Bug 3324 - Machine Account Password Change Fails
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.21
Hardware: All Linux
Importance: P3 minor
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-12-13 13:57 UTC by John H Terpstra (mail address dead)
Modified: 2006-03-08 12:57 UTC


Attachments
BDC log file of failed machine password change attempt (628 bytes, text/plain)
2005-12-13 13:58 UTC, John H Terpstra (mail address dead)
PDC log file of failed machine password change attempt (7.52 KB, text/plain)
2005-12-13 13:59 UTC, John H Terpstra (mail address dead)

Description John H Terpstra (mail address dead) 2005-12-13 13:57:19 UTC
Network has a head office with a group of remote sites connected over a private WAN. Inter-office bandwidth is 768Kbps min, 3 Mbps max.

Head office has a PDC and 2 BDCs. Remote branches have one BDC.

The PDC is also the master LDAP server. All BDCs have replicate LDAP slaves.

LDAP replication is working flawlessly. Samba is working just as it should, except that machine password changes are failing. The machine password changes on the head office LAN randomly go to the BDCs and the PDC. In the branch offices all password changes are hitting the local BDC.

All machine account password change attempts are failing. On the BDC there is a simple error log (level 1) that says:
    creds_server_check: credentials check failed

There is no evidence that the BDC tried to contact the PDC.

When a Windows client hits the PDC to change the machine account password, the level 1 logs show LDAP access errors, as well as the credentials check error.

I am attaching logs from a remote BDC and from the PDC.

Diagnostics so far:
Figured that I should at least test/validate that this is not a basic LDAP configuration issue. I tried rejoining a machine to the domain. I captured the network traffic between a remote client and its local BDC. I also captured the resulting traffic on the PDC/master LDAP server.

The domain join works flawlessly. The BDC gets a referral from the BDC's LDAP slave, redirects to the master LDAP server and updates the machine account (creating it if not found).

I am unable to mess with the machine account password change configs on the customer site, so will have to try replicating the environment on my test network some time soon.
Comment 1 John H Terpstra (mail address dead) 2005-12-13 13:58:43 UTC
Created attachment 1615
BDC log file of failed machine password change attempt
Comment 2 John H Terpstra (mail address dead) 2005-12-13 13:59:05 UTC
Created attachment 1616
PDC log file of failed machine password change attempt
Comment 3 Guenther Deschner 2006-01-13 13:53:17 UTC
John,

At least the LDAP errors (ldapsam_get_account_policy) should be fixed with https://bugzilla.samba.org/show_bug.cgi?id=3391.

Any chance for you to test the SAMBA_3_0 branch?
Comment 4 Thomas 2006-02-16 12:25:34 UTC
I have the same problem. But it seems to depend on the Windows XP installation.

Because if I install a "fresh" XP and do the domain join during installation, it works. But if I use one of my "old" XP images (ghost), I can join the domain but after that I can't log in :(

Moreover, if I change the name of my "fresh" XP, I can (re)join the domain but after that I can't log in either. The only way I found is to put the "fresh" Windows in a WORKGROUP and afterwards put it again in the DOMAIN.

I don't really understand what's going wrong. What really are "machine credentials"? Why do we need sambaNTPassword for a workstation account?!

Error:
Workstation = bordel
[..]
Primary group is 0 and contains 0 supplementary groups
  The connection to the LDAP server was closed
  StartTLS issued: using a TLS connection
  smbldap_open_connection: connection opened
  ldap_connect_system: succesful connection to the LDAP server
  The LDAP server is succesfully connected
  init_sam_from_ldap: Entry found for user: bordel$
  Finding user bordel$
  Trying _Get_Pwnam(), username as lowercase is bordel$
  Finding user bordel$
  Trying _Get_Pwnam(), username as lowercase is bordel$
  Finding user bordel$
  Trying _Get_Pwnam(), username as lowercase is bordel$
  Finding user bordel$
  Trying _Get_Pwnam(), username as lowercase is bordel$
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
  cred_create_session_key
        clnt_chal_in: F2E95EBF58F12672
        srv_chal_in : C683D86B7A43A56A
        clnt+srv : B86D372BD234CCDC
        sess_key_out : A73B78276DC16DDF
  creds_server_check: challenge : D03877B7697CC824
  calculated: 266E0A792D7B87B2
  creds_server_check: credentials check failed.
  _net_auth2: creds_server_check failed. Rejecting auth request from client BORDEL machine account BORDEL$
  000000 net_io_r_auth_2 
          0000 data: 00 00 00 00 00 00 00 00 
          0008 neg_flags: 00000000
      000c status: NT_STATUS_ACCESS_DENIED
  api_rpcTNP: called NETLOGON successfully

[..]

I have a 3.0.21b PDC (sernet debian pkg) with a _readonly_ LDAP. I'm _not_ using smbldap scripts. I do my own LDIF and put it in. 

LDIF sample: 

dn: uid=bordel$, ou=machines, dc=univ-avignon,dc=fr
sambaPwdLastSet: 1140077623
sambaAcctFlags: [W          ]
userPassword:: 
loginShell: /bin/false
uidNumber: 5002
gidNumber: 10001
sambaPwdMustChange: 2147483647
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: account
uid: bordel$
sambaDomainName: UAPV
sambaSID: S-1-5-21-3325825249-2008933289-1582526155-11004
cn: bordel
homeDirectory: /dev/null
sambaNTPassword: CB02212AD8CFA6866C24C10084C99B0F
sambaPwdCanChange: 1140077623
sambaPrimaryGroupSID: S-1-5-21-3325825249-2008933289-1582526155-515



Comment 5 Jeremy Allison 2006-02-16 12:40:33 UTC
I've done a fair amount of work on this in the current SAMBA_3_0 tree and I think this will be fixed for 3.0.22. Unfortunately the changes are too invasive for 3.0.21c, but I'd appreciate it if you could check out the SAMBA_3_0 SVN tree and test this.
Thanks,
Jeremy.
Comment 6 Thomas 2006-02-17 01:40:04 UTC
Ok, I'm trying today. 
Comment 7 Thomas 2006-02-17 04:50:14 UTC
Ok... It seems to work with my "mother" workstation. 
We will retry the cloning. And try with the clone station.
I will update soon. 

But I may have found a bug. Now I can only access _one_ LDAP server with my samba-3.22 (see the checkout rev in the previous post).
The line below was working with 3.0.21b (sernet.de debian pkg):

    passdb backend = ldapsam:"ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
Now, to make Samba 3.0.22-dev start, I must just put:
    passdb backend = ldapsam:ldap://ldap01c.univ-avignon.fr

[UPDATE] Note: it starts without the quotes (") ... but do I still have redundancy?
This line is working too:
    passdb backend = ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr


Check debug 10 below:

I compiled the svn version with: 
./configure --prefix=/usr/local/stow/samba-3.0.22-dev --with-ldap --with-acl-support --with-winbind --with-ads --with-automount --with-pam --with-quotas  --with-utmp --with-libsmbclient --with-smbmount --with-syslog --with-sendfile-support --with-profiling-data && make

Why?? Did the syntax change?

# smbd -S -i -d10 -s /etc/samba/smb.conf
[..]
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:"ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr" (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=UAPV))]
smbldap_search_ext: base => [dc=univ-avignon,dc=fr], filter => [(&(objectClass=sambaDomain)(sambaDomainName=UAPV))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 1 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 2 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 3 try!
[..]
Connection to LDAP server failed for the 15 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Problem during LDAPsearch: Time limit exceeded
Query was: dc=univ-avignon,dc=fr, (&(objectClass=sambaDomain)(sambaDomainName=UAPV))
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
pdb backend ldapsam:"ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr" has a valid init
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
smbldap_search_ext: base => [dc=univ-avignon,dc=fr], filter => [(&(uid=root)(objectclass=sambaSamAccount))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 1 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
ldap_initialize: Time limit exceeded
Connection to LDAP server failed for the 2 try!
smb_ldap_setup_connection: "ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr"
[..]


[UPDATE] the same without the quotes after ldapsam
 >>   passdb backend = ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr

Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=UAPV))]
smbldap_search_ext: base => [dc=univ-avignon,dc=fr], filter => [(&(objectClass=sambaDomain)(sambaDomainName=UAPV))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr as "cn=admin, ou=ldap, dc=univ-avignon, dc=fr"
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://ldap01c.univ-avignon.fr ldap://ldap02c.univ-avignon.fr has a valid init
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[..]
Comment 8 Lars Müller 2006-02-17 06:54:26 UTC
John: Should we provide you RPMs for testing?
Comment 9 Thomas 2006-02-17 12:15:05 UTC
[LDAP QUOTES ERROR]

For the ldapsam in smb.conf: I tested the redundancy. It's OK.
So it's just a typo change (the quotes "). Perhaps you might put a warning if you plan to release it like this.


[CREDENTIALS]

It seems to work for eight stations!! But we just need to put the workstation in a workgroup and then put it again in the domain. After that it's OK.
I will investigate and test more next week. And maybe add some info or close the bug.

Thanks to all the Samba team!


Comment 10 Thomas 2006-03-08 12:08:15 UTC
[CREDENTIAL]

It seems Ok for me (50 stations are now OK).
Comment 11 Jeremy Allison 2006-03-08 12:57:20 UTC
Great - closing this out.
Jeremy.