Re: [Samba] Samba domain member losing membership
On Fri, 2012-11-16 at 15:49 +1030, Andrew Galdes wrote: Hello all, I've recently posted here for help with a Samba domain member system which seems to lose it's domain membership. I want to discuss it a little more. I have more information. I'm after comments and suggestions for troubleshooting. Also, i say loses membership but i don't really know if it has lost it. Just doesn't work anymore until i re-join the Samba system to the domain. I have noticed this behaviour with two sites (installations) now. Both are CentOS systems with Samba versions as follows: samba-*-3.5.10-125.el6.x86_64 samba-*-3.5.10-115.el6_2.x86_64 I successfully join these systems to Active Directory domains (2008 r2 DC's) using the following command. The system can then do as i need and wbinfo works: net join -U Administrator%MyPass After some time the Samba servers will stop functioning as expected and users will get 'access denied' errors. wbinfo stops working. Some error messages: LOG FILE: /var/log/samba/log.wb-MYDOM [2012/11/12 13:20:43.338947, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego) Kinit failed: Preauthentication failed [2012/11/12 13:20:43.459457, 2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap) NTLM CRAP authentication for user [MYDOM]\[myuser] returned NT_STATUS_ACCESS_DENIED (PAM: 4) Notice Kinit in the above error. I have not configured Kerberos at this point. I have not identified consistent time intervals for these 'drop-outs'. I have not updated (YUM) these systems between the joining and dropping from the domains. What might cause this? What causes this is that when we change our domain membership password, and the connection to the DC we change against times out. There is a patch in later releases for this (gives a longer timeout). The issue is, this takes longer than we allow, so we think it failed, but it actually succeed, and so we loose our membership. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba domain member losing membership
Thanks. I've updated to the latest version and so far so good. But time will tell in this case. Thanks alot for your help. -Andrew Galdes On Fri, Nov 16, 2012 at 8:45 PM, Andrew Bartlett abart...@samba.org wrote: On Fri, 2012-11-16 at 15:49 +1030, Andrew Galdes wrote: Hello all, I've recently posted here for help with a Samba domain member system which seems to lose it's domain membership. I want to discuss it a little more. I have more information. I'm after comments and suggestions for troubleshooting. Also, i say loses membership but i don't really know if it has lost it. Just doesn't work anymore until i re-join the Samba system to the domain. I have noticed this behaviour with two sites (installations) now. Both are CentOS systems with Samba versions as follows: samba-*-3.5.10-125.el6.x86_64 samba-*-3.5.10-115.el6_2.x86_64 I successfully join these systems to Active Directory domains (2008 r2 DC's) using the following command. The system can then do as i need and wbinfo works: net join -U Administrator%MyPass After some time the Samba servers will stop functioning as expected and users will get 'access denied' errors. wbinfo stops working. Some error messages: LOG FILE: /var/log/samba/log.wb-MYDOM [2012/11/12 13:20:43.338947, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego) Kinit failed: Preauthentication failed [2012/11/12 13:20:43.459457, 2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap) NTLM CRAP authentication for user [MYDOM]\[myuser] returned NT_STATUS_ACCESS_DENIED (PAM: 4) Notice Kinit in the above error. I have not configured Kerberos at this point. I have not identified consistent time intervals for these 'drop-outs'. I have not updated (YUM) these systems between the joining and dropping from the domains. What might cause this? What causes this is that when we change our domain membership password, and the connection to the DC we change against times out. There is a patch in later releases for this (gives a longer timeout). The issue is, this takes longer than we allow, so we think it failed, but it actually succeed, and so we loose our membership. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- -Andrew Galdes Managing Director RHCSA, LPI, CCENT AGIX Linux Ph: 08 7324 4429 Mb: 0422 927 598 Site: http://www.agix.com.au Twitter: http://twitter.com/agixlinux LinkedIn: http://au.linkedin.com/in/andrewgaldes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba domain member losing membership
Hello all, I've recently posted here for help with a Samba domain member system which seems to lose it's domain membership. I want to discuss it a little more. I have more information. I'm after comments and suggestions for troubleshooting. Also, i say loses membership but i don't really know if it has lost it. Just doesn't work anymore until i re-join the Samba system to the domain. I have noticed this behaviour with two sites (installations) now. Both are CentOS systems with Samba versions as follows: samba-*-3.5.10-125.el6.x86_64 samba-*-3.5.10-115.el6_2.x86_64 I successfully join these systems to Active Directory domains (2008 r2 DC's) using the following command. The system can then do as i need and wbinfo works: net join -U Administrator%MyPass After some time the Samba servers will stop functioning as expected and users will get 'access denied' errors. wbinfo stops working. Some error messages: LOG FILE: /var/log/samba/log.wb-MYDOM [2012/11/12 13:20:43.338947, 0] libsmb/cliconnect.c:1052(cli_session_setup_spnego) Kinit failed: Preauthentication failed [2012/11/12 13:20:43.459457, 2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap) NTLM CRAP authentication for user [MYDOM]\[myuser] returned NT_STATUS_ACCESS_DENIED (PAM: 4) Notice Kinit in the above error. I have not configured Kerberos at this point. I have not identified consistent time intervals for these 'drop-outs'. I have not updated (YUM) these systems between the joining and dropping from the domains. What might cause this? -- -Andrew Galdes Managing Director RHCSA, LPI, CCENT AGIX Linux Ph: 08 7324 4429 Mb: 0422 927 598 Site: http://www.agix.com.au Twitter: http://twitter.com/agixlinux LinkedIn: http://au.linkedin.com/in/andrewgaldes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba