Bug 7678 - Reject auth request from machine account & Windows 7
Reject auth request from machine account & Windows 7
Status: NEEDINFO
Product: Samba 3.5
Classification: Unclassified
Component: Domain Control
3.5.4
x64 Windows 7
: P3 normal
: ---
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-13 11:28 UTC by Martin Hochreiter
Modified: 2012-02-07 10:51 UTC (History)
3 users (show)

See Also:


Attachments
Log level 256 samba.log (276.94 KB, application/x-rar)
2010-10-11 07:59 UTC, Martin Hochreiter
no flags Details
Log 10 level when joining to domain (92.54 KB, application/x-gzip)
2011-02-02 05:21 UTC, olaf
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Hochreiter 2010-09-13 11:28:52 UTC
Hi!

As the help of the samba mailing list does not lead to anything, and everything
I tried to troubleshoot was not sucessfully - I do file a bug here:

I am using Ubuntu 8.04.4 with samba 3.5.4 and ldap as backend.

If a windows 7 machine (with the registry entries according the samba - windows 7 wiki) joins the domain, the domain controller refuses the machine account every logon of a domain user:

netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client XXX machine account XXX$

The machine accounts are visible on the linux host (getent passwd) and as
add machine scripts I am using the smbldap-tools.

Windows XP does not show that behaviour.

Maybe I can find some more help here.

regards
Martin
Comment 1 Szombathelyi György 2010-09-24 03:00:37 UTC
Probably 3447 and this are the same
Comment 2 Martin Hochreiter 2010-09-24 03:53:38 UTC
(In reply to comment #1)
> Probably 3447 and this are the same
> 

Sounds quit similar, I monitor both further, but I am missing kind of reaction from the developers here

regards
Comment 3 Martin Hochreiter 2010-10-11 07:59:05 UTC
Created attachment 6008 [details]
Log level 256 samba.log

I did a log level 256 - login with samba 3.5.5 and windows 7 

Please find the log attached and have a look at it
Comment 4 olaf 2011-02-02 05:21:29 UTC
Created attachment 6243 [details]
Log 10 level when joining to domain

Log level 10 for adding Windows 7 to domain
Comment 5 olaf 2011-02-02 05:23:00 UTC
I have the same problem when joining to domain with Win 7.
Windows 2000 and XP join OK.
The attachment added above.
Comment 6 Volker Lendecke 2011-02-02 09:59:46 UTC
Very likely this is a dup of bug 7743. Can you try the patch in there? 

https://bugzilla.samba.org/attachment.cgi?id=6027&action=view

3.5.7 with this patch will be released very soon, you might consider waiting.

Volker
Comment 7 olaf 2011-02-10 03:45:52 UTC
I'll wait for 3.5.7. 
Comment 8 Martin Hochreiter 2011-03-14 14:01:41 UTC
I tested 3.5.8 today and I still see the reject errors.
I tried to manually drop a machine out of the domain and join the domain again ... still the same "reject messages"

regards
Martin
Comment 9 Guenther Deschner 2011-05-18 13:19:59 UTC
Wait, are you seeing the failure just in the logs (which is normal, as win7 asks for AES keys in the first place, we deny, client retries with different flags) OR is there a real failure in win7 domain membership ?
Comment 10 olaf 2011-05-20 11:41:52 UTC
(In reply to comment #9)
> Wait, are you seeing the failure just in the logs (which is normal, as win7
> asks for AES keys in the first place, we deny, client retries with different
> flags) OR is there a real failure in win7 domain membership ?

In my case, I think it is the former. I was not testing it much.
Anyway, I think I'll have to move to samba 4 :)

Regards,

Olaf
Comment 11 Martin Hochreiter 2011-05-20 11:53:13 UTC
(In reply to comment #9)
> Wait, are you seeing the failure just in the logs (which is normal, as win7
> asks for AES keys in the first place, we deny, client retries with different
> flags) OR is there a real failure in win7 domain membership ?

Hi Günther!

As I said in my first description only windows 7 machines are affected.
It makes no troubles except that win7 machines are not able to change their machine password with samba 3.5.xx

regards
Comment 12 sascha 2012-02-07 10:51:26 UTC
Hi,

it´s an old bug but i thought it might help others to say that in my case
there was a corrupted tdb in /var/cache/samba. we had a server crash so i guess
one of them got corrupted. 
i moved: login_cache.tdb, netsamlogon_cache.tdb and winbindd_cache.tdb restarted
samba and winbind and was able to login with my win7 x64 latest patches as of 
feb. 07 2012. i did not invesigate further, but the first file that was created
upon login was login_cache.tdb so maybe it´s sufficient to delete or move only
this one. but the logs say "netlogon_creds_server_check failed. Rejecting auth request from client xxx machine account xxx$" so netsamlogon_cache.tdb could be
the problem as well.

cheers,
sascha

ps: specs: ubuntu 10.4 with 3.4.7~dfsg-1ubuntu3.8 and ldap backend. windows
7 x64 was able to join domain but not to login with any domain-account.