Samba/Winbind join domain requires password at every reboot? - Networking


  1. Samba/Winbind join domain requires password at every reboot?

    Hi,

    I have set up samba to join a windows domain (and everything works
    great) but it seems to require joining to the domain every time it
    reboots with:
    #net join -w mydomain -S myPDC -U administrator

    and then it needs the administrator password, and then a restart of the
    winbind daemon..

    So the question is why is this necessary at every reboot? I don't want
    to leave the admin password in some script. Windows machines don't need
    to do this at every reboot so why winbind? How can I get it to be joined
    permanently..?

    PS: I have googled this a lot and am not able to find a reason for this..
    so any hints will be helpful.
    Thanks.
    Tobias Skytte

  2. Re: Samba/Winbind join domain requires password at every reboot?

    Tobias Skytte wrote:
    > Hi,
    >
    > I have set up samba to join a windows domain (and everything works
    > great) but it seems to require joining to the domain every time it
    > reboots with:
    > #net join -w mydomain -S myPDC -U administrator
    >
    > and then it needs the administrator password, and then a restart of the
    > winbind daemon..
    >
    > So the question is why is this necessary at every reboot? I don't want
    > to leave the admin password in some script. Windows machines don't need
    > to do this at every reboot so why winbind? How can I get it to be joined
    > permanently..?
    >
    > PS: I have googled this a lot and am not able to find a reason for this..
    > so any hints will be helpful.
    > Thanks.
    > Tobias Skytte


    maybe you can send it a HUP signal instead
    because when smbd receives a HUP signal it rereads smb.conf and
    changes its config according to them, maybe winbindd does the same

    i'm not sure about this, it's just a suggestion

  3. Re: Samba/Winbind join domain requires password at every reboot?

    goarilla@work skrev:
    > Tobias Skytte wrote:
    >> Hi,
    >>
    >> I have set up samba to join a windows domain (and everything works
    >> great) but it seems to require joining to the domain every time it
    >> reboots with:
    >> #net join -w mydomain -S myPDC -U administrator
    >>
    >> and then it needs the administrator password, and then a restart of
    >> the winbind daemon..
    >>
    >> So the question is why is this necessary at every reboot? I don't want
    >> to leave the admin password in some script. Windows machines don't
    >> need to do this at every reboot so why winbind? How can I get it to be
    >> joined permanently..?
    >>
    >> PS: I have googled this a lot and am not able to find a reason for
    >> this.. so any hints will be helpful.
    >> Thanks.
    >> Tobias Skytte

    >
    > maybe you can send it a HUP signal instead
    > because when smbd receives a HUP signal it rereads smb.conf and
    > changes its config according to them, maybe winbindd does the same
    >
    > i'm not sure about this, it's just a suggestion


    Hi,
    Thanks, but it's not so much a problem with restarting the daemon or
    re-reading the conf, it's more of a problem that it has to ask for the
    admin password every time it reboots (because it has to re-join the
    domain which shouldn't be necessary), and I don't want to leave that in
    some script. So the real question is, why is the domain joining not
    persistent?

    Regards,
    Tobias Skytte

  4. Re: Samba/Winbind join domain requires password at every reboot?

    Tobias Skytte wrote:
    > goarilla@work skrev:
    >> Tobias Skytte wrote:
    >>> Hi,
    >>>
    >>> I have set up samba to join a windows domain (and everything works
    >>> great) but it seems to require joining to the domain every time it
    >>> reboots with:
    >>> #net join -w mydomain -S myPDC -U administrator
    >>>
    >>> and then it needs the administrator password, and then a restart of
    >>> the winbind daemon..
    >>>
    >>> So the question is why is this necessary at every reboot? I don't
    >>> want to leave the admin password in some script. Windows machines
    >>> don't need to do this at every reboot so why winbind? How can I get
    >>> it to be joined permanently..?
    >>>
    >>> PS: I have googled this a lot and am not able to find a reason for
    >>> this.. so any hints will be helpful.
    >>> Thanks.
    >>> Tobias Skytte

    >>
    >> maybe you can send it a HUP signal instead
    >> because when smbd receives a HUP signal it rereads smb.conf and
    >> changes its config according to them, maybe winbindd does the same
    >>
    >> i'm not sure about this, it's just a suggestion

    >
    > Hi,
    > Thanks, but it's not so much a problem with restarting the daemon or
    > re-reading the conf, it's more of a problem that it has to ask for the
    > admin password every time it reboots (because it has to re-join the
    > domain which shouldn't be necessary), and I don't want to leave that in
    > some script. So the real question is, why is the domain joining not
    > persistent?
    >
    > Regards,
    > Tobias Skytte


    If you don't have to authenticate yourself to the domain when you
    reboot, then how can the domain be sure who you are?

    You have to store a password somewhere!

    Robert

  5. Re: Samba/Winbind join domain requires password at every reboot?

    Robert Harris skrev:
    > Tobias Skytte wrote:
    >> goarilla@work skrev:
    >>> Tobias Skytte wrote:
    >>>> Hi,
    >>>>
    >>>> I have set up samba to join a windows domain (and everything works
    >>>> great) but it seems to require joining to the domain every time it
    >>>> reboots with:
    >>>> #net join -w mydomain -S myPDC -U administrator
    >>>>
    >>>> and then it needs the administrator password, and then a restart of
    >>>> the winbind daemon..
    >>>>
    >>>> So the question is why is this necessary at every reboot? I don't
    >>>> want to leave the admin password in some script. Windows machines
    >>>> don't need to do this at every reboot so why winbind? How can I get
    >>>> it to be joined permanently..?
    >>>>
    >>>> PS: I have googled this a lot and am not able to find a reason for
    >>>> this.. so any hints will be helpful.
    >>>> Thanks.
    >>>> Tobias Skytte
    >>> maybe you can send it a HUP signal instead
    >>> because when smbd receives a HUP signal it rereads smb.conf and
    >>> changes its config according to them, maybe winbindd does the same
    >>>
    >>> i'm not sure about this, it's just a suggestion

    >> Hi,
    >> Thanks, but it's not so much a problem with restarting the daemon or
    >> re-reading the conf, it's more of a problem that it has to ask for the
    >> admin password every time it reboots (because it has to re-join the
    >> domain which shouldn't be necessary), and I don't want to leave that in
    >> some script. So the real question is, why is the domain joining not
    >> persistent?
    >>
    >> Regards,
    >> Tobias Skytte

    >
    > If you don't have to authenticate yourself to the domain when you
    > reboot, then how can the domain be sure who you are?
    >
    > You have to store a password somewhere!
    >
    > Robert


    Well, in Windows once you join the domain you don't have to enter the
    admin password at every reboot, and if you change the admin password in
    the PDC then all the machines don't have to be re-joined, so once they
    are joined they are joined forever. Why should this behaviour be
    different under linux?
    The main prob, is 1) I have to put the PDC admin password in plain text
    in a script, and 2) if the admin password changes then the script has to
    be changed and 3) why should it be different under linux than under windows?


    Regards,
    Tobias

  6. Re: Samba/Winbind join domain requires password at every reboot?

    Tobias Skytte wrote:
    > Robert Harris skrev:
    >>
    >> If you don't have to authenticate yourself to the domain when you
    >> reboot, then how can the domain be sure who you are?
    >>
    >> You have to store a password somewhere!
    >>
    >> Robert

    >
    > Well, in Windows once you join the domain you don't have to enter the
    > admin password at every reboot, and if you change the admin password in
    > the PDC then all the machines don't have to be re-joined, so once they
    > are joined they are joined forever. Why should this behaviour be
    > different under linux?
    > The main prob, is 1) I have to put the PDC admin password in plain text
    > in a script, and 2) if the admin password changes then the script has to
    > be changed and 3) why should it be different under linux than under
    > windows?


    I'm not certain how you've set up Samba, but AD is just the MS
    implementation of Kerberos and LDAP. Each machine needs its own
    account. (In Kerberos, each machine is a principal.) When the machine
    boots, it logs in to the Windows domain (Kerberos realm) as itself, not
    as a person. This is before any human (who would also be a principal)
    ever tries to log in on the client. So...

    Do you have an account for the machine under Computers in Users and
    Computers (LDAP)? And, if you do, why are you logging the client
    machine in as the (domain?) administrator instead of as itself? Or
    maybe you keep creating a machine account over and over and over and
    over and ... which *would* use the domain admin account, but you should
    only have to do it once ever.

    Just some ideas for you.

  7. Re: Samba/Winbind join domain requires password at every reboot?

    Allen Kistler skrev:
    > Tobias Skytte wrote:
    >> Robert Harris skrev:
    >>>
    >>> If you don't have to authenticate yourself to the domain when you
    >>> reboot, then how can the domain be sure who you are?
    >>>
    >>> You have to store a password somewhere!
    >>>
    >>> Robert

    >>
    >> Well, in Windows once you join the domain you don't have to enter the
    >> admin password at every reboot, and if you change the admin password
    >> in the PDC then all the machines don't have to be re-joined, so once
    >> they are joined they are joined forever. Why should this behaviour be
    >> different under linux?
    >> The main prob, is 1) I have to put the PDC admin password in plain
    >> text in a script, and 2) if the admin password changes then the script
    >> has to be changed and 3) why should it be different under linux than
    >> under windows?

    >
    > I'm not certain how you've set up Samba, but AD is just the MS
    > implementation of Kerberos and LDAP. Each machine needs its own
    > account. (In Kerberos, each machine is a principal.) When the machine
    > boots, it logs in to the Windows domain (Kerberos realm) as itself, not
    > as a person. This is before any human (who would also be a principal)
    > ever tries to log in on the client. So...
    >
    > Do you have an account for the machine under Computers in Users and
    > Computers (LDAP)? And, if you do, why are you logging the client
    > machine in as the (domain?) administrator instead of as itself? Or
    > maybe you keep creating a machine account over and over and over and
    > over and ... which *would* use the domain admin account, but you should
    > only have to do it once ever.
    >
    > Just some ideas for you.


    Hi, Thanks for your ideas. There is indeed a machine account under
    'Computers'. When you say why am I 'logging the client in as
    administrator instead of itself' what do you mean by 'logging in'? do
    you mean the 'net join' command? How would I log it in as 'itself'?

    The man page for 'net' says under 'JOIN':
    Join a domain. If the account already exists on the server, and [TYPE]
    is MEMBER, the machine will attempt to join automatically. (assuming
    that the machine has been created in server manager) otherwise a
    password will be prompted for, and new account may be created.

    However, the machine account already exists, so why does it keep asking
    for the password? should I not use the -U administrator option? and then
    what should I use?

    Thanks!

  8. Re: Samba/Winbind join domain requires password at every reboot?

    Tobias Skytte wrote:
    > Allen Kistler skrev:
    >> Tobias Skytte wrote:
    >>> Robert Harris skrev:
    >>>>
    >>>> If you don't have to authenticate yourself to the domain when you
    >>>> reboot, then how can the domain be sure who you are?
    >>>>
    >>>> You have to store a password somewhere!
    >>>>
    >>>> Robert
    >>>
    >>> Well, in Windows once you join the domain you don't have to enter the
    >>> admin password at every reboot, and if you change the admin password
    >>> in the PDC then all the machines don't have to be re-joined, so once
    >>> they are joined they are joined forever. Why should this behaviour be
    >>> different under linux?
    >>> The main prob, is 1) I have to put the PDC admin password in plain
    >>> text in a script, and 2) if the admin password changes then the
    >>> script has to be changed and 3) why should it be different under
    >>> linux than under windows?

    >>
    >> I'm not certain how you've set up Samba, but AD is just the MS
    >> implementation of Kerberos and LDAP. Each machine needs its own
    >> account. (In Kerberos, each machine is a principal.) When the
    >> machine boots, it logs in to the Windows domain (Kerberos realm) as
    >> itself, not as a person. This is before any human (who would also be
    >> a principal) ever tries to log in on the client. So...
    >>
    >> Do you have an account for the machine under Computers in Users and
    >> Computers (LDAP)? And, if you do, why are you logging the client
    >> machine in as the (domain?) administrator instead of as itself? Or
    >> maybe you keep creating a machine account over and over and over and
    >> over and ... which *would* use the domain admin account, but you
    >> should only have to do it once ever.
    >>
    >> Just some ideas for you.

    >
    > Hi, Thanks for your ideas. There is indeed a machine account under
    > 'Computers'. When you say why am I 'logging the client in as
    > administrator instead of itself' what do you mean by 'logging in'? do
    > you mean the 'net join' command? How would I log it in as 'itself'?


    Well, your machine was asking you for the admin password for something.

    > The man page for 'net' says under 'JOIN':
    > Join a domain. If the account already exists on the server, and [TYPE]
    > is MEMBER, the machine will attempt to join automatically. (assuming
    > that the machine has been created in server manager) otherwise a
    > password will be prompted for, and new account may be created.
    >
    > However, the machine account already exists, so why does it keep asking
    > for the password? should I not use the -U administrator option? and then
    > what should I use?


    Apparently your machine is forgetting that it has an account, so you
    just keep creating one over and over. You should only have to create
    the account once, then samba and winbind should just use it. Delete the
    account from the Windows side, then run the join. Make sure neither
    samba nor winbind is running when you execute the join command in a
    terminal. When you boot, you shouldn't be asked for a password.

    If that doesn't work, you'll have to dig in to samba/winbind to find out
    why.
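
One way to confirm at boot, without any administrator password, that the join described in the answer above persisted (an added example, not part of the original thread). It assumes the machine account secret is kept in Samba's secrets.tdb at the default path shown; the script name check-join.sh is hypothetical.

```shell
#!/bin/sh
# Added example: boot-time check that the domain join survived a reboot.
# Assumption: default secrets.tdb path below; confirm yours with
#   smbd -b | grep PRIVATE_DIR
SECRETS="${SECRETS:-/var/lib/samba/private/secrets.tdb}"

# Describe the file that holds the machine account secret:
#   missing  no file, so the join state did not persist
#   empty    file exists but holds nothing
#   exposed  group or others have some access to it
#   ok       present, non-empty, owner-only
secrets_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" = "------" ]; then echo ok; else echo exposed; fi
}

# Return 0 only if the stored machine secret still authenticates.
# Neither command takes -U: both use the machine account, not an admin.
check_join() {
    state=$(secrets_state "$SECRETS")
    if [ "$state" != ok ]; then
        echo "machine secret is $state: $SECRETS" >&2
        return 1
    fi
    # For an NT4-style (RPC) join; use "net ads testjoin" for an ADS join.
    net rpc testjoin || return 2
    # Asks the running winbindd to verify the trust secret.
    wbinfo -t || return 3
}

# Run the check only when asked, e.g. from a boot script:
#   ./check-join.sh --check
if [ "${1:-}" = "--check" ]; then
    check_join
    exit $?
fi
```

A result of "missing" after a reboot means the stored join state is being lost between boots, which is the situation in which a re-join (and the admin password) keeps being required.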
