Samba/Winbind join domain requires password at every reboot?

Hi,

I have set up samba to join a windows domain (and everything works
great) but it seems to require joining to the domain everytime it
reboots with:
#net join -w mydomain -S myPDC -U administrator

and then it needs the administrator password, and then a restart of the
winbind daemon..

So the question is why is this necessary at every reboot? I don't want
to leave the admin password in some script. Windows machines don't need
to do this at every reboot so why winbind? How can I get it to be joined
permanently..?

PS: I have googled this alot and am not able to find a reason for this..
so any hints will be helpful.
Thanks.
Tobias Skytte

Tobias Skytte wrote:
> Hi,
>
> I have set up samba to join a windows domain (and everything works
> great) but it seems to require joining to the domain everytime it
> reboots with:
> #net join -w mydomain -S myPDC -U administrator
>
> and then it needs the administrator password, and then a restart of the
> winbind daemon..
>
> So the question is why is this necessary at every reboot? I don't want
> to leave the admin password in some script. Windows machines don't need
> to do this at every reboot so why winbind? How can I get it to be joined
> permanently..?
>
> PS: I have googled this alot and am not able to find a reason for this..
> so any hints will be helpful.
> Thanks.
> Tobias Skytte

maybe you can send it a HUP signal instead
because when smbd receives a HUP signal it rereads smb.conf and
changes its config according to them, maybe winbindd does the same

i'm not sure about this, it's just a suggestion

goarilla@work skrev:
> Tobias Skytte wrote:
>> Hi,
>>
>> I have set up samba to join a windows domain (and everything works
>> great) but it seems to require joining to the domain everytime it
>> reboots with:
>> #net join -w mydomain -S myPDC -U administrator
>>
>> and then it needs the administrator password, and then a restart of
>> the winbind daemon..
>>
>> So the question is why is this necessary at every reboot? I don't want
>> to leave the admin password in some script. Windows machines don't
>> need to do this at every reboot so why winbind? How can I get it to be
>> joined permanently..?
>>
>> PS: I have googled this alot and am not able to find a reason for
>> this.. so any hints will be helpful.
>> Thanks.
>> Tobias Skytte
>
> maybe you can send it a HUP signal instead
> because when smbd receives a HUP signal it rereads smb.conf and
> changes its config according to them, maybe winbindd does the same
>
> i'm not sure about this, it's just a suggestion

Hi,
Thanks, but its not so much a problem with restarting the daemon or
re-reding the conf, its more of a problem that it has to ask for the
admin password everytime it reboots (because it has to re-join the
domain which shouldn't be necessary), and I don't want to leave that in
some script. So the real question is, why is the domain joining not
persistent?

Regards,
Tobias Skytte

Tobias Skytte wrote:
> goarilla@work skrev:
>> Tobias Skytte wrote:
>>> Hi,
>>>
>>> I have set up samba to join a windows domain (and everything works
>>> great) but it seems to require joining to the domain everytime it
>>> reboots with:
>>> #net join -w mydomain -S myPDC -U administrator
>>>
>>> and then it needs the administrator password, and then a restart of
>>> the winbind daemon..
>>>
>>> So the question is why is this necessary at every reboot? I don't
>>> want to leave the admin password in some script. Windows machines
>>> don't need to do this at every reboot so why winbind? How can I get
>>> it to be joined permanently..?
>>>
>>> PS: I have googled this alot and am not able to find a reason for
>>> this.. so any hints will be helpful.
>>> Thanks.
>>> Tobias Skytte
>>
>> maybe you can send it a HUP signal instead
>> because when smbd receives a HUP signal it rereads smb.conf and
>> changes its config according to them, maybe winbindd does the same
>>
>> i'm not sure about this, it's just a suggestion
>
> Hi,
> Thanks, but its not so much a problem with restarting the daemon or
> re-reding the conf, its more of a problem that it has to ask for the
> admin password everytime it reboots (because it has to re-join the
> domain which shouldn't be necessary), and I don't want to leave that in
> some script. So the real question is, why is the domain joining not
> persistent?
>
> Regards,
> Tobias Skytte

If you don't have to authenticate yourself to the domain when you
reboot, then how can the domain be sure who you are?

You have to store a password somewhere!

Robert

Robert Harris skrev:
> Tobias Skytte wrote:
>> goarilla@work skrev:
>>> Tobias Skytte wrote:
>>>> Hi,
>>>>
>>>> I have set up samba to join a windows domain (and everything works
>>>> great) but it seems to require joining to the domain everytime it
>>>> reboots with:
>>>> #net join -w mydomain -S myPDC -U administrator
>>>>
>>>> and then it needs the administrator password, and then a restart of
>>>> the winbind daemon..
>>>>
>>>> So the question is why is this necessary at every reboot? I don't
>>>> want to leave the admin password in some script. Windows machines
>>>> don't need to do this at every reboot so why winbind? How can I get
>>>> it to be joined permanently..?
>>>>
>>>> PS: I have googled this alot and am not able to find a reason for
>>>> this.. so any hints will be helpful.
>>>> Thanks.
>>>> Tobias Skytte
>>> maybe you can send it a HUP signal instead
>>> because when smbd receives a HUP signal it rereads smb.conf and
>>> changes its config according to them, maybe winbindd does the same
>>>
>>> i'm not sure about this, it's just a suggestion
>> Hi,
>> Thanks, but its not so much a problem with restarting the daemon or
>> re-reding the conf, its more of a problem that it has to ask for the
>> admin password everytime it reboots (because it has to re-join the
>> domain which shouldn't be necessary), and I don't want to leave that in
>> some script. So the real question is, why is the domain joining not
>> persistent?
>>
>> Regards,
>> Tobias Skytte
>
> If you don't have to authenticate yourself to the domain when you
> reboot, then how can the domain be sure who you are?
>
> You have to store a password somewhere!
>
> Robert

Well, in Windows once you join the domain you don't have to enter the
admin password at every reboot, and if you change the admin password in
the PDC then all the machines don't have to be re-joined, so once they
are joined they are joined forever. Why should this behaviour be
different under linux?
The main prob, is 1) I have to put the PDC admin password in plain text
in a script, and 2) if the admin password changes then the script has to
be changed and 3) why should it be different under linux than under windows?


Regards,
Tobias

Tobias Skytte wrote:
> Robert Harris skrev:
>>
>> If you don't have to authenticate yourself to the domain when you
>> reboot, then how can the domain be sure who you are?
>>
>> You have to store a password somewhere!
>>
>> Robert
>
> Well, in Windows once you join the domain you don't have to enter the
> admin password at every reboot, and if you change the admin password in
> the PDC then all the machines don't have to be re-joined, so once they
> are joined they are joined forever. Why should this behaviour be
> different under linux?
> The main prob, is 1) I have to put the PDC admin password in plain text
> in a script, and 2) if the admin password changes then the script has to
> be changed and 3) why should it be different under linux than under
> windows?

I'm not certain how you've set up Samba, but AD is just the MS
implementation of Kerberos and LDAP. Each machine needs its own
account. (In Kerberos, each machine is a principal.) When the machine
boots, it logs in to the Windows domain (Kerberos realm) as itself, not
as a person. This is before any human (who would also be a principal)
ever tries to log in on the client. So...

Do you have an account for the machine under Computers in Users and
Computers (LDAP)? And, if you do, why are you logging the client
machine in as the (domain?) administrator instead of as itself? Or
maybe you keep creating a machine account over and over and over and
over and ... which *would* use the domain admin account, but you should
only have to do it once ever.

Just some ideas for you.

Allen Kistler skrev:
> Tobias Skytte wrote:
>> Robert Harris skrev:
>>>
>>> If you don't have to authenticate yourself to the domain when you
>>> reboot, then how can the domain be sure who you are?
>>>
>>> You have to store a password somewhere!
>>>
>>> Robert
>>
>> Well, in Windows once you join the domain you don't have to enter the
>> admin password at every reboot, and if you change the admin password
>> in the PDC then all the machines don't have to be re-joined, so once
>> they are joined they are joined forever. Why should this behaviour be
>> different under linux?
>> The main prob, is 1) I have to put the PDC admin password in plain
>> text in a script, and 2) if the admin password changes then the script
>> has to be changed and 3) why should it be different under linux than
>> under windows?
>
> I'm not certain how you've set up Samba, but AD is just the MS
> implementation of Kerberos and LDAP. Each machine needs its own
> account. (In Kerberos, each machine is a principal.) When the machine
> boots, it logs in to the Windows domain (Kerberos realm) as itself, not
> as a person. This is before any human (who would also be a principal)
> ever tries to log in on the client. So...
>
> Do you have an account for the machine under Computers in Users and
> Computers (LDAP)? And, if you do, why are you logging the client
> machine in as the (domain?) administrator instead of as itself? Or
> maybe you keep creating a machine account over and over and over and
> over and ... which *would* use the domain admin account, but you should
> only have to do it once ever.
>
> Just some ideas for you.

Hi, Thanks for your ideas. There is indeed a machine account under
'Computers'. When you say why am I 'logging the client in as
administrator instead of itself' what do you mean by 'logging in'? do
you mean the 'net join' command? How would I log it in as 'itself'?

The man page for 'net' says under 'JOIN':
Join a domain. If the account already exists on the server, and [TYPE]
is MEMBER, the machine will attempt to join automatically. (assuming
that the machine has been created in server manager) otherwise a
password will be prompted for, and new account may be created.

However, the machine account allready exits, so why does it keep asking
for the password? should I not use the -U administrator option? and then
what should I use?

Thanks!

Tobias Skytte wrote:
> Allen Kistler skrev:
>> Tobias Skytte wrote:
>>> Robert Harris skrev:
>>>>
>>>> If you don't have to authenticate yourself to the domain when you
>>>> reboot, then how can the domain be sure who you are?
>>>>
>>>> You have to store a password somewhere!
>>>>
>>>> Robert
>>>
>>> Well, in Windows once you join the domain you don't have to enter the
>>> admin password at every reboot, and if you change the admin password
>>> in the PDC then all the machines don't have to be re-joined, so once
>>> they are joined they are joined forever. Why should this behaviour be
>>> different under linux?
>>> The main prob, is 1) I have to put the PDC admin password in plain
>>> text in a script, and 2) if the admin password changes then the
>>> script has to be changed and 3) why should it be different under
>>> linux than under windows?
>>
>> I'm not certain how you've set up Samba, but AD is just the MS
>> implementation of Kerberos and LDAP. Each machine needs its own
>> account. (In Kerberos, each machine is a principal.) When the
>> machine boots, it logs in to the Windows domain (Kerberos realm) as
>> itself, not as a person. This is before any human (who would also be
>> a principal) ever tries to log in on the client. So...
>>
>> Do you have an account for the machine under Computers in Users and
>> Computers (LDAP)? And, if you do, why are you logging the client
>> machine in as the (domain?) administrator instead of as itself? Or
>> maybe you keep creating a machine account over and over and over and
>> over and ... which *would* use the domain admin account, but you
>> should only have to do it once ever.
>>
>> Just some ideas for you.
>
> Hi, Thanks for your ideas. There is indeed a machine account under
> 'Computers'. When you say why am I 'logging the client in as
> administrator instead of itself' what do you mean by 'logging in'? do
> you mean the 'net join' command? How would I log it in as 'itself'?

Well, your machine was asking you for the admin password for something.

> The man page for 'net' says under 'JOIN':
> Join a domain. If the account already exists on the server, and [TYPE]
> is MEMBER, the machine will attempt to join automatically. (assuming
> that the machine has been created in server manager) otherwise a
> password will be prompted for, and new account may be created.
>
> However, the machine account allready exits, so why does it keep asking
> for the password? should I not use the -U administrator option? and then
> what should I use?

Apparently your machine is forgetting that it has an account, so you
just keep creating one over and over. You should only have to create
the account once, then samba and winbind should just use it. Delete the
account from the Windows side, then run the join. Make sure neither
samba nor winbind is running when you execute the join command in a
terminal. When you boot, you shouldn't be asked for a password.

If that doesn't work, you'll have to dig in to samba/winbind to find out
why.