Bug 7019 - Windows 7 failed to logon to Samba Domain. Credentials Check Failed
Summary: Windows 7 failed to logon to Samba Domain. Credentials Check Failed
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Domain Control
Version: 3.4.3
Hardware: x86 Windows 7
Importance: P3 major
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL: http://docs.google.com/View?id=dctqhn...
Reported: 2010-01-04 05:01 UTC by Koala Yeung
Modified: 2015-05-02 18:22 UTC

Attachments
per-machine log file show the error (82.39 KB, text/plain)
2010-01-04 05:04 UTC, Koala Yeung

Description Koala Yeung 2010-01-04 05:01:53 UTC
I have a Samba domain of Windows XP.
I tried to have a new Windows 7 PC join the Samba domain.
And I failed to logon, as any account, on that PC.
It says that either my user name or password is incorrect.

I checked my log, and this seems to be related:
------------------------------
[2010/01/04 17:49:13,  2] libsmb/credentials.c:223(netlogon_creds_server_check)
  netlogon_creds_server_check: credentials check failed.
[2010/01/04 17:49:13,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT-PC machine account CLIENT-PC$
------------------------------


You can find the full per-machine log at the URL attached.
Comment 1 Koala Yeung 2010-01-04 05:04:28 UTC
Created attachment 5116
per-machine log file show the error

To prevent Google Docs from failing us, I also attach the per-machine log-file here.
Comment 2 Andreas Matthus 2010-07-01 07:12:07 UTC
Hello,

Have you changed the registry on the Windows 7 machine?

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
            DWORD  DomainCompatibilityMode = 1
            DWORD  DNSNameResolutionRequired = 0

Have you changed the user via the button "other user" (or similar - I don't have an English Windows) to domain users?

On my installations logon is possible, but in the log files the error messages were similar:
Rejecting auth request from client CLIENT-PC machine account CLIENT-PC$

I found out that all machine names use lowercase letters in /etc/passwd and /var/lib/samba/passwd.tdb. If the same entry is in uppercase in /etc/passwd, the error messages disappear. So I created a workaround:

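First, create a file /usr/sbin/machineadd:
#!/bin/bash
# Upper-case the machine account name that Samba passes in (%u), then create the Unix account.
gross=$(echo "$*" | /usr/bin/tr a-z A-Z)
/usr/sbin/useradd -s /bin/false -d /dev/null -g 515 "$gross"

Second, change in smb.conf: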
 add machine script = /usr/sbin/machineadd %u

Hint: You must have a group 515 (Domain-Computers).
Then delete the old entries in /etc/passwd and /var/lib/samba/passwd.tdb

pdbedit -x CLIENT-PC$
userdel CLIENT-PC$

and become a domain member from the client PC side. It should create the names in capital letters and the error message disappears. I hope your login problem does too.

with regards
Andreas Matthus
Comment 3 Berni Elbourn 2010-09-09 10:55:48 UTC
Sorry to confirm that the add machine script workarounds here do not work here.

I actually had a Windows 7 Ultimate PC working in a Samba 3.4 domain earlier in the year. As of this week profiles failed to load.

The usual fix, to remove all traces of the client in the domain and re-add the client back into the domain, is failing to create a valid machine account. This is logged:

[2010/09/09 16:50:31,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client W7 machine account W7$

As such none of the users can login to the Windows 7 client with these logs:

[2010/09/09 16:52:53,  1] smbd/service.c:1063(make_connection_snum)
  w7 (::ffff:192.168.2.106) connect to service profiles initially as user elbournb (uid=1000, gid=100) (pid 14074)
[2010/09/09 16:52:53,  0] smbd/nttrans.c:2119(call_nt_transact_ioctl)
  call_nt_transact_ioctl(0x900eb): Currently not implemented.
[2010/09/09 16:52:53,  1] smbd/service.c:1063(make_connection_snum)
  w7 (::ffff:192.168.2.106) connect to service profiles initially as user w7$ (uid=1017, gid=1017) (pid 14074)
[2010/09/09 16:52:53,  1] smbd/vfs.c:932(check_reduced_name)
  reduce_name: couldn't get realpath for elbournb.V2/ntuser.ini
[2010/09/09 16:52:53,  1] smbd/vfs.c:932(check_reduced_name)
  reduce_name: couldn't get realpath for elbournb.V2/ntuser.ini
[2010/09/09 16:52:54,  1] smbd/service.c:1063(make_connection_snum)
  w7 (::ffff:192.168.2.106) connect to service elbournb initially as user elbournb (uid=1000, gid=100) (pid 14074)
[2010/09/09 16:53:04,  1] smbd/service.c:1240(close_cnum)
  w7 (::ffff:192.168.2.106) closed connection to service profiles

Samba version is 3.4.8 from Debian backports.
Comment 4 Björn Jacke 2015-05-02 18:22:54 UTC
If this does not work, this is most probably a client registry setting fault.
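
An added example, not part of the original thread and not Samba code: a small parser that tallies the _netr_ServerAuthenticate3 rejections quoted in this report per machine account, then reports whether each account's passwd entry matches exactly, differs only in case (the condition Comment 2 describes), or is missing. The function names and the passwd sample are assumptions made for the example.

```python
import re
from collections import Counter

HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s+\d+\] \S+:\d+\((\w+)\)")
REJECT = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+)")

def parse_entries(text):
    """Split a Samba log ("[date time,  level] file:line(function)" + indented text) into entries."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), m.group(2), []])
        elif entries and line.startswith("  "):
            entries[-1][2].append(line.strip())
    return [(ts, fn, " ".join(msg)) for ts, fn, msg in entries]

def rejected_machine_accounts(text):
    """Count NETLOGON authentication rejections per machine account."""
    counts = Counter()
    for _ts, fn, msg in parse_entries(text):
        m = REJECT.search(msg)
        if fn == "_netr_ServerAuthenticate3" and m:
            counts[m.group(2)] += 1
    return counts

def passwd_case_status(account, passwd_text):
    """Compare an account with passwd(5) login names: exact, case-differs or missing."""
    names = [ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ln.strip()]
    if account in names:
        return "exact"
    if account.lower() in {n.lower() for n in names}:
        return "case-differs"
    return "missing"

# Constructed sample input: log lines mirror those quoted in this report; passwd entries are made up.
SAMPLE_LOG = """\
[2010/01/04 17:49:13,  2] libsmb/credentials.c:223(netlogon_creds_server_check)
  netlogon_creds_server_check: credentials check failed.
[2010/01/04 17:49:13,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT-PC machine account CLIENT-PC$
[2010/09/09 16:50:31,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client W7 machine account W7$
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nclient-pc$:x:1016:515::/dev/null:/bin/false\n"
if __name__ == "__main__":
    for acct, n in rejected_machine_accounts(SAMPLE_LOG).items():
        print(acct, n, passwd_case_status(acct, SAMPLE_PASSWD))
```

A repeated rejection for the same machine account after a re-join is the pattern both reporters describe, so the per-account count is the figure to watch when reading a per-machine log.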