lingpanda101 at gmail.com
2016-Jun-07 16:55 UTC
[Samba] Samba AD member lost domain join after reboot
On 6/7/2016 12:31 PM, Alexis RIES wrote:
> I was wrong, the problem persists, it is not because of the DNS.
> You have the same configuration as me, but with two domain controllers?
>
> On 07/06/2016 18:05, Alexis RIES wrote:
>> I think I found my problem: when configuring my second domain
>> controller, I created by mistake a round-robin DNS entry on
>> "Forward Lookup Zones -> ad.samdom.local".
>> I speak of round-robin because I have two A records pointing to the
>> same domain.
>>
>> Now I'm lost, you have a second domain controller in failover?
>> If so, could you give me your DNS configuration? I need information on:
>>
>> Forward Lookup Zones -> ad.samdom.local.
>> Forward Lookup Zones -> ad.samdom.local -> DomainDnsZones
>> Forward Lookup Zones -> ad.samdom.local -> ForestDnsZones
>>
>> Currently I have two domain controllers in these zones (thus the
>> round-robin).
>> However, I have not touched the DomainDnsZones and ForestDnsZones
>> zones; this had to be done by "samba-tool domain join" executed
>> during installation, but I'm not sure.
>>
>> Is it normal to have the round-robin on ForestDnsZones and
>> DomainDnsZones?
>>
>> Please find attached the export of my DNS configuration.
>>
>> Thank you,
>> Alexis.
>>
>> On 07/06/2016 16:05, Rowland penny wrote:
>>> On 07/06/16 14:44, Alexis RIES wrote:
>>>> I put the usermapping in but this does not solve the problem.
>>>>
>>>> I do not use libpam_winbind and libpam-krb5 because I did not need
>>>> to log in to the server using domain accounts; it seems to me that
>>>> this is not mandatory, can you confirm?
>>>
>>> This could well be your problem, try installing them. My domain
>>> member works and this seems to be the only difference between my
>>> domain member and yours.
>>>
>>>> Here are the permissions of the file /etc/krb5.keytab:
>>>> root at smb1:/home/adminlocal# ls -l /etc/krb5.keytab
>>>> -rw------- 1 root root 2312 Jun  7 14:44 /etc/krb5.keytab
>>>
>>> That again is the same as my domain member
>>>
>>>> Avahi is not installed on this server
>>>>
>>>> For information, when I run "wbinfo -P", I have this result:
>>>> root at smb1:/home/adminlocal# wbinfo -P
>>>> checking the NETLOGON for domain [SAMDOM] dc connection to "" failed
>>>> wbcPingDc2(SAMDOM): error code was NT_STATUS_USER_SESSION_DELETED
>>>> (0xc0000203)
>>>
>>> This works for me:
>>>
>>> root at debnet:/home/rowland/ # wbinfo -P
>>> checking the NETLOGON dc connection to "dc1.samdom.example.com"
>>> succeeded
>>>
>>> Rowland

Alexis can you run 'net ads testjoin -d 3' and report? Can you also
verify replication is working on your DC's?

--
-James
Hi,

You will find attached the output of "net ads testjoin -d4" and "-d3".
Yes, replication seems to work properly.

Alexis.

On 07/06/2016 18:55, lingpanda101 at gmail.com wrote:
> Alexis can you run 'net ads testjoin -d 3' and report? Can you also
> verify replication is working on your DC's?

-------------- next part --------------
root at dc1:/home/adminlocal# samba-tool drs showrepl
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 8b1a800e-6dbb-4d19-aef8-b0fb54f77b3a
DSA invocationId: 9394e2f2-61ea-4eb9-961b-7a27d47362a4

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ Wed Jun  8 09:07:13 2016 CEST was successful
        0 consecutive failure(s).
        Last success @ Wed Jun  8 09:07:13 2016 CEST

DC=DomainDnsZones,DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ Wed Jun  8 09:07:13 2016 CEST was successful
        0 consecutive failure(s).
        Last success @ Wed Jun  8 09:07:13 2016 CEST

DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ Wed Jun  8 09:07:13 2016 CEST was successful
        0 consecutive failure(s).
        Last success @ Wed Jun  8 09:07:13 2016 CEST

CN=Schema,CN=Configuration,DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ Wed Jun  8 09:07:14 2016 CEST was successful
        0 consecutive failure(s).
        Last success @ Wed Jun  8 09:07:14 2016 CEST

CN=Configuration,DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ Wed Jun  8 09:07:14 2016 CEST was successful
        0 consecutive failure(s).
        Last success @ Wed Jun  8 09:07:14 2016 CEST

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=ad,DC=samdom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a59f5d8a-8690-44b7-9873-39367393d329
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 1f6b4724-19c7-42fc-bbf9-f88a9c6830e3
    Enabled        : TRUE
    Server DNS name : dc2.ad.samdom.local
    Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

-------------- next part --------------
root at smb2:/home/adminlocal# net ads testjoin -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth1 ip=10.10.10.2 bcast=10.10.255.255 netmask=255.255.0.0
added interface eth0 ip=192.168.254.4 bcast=192.168.254.255 netmask=255.255.255.0
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
return code = -1

-------------- next part --------------
root at smb2:/home/adminlocal# net ads testjoin -d 4
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
doing parameter log file = /var/log/samba/samba.log
doing parameter log level = 5
doing parameter netbios name = SMB2
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = AD.SAMDOM.LOCAL
doing parameter encrypt passwords = yes
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter username map = /usr/local/samba/etc/samba_usermapping
doing parameter winbind refresh tickets = yes
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter clustering = Yes
doing parameter ctdbd socket = /usr/local/samba/var/run/ctdb/ctdbd.socket
doing parameter fileid:mapping = fsid
doing parameter vfs objects = fileid
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-99999
doing parameter winbind nss info = rfc2307
doing parameter vfs objects = acl_xattr full_audit
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
doing parameter full_audit:prefix = %u|%I|%m|%S
doing parameter full_audit:success = mkdir rename unlink rmdir write
doing parameter full_audit:failure = read pread mkdir opendir rmdir telldir
doing parameter full_audit:facility = local7
doing parameter full_audit:priority = NOTICE
pm_process() returned Yes
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
doing parameter log file = /var/log/samba/samba.log
doing parameter log level = 5
doing parameter netbios name = SMB2
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = AD.SAMDOM.LOCAL
doing parameter encrypt passwords = yes
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter username map = /usr/local/samba/etc/samba_usermapping
doing parameter winbind refresh tickets = yes
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter clustering = Yes
doing parameter ctdbd socket = /usr/local/samba/var/run/ctdb/ctdbd.socket
doing parameter fileid:mapping = fsid
doing parameter vfs objects = fileid
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-99999
doing parameter winbind nss info = rfc2307
doing parameter vfs objects = acl_xattr full_audit
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
doing parameter full_audit:prefix = %u|%I|%m|%S
doing parameter full_audit:success = mkdir rename unlink rmdir write
doing parameter full_audit:failure = read pread mkdir opendir rmdir telldir
doing parameter full_audit:facility = local7
doing parameter full_audit:priority = NOTICE
pm_process() returned Yes
added interface eth0 ip=192.168.254.4 bcast=192.168.254.255 netmask=255.255.255.0
added interface eth0 ip=192.168.254.11 bcast=192.168.254.255 netmask=255.255.255.0
added interface eth1 ip=10.10.10.2 bcast=10.10.255.255 netmask=255.255.0.0
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
ads_dc_name: domain=SAMDOM
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:389 192.168.254.2:389
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
ads_dc_name: using server='DC1.AD.SAMDOM.LOCAL' IP=192.168.254.1
ads_dc_name: domain=SAMDOM
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:389 192.168.254.2:389
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
ads_dc_name: using server='DC1.AD.SAMDOM.LOCAL' IP=192.168.254.1
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
ads_dc_name: domain=SAMDOM
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:389 192.168.254.2:389
Successfully contacted LDAP server 192.168.254.1
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
get_dc_list: preferred server list: "dc1.ad.SAMDOM.local, *"
ads_dns_lookup_srv: 2 records returned in the answer section.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.254.1:88 192.168.254.2:88
ads_dc_name: using server='DC1.AD.SAMDOM.LOCAL' IP=192.168.254.1
Successfully contacted LDAP server 192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
return code = -1
I conducted many tests and I noticed that I lose the domain join on SMB1
as soon as I join SMB2 to the domain.

Step 1: SMB1 "net ads join -Uadministrator" -> OK
Step 2: SMB1 "net ads testjoin" -> OK
Step 3: SMB2 "net ads join -Uadministrator" -> OK
Step 4: SMB2 "net ads testjoin" -> OK
Step 5: SMB1 "net ads testjoin" -> Preauthentication failed

And vice versa in the opposite direction.

Obviously I can integrate a single domain member server: with only one
Samba server as a domain member, it works correctly. It is when I join
the second server that the first server loses the domain.

I completely reinstalled Debian and Samba on SMB2: problem unsolved.
I installed a new domain controller without replication: problem unsolved.

I do not understand, because SMB2 is a new install; no servers have been
cloned. I checked my hostname and MAC address, there are no duplicates on
the servers.

Alexis.

On 08/06/2016 09:22, Alexis RIES wrote:
> Hi,
>
> You will find attached the output of "net ads testjoin -d4" and "-d3".
> Yes, replication seems to work properly.
>
> Alexis.
>
> On 07/06/2016 18:55, lingpanda101 at gmail.com wrote:
>> Alexis can you run 'net ads testjoin -d 3' and report? Can you also
>> verify replication is working on your DC's?
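The `net ads testjoin -d 4` output SMB2 posted earlier in this thread, and the five-step sequence above, are the two things a reader has to line up. The Python script below is an added example (not Samba code, not posted by anyone in the thread) that pulls the handful of lines that matter out of a `-d 4` run and applies three triage rules. SAMPLE is SMB2's own output trimmed to the lines the script reads. The rules are mine: the 300-second threshold is the Kerberos default clock-skew tolerance; the last rule reacts to two facts visible in SMB2's output, `clustering = Yes` and `db_open_ctdb: opened database 'secrets.tdb'`, which together mean the machine-account password this host authenticates with is read from a database shared by every node of the CTDB cluster, while the principal it authenticates as (`SMB2$@AD.SAMDOM.LOCAL`) is built from its own `netbios name`. Whether that is what Alexis is hitting is not settled on this page; the script only flags the combination so the reader knows to check it.

```python
"""Triage of `net ads testjoin -d 4` output from a Samba AD domain member.

Added example for this thread; not Samba code.
"""
import re

# SMB2's output from the thread, trimmed to the lines the triage reads.
SAMPLE = r"""
doing parameter netbios name = SMB2
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = AD.SAMDOM.LOCAL
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter clustering = Yes
doing parameter ctdbd socket = /usr/local/samba/var/run/ctdb/ctdbd.socket
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
ads_dc_name: using server='DC1.AD.SAMDOM.LOCAL' IP=192.168.254.1
Connected to LDAP server dc1.ad.SAMDOM.local
KDC time offset is 0 seconds
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
return code = -1
"""

PARAM = re.compile(r"^doing parameter (.+?) = (.*)$")
CTDB_DB = re.compile(r"^db_open_ctdb: opened database '([^']+)'")
DC_USED = re.compile(r"^ads_dc_name: using server='([^']+)' IP=(\S+)")
KDC_OFFSET = re.compile(r"^KDC time offset is (-?\d+) seconds")
KINIT_FAIL = re.compile(r"^kerberos_kinit_password (\S+) failed: (.+)$")
JOIN_BAD = re.compile(r"^Join to domain is not valid: (.+)$")

MAX_SKEW_SECONDS = 300   # Kerberos default clockskew (assumption for this triage)


def parse_testjoin(text):
    """Collect smb.conf parameters, CTDB-opened databases, the DC used,
    the KDC time offset, kinit failures and the final join verdict."""
    info = {"params": {}, "ctdb_dbs": [], "dc": None, "kdc_offset": None,
            "kinit_failures": [], "join_error": None}
    for line in text.splitlines():
        line = line.strip()
        if m := PARAM.match(line):
            info["params"][m.group(1).lower()] = m.group(2)   # last value wins, as in lp_load
        elif m := CTDB_DB.match(line):
            info["ctdb_dbs"].append(m.group(1))
        elif m := DC_USED.match(line):
            info["dc"] = (m.group(1), m.group(2))
        elif m := KDC_OFFSET.match(line):
            info["kdc_offset"] = int(m.group(1))
        elif m := KINIT_FAIL.match(line):
            info["kinit_failures"].append((m.group(1), m.group(2)))
        elif m := JOIN_BAD.match(line):
            info["join_error"] = m.group(1)
    return info


def triage(info):
    """Return human-readable findings, most decisive first."""
    findings = []
    p = info["params"]
    if info["join_error"]:
        findings.append(f"join invalid: {info['join_error']}")
    for princ, reason in info["kinit_failures"]:
        if "Preauthentication failed" in reason:
            skew = info["kdc_offset"]
            if skew is not None and abs(skew) > MAX_SKEW_SECONDS:
                findings.append(f"{princ}: preauth failed with {skew}s skew against "
                                f"{info['dc']}; fix time synchronisation first")
            else:
                findings.append(f"{princ}: preauth failed with no clock skew; the KDC "
                                f"rejects the machine password this host presented")
        else:
            findings.append(f"{princ}: kinit failed: {reason}")
    # Heuristic: with clustering on, secrets.tdb is a CTDB-shared database, so every
    # node reads one machine password while each authenticates as <netbios name>$.
    if p.get("clustering", "").lower() in ("yes", "true", "1") and "secrets.tdb" in info["ctdb_dbs"]:
        findings.append(f"clustering=yes and secrets.tdb is CTDB-shared: all nodes use one "
                        f"machine password but this node authenticates as "
                        f"{p.get('netbios name', '?')}$; a separate 'net ads join' from a "
                        f"node with another netbios name replaces that shared secret")
    return findings
```

For SMB2's output the script reports the invalid join, a preauthentication failure with zero skew against DC1, and the clustered-secrets combination. On a member server the input would come from `net ads testjoin -d 4 2>&1`, which is where the `doing parameter` and `db_open_ctdb` lines are emitted.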