I have tried to set up a Samba file server with AD authentication.
Authentication via Active Directory is successful, but if you reboot the server, the Linux Samba file server will NOT rejoin the domain automatically like a Windows server does.
You still have to join the domain manually by issuing the command below with a user password:
net join ads -U username -S DOMAIN.COM
Is there a way to automate this?
I know I can put it in an init script, but the user password changes every 3 months and I don't want to change the script every 3 months.
I am looking for something like a Windows file server, which after a reboot is still connected to the domain without requiring any login credentials.
Here are my configuration files:
cat /etc/samba/smb.conf
#======================= Global Settings =====================================
[global]
workgroup = MYDOMAIN
netbios name = host_name
realm = DOMAIN.COM
password server = dc01.domain.com
security = ads
idmap uid = 100000-200000
idmap gid = 100000-200000
template homedir = /home/%U
template shell = /bin/nologin
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
[idmsx_share_only]
path = /var/windows_share
browseable = yes
writeable = yes
valid users = my_name
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
NUS.EDU.SG = {
kdc = dc01.domain.com
admin_server = dc01.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
cat /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
Here is the Samba log after reboot (I didn't find any abnormal/error messages in the system logs):
[root@samba_server ~]# wbinfo -t
checking the trust secret for domain DOMAIN_NAME via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
[root@samba_server ~]# cat /var/log/samba/log.winbindd
...
[2014/04/28 17:37:24.779467, 0] winbindd/winbindd_util.c:330(trustdom_list_done)
Got invalid trustdom response
[2014/04/28 17:42:24.855052, 0] winbindd/winbindd_util.c:330(trustdom_list_done)
Got invalid trustdom response
[2014/04/28 17:47:24.856028, 0] winbindd/winbindd_util.c:330(trustdom_list_done)
Got invalid trustdom response
[2014/04/28 17:47:48.627719, 0] winbindd/winbindd.c:240(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=1)
[2014/04/28 17:50:41, 0] winbindd/winbindd.c:1382(main)
winbindd version 3.6.9-168.el6_5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
[root@samba_server ~]# cat /var/log/samba/log.nmbd
[2014/04/28 17:47:40, 0] nmbd/nmbd.c:66(terminate)
Got SIGTERM: going down...
[2014/04/28 17:50:44, 0] nmbd/nmbd.c:861(main)
nmbd version 3.6.9-168.el6_5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
[2014/04/28 17:51:07, 0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
*****
Samba name server SAMBA_SERVER is now a local master browser for workgroup DOMAIN_NAME on subnet XXX.XXX.XXX.XXX
*****
[root@samba_server]# cat /var/log/samba/log.smbd
[2014/04/28 17:50:44, 0] smbd/server.c:1026(main)
smbd version 3.6.9-168.el6_5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
[2014/04/28 17:50:45.890687, 0] printing/nt_printing.c:102(nt_printing_init)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2014/04/28 17:50:45.911910, 0] printing/print_cups.c:151(cups_connect)
Unable to connect to CUPS server localhost:631 - Connection refused
[2014/04/28 17:50:45.912696, 0] printing/print_cups.c:528(cups_async_callback)
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Then I have to join the domain manually after reboot:
[root@samba_server ~]# net join ads -U USER_NAME -S DC01.DOMAIN.COM
Enter User's password:
Joined domain DOMAIN.
You shouldn't need to join your Samba host back to the domain every time you reboot! If you've done it correctly, it should just reauthenticate after your services come back up.
Are you getting any errors for smb, winbind or kerberos? I can't view the article you've linked.
It seems likely you've omitted some config step for one of these services.
Also, which platform are you on for Samba? Some basic troubleshooting of the underlying services, by starting and stopping them and looking for errors in the logs, may help.
On a separate note, and not for automating a task to keep joining the domain over and over, you should get a "service account" with a non-expiring password for your Samba service.
In most environments, if you clearly explain the requirement for the non-expiring password, that it doesn't require any unusual privileges, and that you'll follow due process in maintaining it, then there's usually no problem.
If it's an ultra-secure environment and they won't give you a non-expiring password, or a longer expiry interval, then you'll probably just have to deal with reconfiguring it every three months.
I have been trying to find this also and stumbled upon it. Unfortunately I can't find the source of where I got it, but I believe this is happening because winbind is starting after smbd and nmbd. So the trick is to have smbd and nmbd restart after winbind starts. I don't think this is the correct Linux admin way, but it works for me.
Edit /etc/rc.local and add:
service smbd restart
service nmbd restart
Save and reboot to try it out. Mine worked doing this.
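A slightly more defensive version of the rc.local approach above, added here as an example and not part of the original answer: instead of restarting smbd and nmbd blindly, it polls wbinfo -t (the same trust check the question shows failing with NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) until winbind reports a working trust, and only then restarts the daemons. The WBINFO override variable, the 30-try/2-second limits and the logger tag are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: restart smbd/nmbd only after winbind has a working trust.
# WBINFO can be overridden (e.g. for testing); defaults to the real wbinfo.
WBINFO="${WBINFO:-wbinfo}"

# wait_for_trust <max_tries> <delay_seconds>
# Returns 0 as soon as 'wbinfo -t' succeeds, 1 after max_tries failures.
wait_for_trust() {
    max_tries="$1"
    delay="$2"
    n=0
    while [ "$n" -lt "$max_tries" ]; do
        if "$WBINFO" -t >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    return 1
}

# Called from /etc/rc.local: wait up to ~60s for the trust, then restart.
# Refuses to restart (and logs why) if winbind never reports a good trust,
# so a broken join is visible in syslog instead of silently masked.
restart_after_winbind() {
    if wait_for_trust 30 2; then
        logger -t samba-rejoin "winbind trust secret OK, restarting smbd/nmbd"
        service smbd restart
        service nmbd restart
    else
        logger -t samba-rejoin "wbinfo -t never succeeded; not restarting smbd/nmbd"
        return 1
    fi
}
```

In /etc/rc.local you would source this file and call restart_after_winbind; a failure leaves a syslog line tagged samba-rejoin to check with wbinfo -t by hand.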