I posted my problem of clients loosing their domain membership a couple
of days ago on the mailing list, but got no answer. I now could track it down to a problem with machine password changes in the domain. When a client changes its machine account password, it loses domain connection afterwards, i.e. 'net rpc testjoin' gives NT_STATUS_ACCESS_DENIED.
I have attached a winbind log which shows the problem; it first says
"Changed password", then immediately afterwards the connection fails. I
did a tcpdump which showed pretty much the same; first a successful
password change and then a login failure. I have no idea how to debug
this further. I can provide the tcpdump capture if neccessary.
Clients are using Ubuntu 10.04 with samba 3.4.7 and Linux 2.6.32; Server
is Debian 5.0 with samba 3.2.5 and Linux 2.6.26. PDC is configured to
use LDAP as passdb backend, this is also the UNIX user db for both
server and clients (using libnss-ldap/libpam-ldap).
Created attachment 5865 [details]
Winbind log showing the problem
I think this is bug 6998. You might need to update the DC to a newer Samba release. Can you test if that cures your problems?
As I understand bug 6998, the problem occurs if the clients are < 3.4 while the DC is at 3.4 or above. In our case, it's the other way round. I also thought the debian team would most likely backport all important fixes, but I will give 3.4.8 from lenny-backports a try.