Network has a head office with a group of remote sites connected over a private WAN. Inter-office bandwidth is 768 Kbps min, 3 Mbps max. Head office has a PDC and 2 BDCs. Remote branches have one BDC. The PDC is also the master LDAP server. All BDCs have replicated LDAP slaves. LDAP replication is working flawlessly.

Samba is working just as it should, except that machine password changes are failing. The machine password changes on the head office LAN randomly go to the BDCs and the PDC. In the branch offices all password changes are hitting the local BDC. All machine account password change attempts are failing. On the BDC there is a simple error log (level 1) that says:

creds_server_check: credentials check failed

There is no evidence that the BDC tried to contact the PDC. When a Windows client hits the PDC to change the machine account password, the level 1 logs show LDAP access errors, as well as the credentials check error. I am attaching logs from a remote BDC and from the PDC.

Diagnostics so far: Figured that I should at least test/validate that this is not a basic LDAP configuration issue. I tried rejoining a machine to the domain. I captured the network traffic between a remote client and its local BDC. I also captured the resulting traffic on the PDC/master LDAP server. The domain join works flawlessly. The BDC gets a referral from the BDC's LDAP slave, redirects to the master LDAP server and updates the machine account (creating it if not found). I am unable to mess with the machine account password change configs on the customer site, so will have to try replicating the environment on my test network some time soon.
Created attachment 1615: BDC log file of failed machine password change attempt
Created attachment 1616: PDC log file of failed machine password change attempt
John, at least the LDAP errors (ldapsam_get_account_policy) should be fixed with https://bugzilla.samba.org/show_bug.cgi?id=3391. Any chance for you to test the SAMBA_3_0 branch?
I have the same problem. But it seems to depend on the Windows XP installation. Because if I installed a "fresh" XP, and do the domain joining during installation, it works. But if I used one of my "old" XP images (ghost), I can join the domain but after that I can't log in :( Moreover if I change the name of my "fresh" XP, I can (re)join the domain but after that, I can't log in too. The only way I found is to put the "fresh" Windows in a WORKGROUP and after put it again on the DOMAIN. I don't really understand what's going wrong. What really are "machine credentials"? Why do we need sambaNTPassword for a workstation account?!

Error:

Workstation = bordel
[..]
Primary group is 0 and contains 0 supplementary groups
The connection to the LDAP server was closed
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
init_sam_from_ldap: Entry found for user: bordel$
Finding user bordel$
Trying _Get_Pwnam(), username as lowercase is bordel$
Finding user bordel$
Trying _Get_Pwnam(), username as lowercase is bordel$
Finding user bordel$
Trying _Get_Pwnam(), username as lowercase is bordel$
Finding user bordel$
Trying _Get_Pwnam(), username as lowercase is bordel$
pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
cred_create_session_key
clnt_chal_in: F2E95EBF58F12672
srv_chal_in : C683D86B7A43A56A
clnt+srv : B86D372BD234CCDC
sess_key_out : A73B78276DC16DDF
creds_server_check: challenge : D03877B7697CC824
calculated: 266E0A792D7B87B2
creds_server_check: credentials check failed.
_net_auth2: creds_server_check failed. Rejecting auth request from client BORDEL machine account BORDEL$
000000 net_io_r_auth_2
0000 data: 00 00 00 00 00 00 00 00
0008 neg_flags: 00000000
000c status: NT_STATUS_ACCESS_DENIED
api_rpcTNP: called NETLOGON successfully
[..]

I have a 3.0.21b PDC (sernet debian pkg) with a _readonly_ LDAP. I'm _not_ using smbldap scripts.
I do my own LDIF and put it in. LDIF sample:

dn: uid=bordel$, ou=machines, dc=univ-avignon,dc=fr
sambaPwdLastSet: 1140077623
sambaAcctFlags: [W ]
userPassword::
loginShell: /bin/false
uidNumber: 5002
gidNumber: 10001
sambaPwdMustChange: 2147483647
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: account
uid: bordel$
sambaDomainName: UAPV
sambaSID: S-1-5-21-3325825249-2008933289-1582526155-11004
cn: bordel
homeDirectory: /dev/null
sambaNTPassword: CB02212AD8CFA6866C24C10084C99B0F
sambaPwdCanChange: 1140077623
sambaPrimaryGroupSID: S-1-5-21-3325825249-2008933289-1582526155-515
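The credential-chain lines in the debug output above, as an added example that is not part of this bug report or of Samba: a small script that reads those lines back, re-does the one step of Samba 3's cred_create_session_key() that the log makes checkable without the machine password (the two challenges are added as little-endian 32-bit words, carries discarded) and reports whether the client's credential ("challenge") matched what the DC calculated. The session key and the credential itself are DES operations keyed on the machine account's NT hash (the sambaNTPassword value in the LDIF) and are deliberately not recomputed, so the script cannot say which side holds the wrong password; it confirms the log is internally consistent and names the mismatch. The sample log text is constructed from the lines quoted above.

```python
"""Check the NETLOGON credential-chain lines from a Samba 3 debug log.

Added example, not Samba code. Only the challenge addition is recomputed; the
session key and credential are DES steps keyed on the machine NT hash and are
read from the log rather than recalculated.
"""
import re
import struct

# Constructed sample: the credential-chain lines quoted in the comment above.
SAMPLE_LOG = """\
cred_create_session_key
clnt_chal_in: F2E95EBF58F12672
srv_chal_in : C683D86B7A43A56A
clnt+srv : B86D372BD234CCDC
sess_key_out : A73B78276DC16DDF
creds_server_check: challenge : D03877B7697CC824
calculated: 266E0A792D7B87B2
creds_server_check: credentials check failed.
_net_auth2: creds_server_check failed. Rejecting auth request from client BORDEL machine account BORDEL$
"""

# Each value is 8 bytes printed as 16 hex digits after a label and a colon.
FIELD_RE = re.compile(
    r"(clnt_chal_in|srv_chal_in|clnt\+srv|sess_key_out|challenge|calculated)"
    r"\s*:\s*([0-9A-Fa-f]{16})"
)


def parse_cred_lines(text):
    """Collect the 8-byte values from the debug lines, keyed by their label."""
    return {m.group(1): bytes.fromhex(m.group(2)) for m in FIELD_RE.finditer(text)}


def add_challenges(clnt_chal, srv_chal):
    """First step of Samba 3's cred_create_session_key(): add the client and
    server challenges as two little-endian 32-bit words, discarding carries."""
    c0, c1 = struct.unpack("<II", clnt_chal)
    s0, s1 = struct.unpack("<II", srv_chal)
    return struct.pack("<II", (c0 + s0) & 0xFFFFFFFF, (c1 + s1) & 0xFFFFFFFF)


def diagnose(text):
    """Return what the log lets us verify about one NETLOGON authenticate exchange."""
    fields = parse_cred_lines(text)
    needed = ("clnt_chal_in", "srv_chal_in", "clnt+srv", "challenge", "calculated")
    missing = [k for k in needed if k not in fields]
    if missing:
        return {"complete": False, "missing": missing}

    recomputed = add_challenges(fields["clnt_chal_in"], fields["srv_chal_in"])
    sum_ok = recomputed == fields["clnt+srv"]
    creds_ok = fields["challenge"] == fields["calculated"]

    if not sum_ok:
        verdict = ("logged challenge sum differs from the recomputed one; "
                   "the lines probably come from different sessions")
    elif creds_ok:
        verdict = "client credential matches the DC's calculation"
    else:
        # Same challenges on both sides, different credential: the two sides are
        # keyed with different machine password hashes, or the DC-side
        # computation itself is wrong (the case this thread turned out to be).
        verdict = ("DC calculated a different credential from the same challenges: "
                   "client and DC do not agree on the machine password hash, "
                   "or the DC-side computation is wrong")

    return {
        "complete": True,
        "sum_ok": sum_ok,
        "creds_ok": creds_ok,
        "session_key": fields.get("sess_key_out", b"").hex().upper(),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the lines above it reports sum_ok True and creds_ok False: the arithmetic the DC logged is consistent, and the failure is in the keyed part of the chain, which is where the machine password (or the DC's handling of it) comes in.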
I've done a fair amount of work on this in the current SAMBA_3_0 tree and I think this will be fixed for 3.0.22. Unfortunately the changes are too invasive for 3.0.21c, but I'd appreciate it if you could check out the SAMBA_3_0 SVN tree and test this. Thanks, Jeremy.
Ok, I'm trying today.
Ok... It seems to work with my "mother" workstation. We will retry the cloning and try with the clone station. I will update soon.

But I maybe found a bug. Now I can only access _one_ ldap server with my samba-3.22 (see the checkout rev in the previous post). The line below was working with 3.0.21b (sernet.de debian pkg):

passdb backend = ldapsam:"ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"

Now, to make samba 3.0.22-dev start, I must just put:

passdb backend = ldapsam:ldap://ldap01c.univ-avignon.fr

[UPDATE] Note: it starts without the quotes "... but do I still have redundancy? This line is working too:

passdb backend = ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr

Check debug 10 below. I compiled the svn version with:

./configure --prefix=/usr/local/stow/samba-3.0.22-dev --with-ldap --with-acl-support --with-winbind --with-ads --with-automount --with-pam --with-quotas --with-utmp --with-libsmbclient --with-smbmount --with-syslog --with-sendfile-support --with-profiling-data && make

Why?? Has the syntax changed?

# smbd -S -i -d10 -s /etc/samba/smb.conf
[..]
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:"ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr" (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=UAPV))]
smbldap_search_ext: base => [dc=univ-avignon,dc=fr], filter => [(&(objectClass=sambaDomain)(sambaDomainName=UAPV))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 1 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 2 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 3 try!
[..]
Connection to LDAP server failed for the 15 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Problem during LDAPsearch: Time limit exceeded
Query was: dc=univ-avignon,dc=fr, (&(objectClass=sambaDomain)(sambaDomainName=UAPV))
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
pdb backend ldapsam:"ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr" has a valid init
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
smbldap_search_ext: base => [dc=univ-avignon,dc=fr], filter => [(&(uid=root)(objectclass=sambaSamAccount))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 1 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 2 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
[..]
[UPDATE] the same without the quotes after ldapsam:

>> passdb backend = ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr

Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=UAPV))]
smbldap_search_ext: base => [dc=univ-avignon,dc=fr], filter => [(&(objectClass=sambaDomain)(sambaDomainName=UAPV))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr as "cn=admin, ou=ldap, dc=univ-avignon, dc=fr"
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr has a valid init
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[..]
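The two spellings of the passdb backend line in the comment above, as an added example that is neither Samba's own smb.conf parser nor anything from this thread: a small linter that reads a "passdb backend" line, accepts both the quoted form ldapsam:"uri uri" and the unquoted form ldapsam:uri uri, returns the list of LDAP URIs, and flags the quoted form because the debug output above shows the quotes reaching smb_ldap_setup_connection verbatim. It also flags a single-URI ldapsam location, since that is the configuration that lost the second server. The parsing rules (name, optional colon and location, one pair of surrounding double quotes, whitespace-separated URIs) are this example's own assumptions; the sample lines reuse the hostnames quoted above.

```python
"""Lint the 'passdb backend' line of an smb.conf (added example, not Samba code).

Assumed rules: the value is 'name' or 'name:location'; the location may be
wrapped in one pair of double quotes; an ldapsam location is a whitespace-
separated list of ldap://, ldaps:// or ldapi:// URIs.
"""
import re

PASSDB_RE = re.compile(r"^\s*passdb\s+backend\s*=\s*(.*?)\s*$", re.IGNORECASE)
URI_RE = re.compile(r'^(ldap|ldaps)://[^\s"]+$|^ldapi://')

# Constructed sample lines: the three forms tried in the comment above plus a
# non-LDAP backend and an unrelated parameter.
SAMPLE_LINES = [
    'passdb backend = ldapsam:"ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"',
    'passdb backend = ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr',
    'passdb backend = ldapsam:ldap://ldap01c.univ-avignon.fr',
    'passdb backend = tdbsam',
    'workgroup = UAPV',
]


def split_backend(value):
    """Return (backend_name, location_or_None) for a passdb backend value."""
    name, sep, location = value.partition(":")
    if not sep:
        return name.strip(), None
    return name.strip(), location.strip()


def ldap_uris(location):
    """Turn an ldapsam location into a list of URIs.

    One pair of surrounding double quotes is removed: in smb.conf it groups
    several URIs, but it must not be part of the string handed to
    ldap_initialize(), which is what the quoted debug output above shows."""
    if location is None:
        return []
    if len(location) >= 2 and location[0] == '"' and location[-1] == '"':
        location = location[1:-1]
    return location.split()


def lint_passdb_line(line):
    """Parse one smb.conf line; None if it is not a passdb backend line."""
    m = PASSDB_RE.match(line)
    if not m:
        return None
    name, location = split_backend(m.group(1))
    problems = []
    uris = []
    if name.lower() == "ldapsam" and location:
        if '"' in location:
            problems.append("quoted location: quotes may be passed verbatim to ldap_initialize()")
        uris = ldap_uris(location)
        if len(uris) < 2:
            problems.append("only one LDAP URI: no fallback server")
        for uri in uris:
            if not URI_RE.match(uri):
                problems.append("unrecognised LDAP URI: " + uri)
    return {"backend": name, "uris": uris, "problems": problems}


def lint_all(lines):
    """Lint every passdb backend line in a list of smb.conf lines."""
    results = (lint_passdb_line(line) for line in lines)
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for result in lint_all(SAMPLE_LINES):
        print(result)
```

Both ldapsam forms normalise to the same two-URI list, which is the redundancy the comment above was after; the difference the linter surfaces is only whether the quotes survive into the location string.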
John: Should we provide you RPMs for testing?
[LDAP QUOTES ERROR] For the ldapsam in the smb.conf, I tested the redundancy. It's OK. So it's just a typo change (the quotes "). Perhaps you might put a warning if you plan to release as this.

[CREDENTIALS] It seems to work for eight stations!! But we just need to put the workstation in a workgroup and then put it again in the domain. After that it's ok. I will investigate and test more next week, and maybe add some infos or close the bug. Thanks to all the samba team!
[CREDENTIAL] It seems Ok for me (50 stations are now OK).
Great - closing this out. Jeremy.