Topic: Linux desktops loosing their (winbind) domain membership

[mdo]

Hi

We are using (Ubuntu) Linux desktops (version 9.04 and 10.04) for several installations and setup these machines to 'join' the Windows (Samba) domain via command
"sudo net rpc join -S YOUR_PRIMARY_DOMAIN_CONTROLLER_NAME -Udomainadmin" or
"sudo net rpc join -D YOUR_DOMAIN_NAME -Udomainadmin" (both commands seem to work in the same way).

All that is as described in the Wiki under http://wiki.contribs.org/Client_Authentication:Ubuntu

This works and allows domain user logons - but only for some time and then the machine looses the domain membership which means we have to join the domain again to get everything working.

We cannot find what breaks the domain membership. There is no specific time when this issue occurs. It might be after we have done some other administrative activity on the SME server (currently running SME7.4) like adding a user or an ibay or whatever. We suspect an activity that might imply a change for the file /etc/samba/smbpasswd (which is where the Samba domain memberships are maintained) but again, I cannot see what would trigger this or would then change the entry in that Samba file related to the machine account for the Ubuntu client.

I know this is outside the standard SMEserver setup. There are many documents on the net about Winbind and how to set this all up (including our Contrib.org Wiki with the document above) but I have not found anything about the loosing of the domain membership.

Has anybody out here seen this before?

Michael

[kb-ohnemus]

Same for me since ubuntu 9.10 and also on 10.04. It worked perfectly on 8.10.

I have five machines running ubuntu and each needs to be joined to the domain about once a week. But not on a regular interval (somtimes two days, sometimes two weeks) and also not all machines at the same time.

I get an entry in /var/log/samba/log.machinename on SME-server:
[2010/09/20 18:50:21, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client RECHNER6 machine account RECHNER6$

[kb-ohnemus]

O.k., I've been runnung SME8beta6 for two weeks now and the issue seems to be gone. None of my clients requested a "rejoin" of the domain membership.

What is wierd:

Ubuntu 8.04 and SME 7.x used to work perfectly
Ubuntu 10.04 and SME 8.0 seem to work perfectly
Ubuntu 10.04 joining SME 7.5 loose their connection

So where is the problem? Communication between new winbind and old samba?

[cactus]

Are the clocks of the machine in sync with the server. Kerberos (involved in domain trust and password handling) has a tolerance of 5 mins. Please check the clock on your server and compare it to your clients. If the drift is larger then 5 mins you mind have found the cause. This might help in that case: http://www.liberiangeek.net/2010/06/how-to-synchronize-ubuntu-date-and-time-with-trusted-time-servers/

Did you already check the logfiles on your server (/var/log/samba/ look for the hostname or IP of the offending system) and /var/log/smbd/* as well as the logfiles on the system(s) losing the trust relationship.

[Jáder]

Hi

Do you ever fixed this bug ?
I also find out the problem is Ubuntu 10.04 + SME7.x... nothing more.

I have one server 7.5.1 and Ubuntu 10.04 with this problem... I'll upgrade one of them soon... maybe both of them... but do no like to left problems behind.

O.k., I've been runnung SME8beta6 for two weeks now and the issue seems to be gone. None of my clients requested a "rejoin" of the domain membership.

What is wierd:

Ubuntu 8.04 and SME 7.x used to work perfectly
Ubuntu 10.04 and SME 8.0 seem to work perfectly
Ubuntu 10.04 joining SME 7.5 loose their connection

So where is the problem? Communication between new winbind and old samba?

[kb-ohnemus]

Meanwhile I'm on SME8.0beta7 and ubuntu 11.04 and winbind is doing fine. I will try ubuntu 12.04 soon. No further idea about SME7.5 though.

[mdo]

Up to Ubuntu 11.10 on the desktop and SME8b7 on the server end, winbind was working fine. I recently upgraded one machine to Ubuntu 12.04 and have problems since.
wbinfo -u or wbinfo -g are working (= winbind is working?) but getent passwd <username> will not show any of the domain users. Need to test with a fresh Ubuntu 12.04.