Or disabled?
Have you set log level = 10 and run `wbinfo -t` to verify the
machine account?

cheers, jerry
--
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
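
The point in the reply above, that a TGT expiring the same day is ordinary ticket lifetime rather than evidence of the join being lost, can be read off the klist output directly. The following is an added example, not part of the original thread and not Samba code: a small Python parser for klist output that reports ticket lifetime and whether renewal is still possible. The date format, function names and sample layout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the klist values from the thread, with the service
# principal wrapped onto its own line (as mail wrapping can leave it).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: samba@CORPEDIA.INTERNAL
Valid starting Expires Service principal
05/08/08 09:54:25 05/08/08 19:55:48
krbtgt/CORPEDIA.INTERNAL@CORPEDIA.INTERNAL
renew until 05/09/08 09:54:25
"""

FMT = "%m/%d/%y %H:%M:%S"  # assumption: klist prints US-style dates
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET_RE = re.compile(rf"^\s*{STAMP}\s+{STAMP}\s*(\S*)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until {STAMP}\s*$")

def parse_klist(text):
    """Return one dict per ticket: principal, start, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        m, r = TICKET_RE.match(line), RENEW_RE.match(line)
        if m:
            tickets.append({"principal": m.group(3) or None,
                            "start": datetime.strptime(m.group(1), FMT),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "renew_until": None})
        elif tickets and r:
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), FMT)
        elif tickets and tickets[-1]["principal"] is None and "@" in line:
            tickets[-1]["principal"] = line.strip()  # wrapped principal line
    return tickets

def report(ticket, now, usual=(timedelta(hours=8), timedelta(hours=12))):
    """Summarise a ticket; `usual` is the 8-12 hour range named in the reply."""
    life = ticket["expires"] - ticket["start"]
    valid = now < ticket["expires"]
    renew = ticket["renew_until"]
    return {"lifetime_s": int(life.total_seconds()),
            "usual_lifetime": usual[0] <= life <= usual[1],
            "state": "valid" if valid else "expired",
            # A ticket can only be renewed while it is still valid.
            "can_renew": bool(valid and renew and now < renew)}

if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        print(t["principal"], report(t, datetime(2008, 5, 8, 12, 0, 0)))
```

For the ticket in the thread this gives a lifetime of just over ten hours, so an expiry "today" is expected; once the ticket has expired it must be reissued, which for the server depends on the machine account still being usable.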