FreeBSD
Dmitry Shitskov, 2016-08-01 12:20:48

Why is SAMBA dropping out of a domain?

Good afternoon.
Please help me diagnose the problem. SAMBA 4.4.5 falls out of the Microsoft domain every week.
net ads testjoin

kerberos_kinit_password [email protected] failed: Preauthentication failed
kerberos_kinit_password [email protected] failed: Preauthentication failed
Join to domain is not valid: Logon failure

Right now I'm doing just this:
net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYAD
Joined 'FILESERVER' to dns domain 'myad.ru'

net ads testjoin
Join is OK

Please tell me how to troubleshoot this: at what point, and which log should I look at?
OS: FreeBSD 10.3
smb4.conf
# Global parameters
[global]
        log level = 2

        server string = Файловый Сервер
        workgroup = MEZON
        realm = MYAD.RU
        netbios name = FILESERVER
        server role = member server
        dns forwarder = 192.168.1.11
        security = ADS
        encrypt passwords = yes

        name resolve order = wins lmhosts hosts bcast
        wins server = 192.168.1.11
        remote announce = 192.168.1.11

        idmap config *:range = 10000-20000

        idmap uid = 10000-20000
        idmap gid = 10000-20000

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        client ldap sasl wrapping = plain

        unix charset = cp1251
        dos charset = 866

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        read only = yes
        browseable = yes
        inherit owner = yes
        inherit acls = yes
        inherit permissions = yes
        map acl inherit = yes
        map archive = no
        map readonly = no

        locking = yes
        oplocks = true


        store dos attributes = yes
        acl check permissions = yes
        vfs objects = zfsacl
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = yes
        guest ok = no
        map to guest = Bad User
        hide dot files = yes

        veto files = /Thumbs.db/
        delete veto files = yes
        hide files = /*.dwl|*.dwl2/

        deadtime = 360
        getwd cache = yes

krb.conf
[libdefaults]
        default_realm = DOMAIN.RU
        clockskew = 300
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
        }

[realms]
        DOMAIN.RU = {
                kdc = DOMAIN.RU
                admin_server = DOMAIN.RU
        }

[domain_realm]
        .domain.ru = DOMAIN.RU

3 answer(s)
Dmitry Shitskov, 2016-08-28
@Zarom

I found the problem by following the troubleshooting guide on the official Wiki.
My keytab file was missing/corrupted. I removed the one I had.
I added this to the Samba configuration:

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

Then I ran:
net ads leave -U Administrator
net ads join -U Administrator

After that, the keytab file appeared and SAMBA no longer falls out of the domain; it regularly updates the keys from the keytab file.
If the file does not appear, it is recommended to create it manually:
net ads keytab create -U Administrator
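
A check for the condition the answer above describes (keytab use not enabled, or the keytab file missing or corrupted), given as an added example that is not part of the original thread. The function names, the exit codes and the fallback path /etc/krb5.keytab are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the keytab settings named in the answer.
# Usage (after sourcing this file): check_keytab /path/to/smb4.conf

# Print a [global] parameter from an smb.conf-style file (last value wins).
# Simplified reader: lowercases the name, collapses whitespace, ignores includes.
smb_global_param() {   # $1 = config file, $2 = parameter name in lowercase
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[^a-z0-9]/, "", sect); next }
        sect == "global" && (i = index($0, "=")) {
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Exit status: 0 ok, 1 keytab method not enabled, 2 keytab missing or empty,
# 3 file does not start with the keytab magic (0x05, then version 0x01 or 0x02).
check_keytab() {       # $1 = path to smb4.conf
    method=$(smb_global_param "$1" "kerberos method" | tr 'A-Z' 'a-z')
    keytab=$(smb_global_param "$1" "dedicated keytab file")
    keytab=${keytab:-/etc/krb5.keytab}   # assumed fallback when the option is unset
    case $method in
        "secrets and keytab"|"dedicated keytab"|"system keytab") ;;
        *) echo "kerberos method = '${method:-unset}': keytab is not used"
           return 1 ;;
    esac
    if [ ! -s "$keytab" ]; then
        echo "keytab $keytab is missing or empty"
        return 2
    fi
    magic=$(od -An -tx1 -N2 "$keytab" | tr -d ' \n')
    case $magic in
        0501|0502) echo "keytab $keytab present (magic $magic)"; return 0 ;;
        *) echo "keytab $keytab looks corrupted (magic '$magic')"; return 3 ;;
    esac
}
```

A zero status only means the file is present and has a keytab header; `net ads testjoin` remains the test of the join itself.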

SergeySL, 2016-08-01
@SergeySL

Uncomment pam_krb5.so in /etc/pam.d/system-auth
This is for RHEL, but it's generally a good idea to specify the OS in such matters.

CityCat4, 2016-08-02
@CityCat4

Because Samba is Samba. It has been like this since time immemorial: sometimes it drops out of the domain for no reason. You can check the time on your computer and in the domain; in my opinion, it should not differ by more than 5 seconds.
