Bug 7585 - Machine account password change fails
Machine account password change fails
Status: NEW
Product: Samba 3.4
Classification: Unclassified
Component: Winbind
x86 Linux
: P3 normal
: ---
Assigned To: Michael Adam
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2010-07-26 02:38 UTC by Andreas Heinlein
Modified: 2010-07-27 02:01 UTC (History)
0 users

See Also:

Winbind log showing the problem (4.77 KB, text/plain)
2010-07-26 02:39 UTC, Andreas Heinlein
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Heinlein 2010-07-26 02:38:37 UTC
I posted my problem of clients loosing their domain membership a couple
of days ago on the mailing list, but got no answer. I now could track it down to a problem with machine password changes in the domain. When a client changes its machine account password, it loses domain connection afterwards, i.e. 'net rpc testjoin' gives NT_STATUS_ACCESS_DENIED.

I have attached a winbind log which shows the problem; it first says
"Changed password", then immediately afterwards the connection fails. I
did a tcpdump which showed pretty much the same; first a successful
password change and then a login failure. I have no idea how to debug
this further. I can provide the tcpdump capture if neccessary.

Clients are using Ubuntu 10.04 with samba 3.4.7 and Linux 2.6.32; Server
is Debian 5.0 with samba 3.2.5 and Linux 2.6.26. PDC is configured to
use LDAP as passdb backend, this is also the UNIX user db for both
server and clients (using libnss-ldap/libpam-ldap).
Comment 1 Andreas Heinlein 2010-07-26 02:39:21 UTC
Created attachment 5865 [details]
Winbind log showing the problem
Comment 2 Björn Jacke 2010-07-26 09:52:57 UTC
I think this is bug 6998. You might need to update the DC to a newer Samba release. Can you test if that cures your problems?
Comment 3 Andreas Heinlein 2010-07-27 02:01:17 UTC
As I understand bug 6998, the problem occurs if the clients are < 3.4 while the DC is at 3.4 or above. In our case, it's the other way round. I also thought the debian team would most likely backport all important fixes, but I will give 3.4.8 from lenny-backports a try.