Thanks. I've updated to the latest version and so far so good. But time will tell in this case.
Thanks a lot for your help.

-Andrew Galdes

On Fri, Nov 16, 2012 at 8:45 PM, Andrew Bartlett <[email protected]> wrote:

> On Fri, 2012-11-16 at 15:49 +1030, Andrew Galdes wrote:
> > Hello all,
> >
> > I've recently posted here for help with a Samba domain member system which
> > seems to lose its domain membership. I want to discuss it a little more. I
> > have more information. I'm after comments and suggestions for
> > troubleshooting. Also, I say "loses membership" but I don't really know if
> > it has lost it. It just doesn't work anymore until I re-join the Samba system
> > to the domain.
> >
> > I have noticed this behaviour with two sites (installations) now. Both are
> > CentOS systems with Samba versions as follows:
> >
> > samba-*-3.5.10-125.el6.x86_64
> > samba-*-3.5.10-115.el6_2.x86_64
> >
> > I successfully join these systems to Active Directory domains (2008 r2
> > DCs) using the following command. The system can then do as I need and
> > "wbinfo" works:
> >
> > net join -U Administrator%MyPass
> >
> > After some time the Samba servers will stop functioning as expected and
> > users will get 'access denied' errors. "wbinfo" stops working.
> >
> > Some error messages:
> >
> > LOG FILE: "/var/log/samba/log.wb-MYDOM"
> >
> > [2012/11/12 13:20:43.338947, 0]
> > libsmb/cliconnect.c:1052(cli_session_setup_spnego)
> > Kinit failed: Preauthentication failed
> > [2012/11/12 13:20:43.459457, 2]
> > winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
> > NTLM CRAP authentication for user [MYDOM]\[myuser] returned
> > NT_STATUS_ACCESS_DENIED (PAM: 4)
> >
> > Notice Kinit in the above error. I have not configured Kerberos at this
> > point.
> >
> > I have not identified consistent time intervals for these 'drop-outs'. I
> > have not updated (YUM) these systems between the joining and dropping from
> > the domains.
> >
> > What might cause this?
>
> What causes this is that when we change our domain membership password,
> the connection to the DC we change against times out. There is a
> patch in later releases for this (gives a longer timeout).
>
> The issue is, this takes longer than we allow, so we think it failed,
> but it actually succeeded, and so we lose our membership.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                           http://samba.org/~abartlet/
> Authentication Developer, Samba Team      http://samba.org
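An added example, not part of the original thread and not Samba project code: a small parser that scans a winbind log for the pair of messages quoted above, a `Kinit failed: Preauthentication failed` entry followed shortly by an `NT_STATUS_ACCESS_DENIED` logon, so the first occurrence can be timestamped. The log layout (one header line, then indented message lines), the 5-second window, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed layout: "[timestamp, level] source(function)" header, then message lines.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*(\d+)\]\s*(.*)$")

# Constructed sample, modelled on the two messages quoted in the thread.
SAMPLE_LOG = """\
[2012/11/12 09:02:11.120001,  2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [MYDOM]\\[otheruser] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
[2012/11/12 13:20:43.338947,  0] libsmb/cliconnect.c:1052(cli_session_setup_spnego)
  Kinit failed: Preauthentication failed
[2012/11/12 13:20:43.459457,  2] winbindd/winbindd_pam.c:2121(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [MYDOM]\\[myuser] returned NT_STATUS_ACCESS_DENIED (PAM: 4)
"""

def parse_entries(text):
    """Return (timestamp, function, message) for each log entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            func = m.group(3).rsplit("(", 1)[-1].rstrip(")")
            entries.append([ts, func, ""])
        elif entries and line.strip():
            # Continuation line: append to the message of the current entry.
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def stale_secret_suspects(text, window=timedelta(seconds=5)):
    """Return (time, user) for ACCESS_DENIED logons right after a Kinit preauth failure."""
    last_preauth, hits = None, []
    for ts, func, msg in parse_entries(text):
        if "Kinit failed: Preauthentication failed" in msg:
            last_preauth = ts
        elif func == "winbindd_dual_pam_auth_crap" and "NT_STATUS_ACCESS_DENIED" in msg:
            if last_preauth is not None and ts - last_preauth <= window:
                user = re.search(r"for user (\S+) returned", msg)
                hits.append((ts, user.group(1) if user else "?"))
    return hits

if __name__ == "__main__":
    for ts, user in stale_secret_suspects(SAMPLE_LOG):
        print(f"{ts} {user}: denied right after winbind's own Kerberos logon failed")
```

The earliest hit gives a time to compare against when the member last tried to change its machine account password.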
