LinuxQuestions.org
Old 02-28-2018, 12:51 AM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Domain member, getent no longer working


I have a Slackware64 14.2 workstation that has been running as a Samba4 domain member for 2 1/2 years w/o problem. Today, after a reboot, 'getent passwd' returns NO domain members and domain users can no longer log on. I'm sure I did something inadvertent, yet stupid, but I've no idea what. winbindd and samba appear to be running. smb.conf is unchanged dating to 2 years ago. PAM modules appear to be in place. 'wbinfo -u' and 'wbinfo -g' work. 'wbinfo -i mark' gives:
Code:
# wbinfo -i mark
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user mark

The following messages are repeated in a burst of 9 pairs every 30 seconds:
Code:
Feb 28 01:46:21 labrat winbindd[1326]: [2018/02/28 01:46:21.226625,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
Feb 28 01:46:21 labrat winbindd[1326]:   Kinit for LABRAT$@HPRS.LOCAL to access cifs/mail.hprs.local@HPRS.LOCAL failed: Preauthentication failed

Do any of you Active Directory gurus have any idea where I might look for the problem?
 
Old 02-28-2018, 05:01 AM   #2
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

mfoley --

Just guessing here ...

Could your /etc/resolv.conf file have been borked ?

Network Manager tends to make a mess of resolv.conf on our CentOS Boxen so we disable it in favor of good-ole hand-edited network config files.

HTH

-- kjh
 
Old 02-28-2018, 10:36 PM   #3
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Quote:
Originally Posted by kjhambrick
Could your /etc/resolv.conf file have been borked ?

Network Manager tends to make a mess of resolv.conf on our CentOS Boxen so we disable it in favor of good-ole hand-edited network config files.
-- kjh

Yeah, I disabled Network Manager long ago because it messed up other things besides resolv.conf.

I believe I did solve the problem. I tried restoring from a recent backup. Same problem. In fact, I neglected to mention this in my OP, but I had done a previous restore after which the problem manifested. So, for no good reason, I removed the host from the domain, then rejoined the domain (net ads join ...). That actually did the trick!

I'm wondering why. Did restoring to a previous date somehow mess up Kerberos settings with respect to the AD server, or something like that which might be time/sequence related? For example I find:
Code:
/var/lib/samba/private/secrets.tdb
/var/lib/samba/private/netlogon_creds_cli.tdb

which would have been restored to a previous date.

If domain rejoining is needed, this would be good to know. I've not actually had to restore a Linux domain workstation since adding them to the AD domain, so if a rejoin needs to be done as a matter of course after a restore I'll have to document that as a mandatory procedure.

Last edited by mfoley; 02-28-2018 at 10:43 PM.
 
Old 03-07-2018, 10:41 AM   #4
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Well, no more comments I guess. I'll go ahead and mark this as solved, but will make a note in my documentation that if a domain member is restored from a previous version then it must be rejoined to the domain. If someone feels that's wrong, please comment.
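
Added example, not part of the thread: Samba keeps the machine account password in secrets.tdb and winbindd changes it periodically (`machine password timeout`, 604800 seconds by default), so a copy restored from before the last change no longer matches what the DC holds, and a mismatch of that kind produces pre-authentication failures like those quoted in post #1. The script below counts such failures per machine principal in syslog text; the sample log is constructed from the lines in post #1, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: flag a domain member whose machine account fails Kerberos
# pre-authentication, e.g. after secrets.tdb was restored from an old backup.

# Read syslog text on stdin; print "PRINCIPAL COUNT" for every machine
# principal (HOST$@REALM) whose kinit failed pre-authentication.
stale_machine_principals() {
    sed -n 's/.*Kinit for \([^ ]*\$@[^ ]*\) to access .* failed: Preauthentication failed.*/\1/p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Succeed if the log on stdin shows host $1 (case-insensitive) failing.
machine_secret_suspect() {
    host=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    stale_machine_principals |
        awk -v p="${host}\$@" 'index($1, p) == 1 { hit = 1 } END { exit !hit }'
}

# Live confirmation on a real member (root, Samba tools installed):
# wbinfo -t checks the trust secret, net ads testjoin validates the join.
live_trust_check() {
    wbinfo -t && net ads testjoin
}

# Constructed sample log, modelled on the lines in post #1.
SAMPLE_LOG='Feb 28 01:46:21 labrat winbindd[1326]:   Kinit for LABRAT$@HPRS.LOCAL to access cifs/mail.hprs.local@HPRS.LOCAL failed: Preauthentication failed
Feb 28 01:46:51 labrat winbindd[1326]:   Kinit for LABRAT$@HPRS.LOCAL to access cifs/mail.hprs.local@HPRS.LOCAL failed: Preauthentication failed
Feb 28 01:47:02 labrat sshd[2201]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2'

if printf '%s\n' "$SAMPLE_LOG" | machine_secret_suspect "labrat"; then
    echo "machine account pre-auth failures:"
    printf '%s\n' "$SAMPLE_LOG" | stale_machine_principals
    echo "verify with live_trust_check; if it fails, rejoin (net ads join ...)"
fi
```

On a real member, pipe the syslog file that receives winbindd messages into `machine_secret_suspect "$(hostname -s)"` after a restore, then run `live_trust_check` as root to confirm before rejoining.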
 
  


Tags
active directory, fails



All times are GMT -5.