Collen Blijenberg
2007-Feb-28 13:04 UTC
[Samba] samba problems. accounts expire after a hour, but work after reset
Hello

I'm having some strange problems with samba 3.0.23d (PDC) on my FC6.
if i start samba, everything works fine, but after an hour or so (sometimes 2 hours if there is not much traffic) machines and user accounts start expiring.
i don't know why, but it is ?! after i do a restart, samba comes up and works again.
i checked the mysql server (coz' i use pdb-sql as backend) but the sql queries get executed and values are returned. (even if goes into bug-mode) so that part works ok!, all i can think of is that tdb files get corrupted ??

the funny part is that i also have a BDC running the same samba version and sql version, and that one has no probs at all (only the smb.conf is different and the netbios name) but on the counter part, the bdc isn't really doing anything, it's not serving shares or printers actively..

some input would be nice, coz' i really have no idea where to look... ???

Thx, Collen

I get errors like these:
---------------------------
[2007/02/27 09:48:26, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/02/27 09:48:26, 5] auth/auth_util.c:is_trusted_domain(2020)
  is_trusted_domain: Checking for domain trust with [JORDANET]
[2007/02/27 09:48:26, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(340)
  secrets_fetch failed!
[2007/02/27 09:48:26, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/02/27 09:48:26, 10] lib/gencache.c:gencache_get(329)
  Cache entry with key = TDOM/JORDANET couldn't be found
[2007/02/27 09:48:26, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain JORDANET found.
[2007/02/27 09:48:26, 5] auth/auth_util.c:make_user_info(75)
  attempting to make a user_info for ()
[2007/02/27 09:48:26, 5] auth/auth_util.c:make_user_info(85)
  making strings for 's user_info struct
==================
[2007/02/27 09:48:42, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2007/02/27 09:48:42, 0] rpc_server/srv_netlog_nt.c:get_md4pw(258)
  get_md4pw: Workstation C6-2$: account is not a trust account
[2007/02/27 09:48:42, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account C6-2$: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2007/02/27 09:48:42, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 net_io_r_auth_2
========================
[2007/02/27 12:09:16, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user [JORDANET]\[ralph]@[D8-1] with the new password interface
[2007/02/27 12:09:16, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password: mapped user is: [JORDANET]\[ralph]@[D8-1]
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/02/27 12:09:16, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/02/27 12:09:16, 2] pdb_mysql.c:mysqlsam_select_by_field(292)
  Executing query SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,logon_divs,hours_len,bad_password_count,logon_count,unknown_6,logon_hours,password_history FROM user WHERE username = 'ralph'
[2007/02/27 12:09:16, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 1001 -> S-1-5-21-1968991162-2130249723-1959552931-513
[2007/02/27 12:09:16, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 1001 -> S-1-5-21-1968991162-2130249723-1959552931-513
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/02/27 12:09:16, 3] libsmb/ntlm_check.c:ntlm_password_check(344)
  ntlm_password_check: NT MD4 password check failed for user lldummanne
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/02/27 12:09:16, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/02/27 12:09:16, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/02/27 12:09:16, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/02/27 12:09:16, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [JORDANET] was for this SAM.
[2007/02/27 12:09:16, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [ralph] -> [ralph] FAILED with error NT_STATUS_WRONG_PASSWORD
[2007/02/27 12:09:16, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
------------------

smb.conf:
-----------
# Global parameters
[global]
workgroup = Jordanet
server string
netbios name = STATLER
netbios aliases = HERMES
interfaces = 192.168.2.2
bind interfaces only = yes
# socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
# socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
socket options = TCP_NODELAY
name resolve order = wins host bcast
security = user
preferred master = yes
domain master = yes
domain logons = Yes
local master = yes
os level = 66
map to guest = Never
encrypt passwords = yes
update encrypted = no
obey pam restrictions = no
pam password change = no
unix password sync = no
null passwords = no
wins support = yes
dns proxy = no
host msdfs = NO
msdfs root = NO
syslog = 0
log level = 3
log file = /usr/local/samba/var/samba.log
deadtime = 30
kernel oplocks = no
locking = no
oplocks = no
level2 oplocks = no
posix locking = no
strict locking = no
time server = yes
admin users = root, collen, admin
utmp directory = /var/run
wtmp directory = /var/log
utmp = yes
#---------------------------------------------------------
guest account = nobody
passdb backend = mysql:mysql
mysql:mysql host = 192.168.2.2
mysql:mysql user = samba
mysql:mysql password = <NOT-HERE>
mysql:mysql database = samba
idmap uid = 10000-15000
idmap gid = 10000-15000
#-----------------------------------------------------------------------------
add user script = /usr/local/samba/scripts/user_add %u 1>> /usr/local/samba/scripts/debug.txt 2>> /usr/local/samba/scripts/debug.txt
delete user script = /usr/local/samba/scripts/user_del %u
add group script = /usr/local/samba/scripts/group_add %g %u %U
delete group script = /usr/local/samba/scripts/group_del %g
add user to group script = /usr/local/samba/scripts/member_add %u %g
delete user from group script = /usr/local/samba/scripts/member_del %u %g 1>> /usr/local/samba/scripts/debug.txt 2>> /usr/local/samba/scripts/debug.txt
set primary group script = /usr/local/samba/scripts/prim_mem %g %u %U
add machine script = /usr/local/samba/scripts/machine_add %u 1>> /usr/local/samba/scripts/log/mach.txt 2>> /usr/local/samba/scripts/log/mach.txt
shutdown script = /usr/local/samba/scripts/user
abort shutdown script = /usr/local/samba/scripts/user
dfree command = /usr/local/samba/scripts/dfree %U 1>> /usr/local/samba/var/debug.txt
#--------------- PRINTER ---------------------------------
printing = bsd
print command = /usr/local/samba/scripts/printcmd %p %s %u %m %c 1>> /usr/local/samba/var/print.txt 2>> /usr/local/samba/var/debug.txt
#------------------------------------------------

[admin]
path = /Jordanet/homes/medewerkers/admin
comment = "Home Directory Admin"
read only = No
browseable = No
public = no
admin users = root, collen,admin

[mlhj]
path = /Jordanet/homes/medewerkers/mlhj
comment = "Home Directory mlhj"
read only = No
browseable = No
public = no
inherit permissions = yes
admin users = root, collen, admin, mlhj
#------------------------------------------------

[homes]
comment = "Home Directory for %U"
read only = No
browseable = No
public = no
guest ok = no
veto files = /*.exe/*.EXE/*.com/*.COM/*.bat/*.BAT/*.vbs/*.VBS/*.js/*.JS/*.pif/*.PIF/*.lnk/*.LNK/*.nfo/*.NFO/*.scr/*.SCR/*.msi/*.MSI/*.cmd/*.CMD/
inherit permissions = yes
inherit acls = yes

[netlogon]
comment = "Netlogon Share"
path = /Jordanet/NETLOGON
Guest ok = yes
writable = no
share modes = no

[Jordanet]
comment = "Admin"
path = /Jordanet
public = yes
browseable = no
writable = yes
valid users = root, collen, admin
nt acl support = yes
create mode = 0670
directory mode = 0770
inherit permissions = yes
inherit acls = yes

[profiles]
comment = "desktops"
path = /Jordanet/profiles
public = yes
read only = no
browseable = yes
writable = yes
csc policy = disable
hide files = /*desktop.ini*/
profile acls = yes
inherit permissions = no
inherit acls = no

[aurawin]
comment = "aura share"
path = /Jordanet/aurawin
public = yes
browseable = yes
writable = yes
hide files = /*aurawin*/

[updates]
comment = "MLHJ Updates"
path = /Jordanet/updates
public = yes
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

-- end
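
Added example, not part of the original thread: a small Python triage script for the smbd log format quoted in the post above. It splits Samba 3.x log text into entries even when the line breaks have been lost, as in this archive, and reports when each NT_STATUS code first appears and which code path logged it. The sample entries are copied from the post; the function names are illustrative.

```python
import re
from datetime import datetime

# Samba 3.x entry header: "[date time, level] file.c:function(line)"
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+?)\((\d+)\)")
STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")

# Sample entries copied from the post above: two in Samba's native
# two-line layout, two run together on one line as in this archive.
SAMPLE = r"""[2007/02/27 09:48:42, 0] rpc_server/srv_netlog_nt.c:get_md4pw(258)
  get_md4pw: Workstation C6-2$: account is not a trust account
[2007/02/27 09:48:42, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account C6-2$: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2007/02/27 12:09:16, 2] auth/auth.c:check_ntlm_password(319) check_ntlm_password: Authentication for user [ralph] -> [ralph] FAILED with error NT_STATUS_WRONG_PASSWORD [2007/02/27 12:09:16, 3] smbd/error.c:error_packet(146) error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

def parse_entries(text):
    """Split log text into entries, whether or not line breaks survived."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        # An entry's message runs up to the next header (or end of text).
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "time": datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S"),
            "level": int(h.group(2)),
            "source": h.group(3),
            "message": " ".join(text[h.end():end].split()),
        })
    return entries

def status_timeline(entries):
    """Map each NT_STATUS code to first-seen time, count and log sources."""
    seen = {}
    for e in entries:
        for code in STATUS.findall(e["message"]):
            rec = seen.setdefault(
                code, {"first": e["time"], "count": 0, "sources": set()})
            rec["count"] += 1
            rec["sources"].add(e["source"])
    return seen

if __name__ == "__main__":
    for code, rec in status_timeline(parse_entries(SAMPLE)).items():
        print(rec["first"], rec["count"], code, sorted(rec["sources"]))
```
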
Felipe Augusto van de Wiel
2007-Mar-01 15:03 UTC
[Samba] samba problems. accounts expire after a hour, but work after reset
On 02/28/2007 10:11 AM, Collen Blijenberg wrote:
> Hello I'm having some strange problems with samba 3.0.23d
> (PDC) on my FC6

Hi Collen!

> if i start samba, everything works fine, but after an hour
> or so (sometimes 2 hours if there is not much traffic)
> machines and user accounts start expiring.
> i don't know why, but it is ?! after i do a restart, samba
> comes up and works again.
> i checked the mysql server (coz' i use pdb-sql as backend)
> but the sql queries get executed and values are returned.
> (even if goes into bug-mode) so that part works ok!, all i
> can think of is that tdb files get corrupted ??

That's strange. Are you using Policy for your domain? Like the length of the password, time before user can change password and so on.

> the funny part is that i also have a BDC running the same
> samba version and sql version, and that one has no probs
> at all (only the smb.conf is different and the netbios name)
> but on the counter part, the bdc isn't really doing anything,
> it's not serving shares or printers actively..
>
> some input would be nice, coz' i really have no idea where
> to look... ???

Can you provide logs when your server is working? That could help diagnose the problem.

Kind regards,
-- 
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
Collen Blijenberg
2007-Mar-12 13:53 UTC
[Samba] samba problems. accounts expire after a hour, but work after reset
Hi Edmundo,

the main problem we have here, is that all out of the blue, the samba PDC and BDC are giving errors. like TRUST DOMAIN FAILED, or USER AUTH FAILED, MACHINE HAS NO ACCOUNT. things like that.
but the funny part is, there is no reason for the servers to do that, they run for a few hours (sometimes a day) and then start spitting out these errors.

after resetting the PDC, all turns back to normal. and those errors go away, and samba functions as it should. but then after a while, it's back to the errors again.

we do use however the pdb-sql backend for storing the usernames and all... in that period of errors the sql gets queried. so the backend does work. and i can't find any errors generated from the sql backend. also the sql server is accessible in those error times. (we use it for nss-mysql as well)

so either the migration part went wrong (the sid <> uid part +1000), or samba has a serious bug in the passwd plugin backend ??

the winbindd part is for some other servers in the domain.

our domain is only accessible for domain accounts, so no guests or other accounts here. also all machines have registered to the domain, no anonymous accounts and all.

it's really driving me crazy this bug.

cheers Collen

Edmundo Valle Neto wrote:
> Collen Blijenberg wrote:
>> Hmm.. just a few last questions.
>>
>> the bug came back the other day, after i fired up some machine that
>> uses winbindd for apache authentication.
>> (no smb processes here). downside is that it's winbindd from samba
>> 3.0.11.
>> winbindd from samba 3.0.24 has some strange issues with that machine,
>> for every page it starts re authing again
>> resulting in asking username and password again, and again and again
>> and .........
>> i think the problem might be there.
>
> Sorry, I don't use winbind.
>
>>
>> the part i don't get is the 'resolve unmapped account' ??
>> how can you have unmapped accounts ?? isn't it so that all
>> account that don't have entries in the user database (or machine)
>> are rejected ?? so don't need any auth at all ?
>
> I ever used LDAP, so, for me the scripts ever creates all needed
> stuff. But some parts of the documentation makes mention of the
> algorithmic rid being used on groups that wasn't mapped by "net
> groupmap" for example.
>
>>
>> so basically, i can leave the old sid's and posix uid alone, but need
>> to monitor the sid and uid
>> when creating new users and machines, coz they can collide with the
>> existing not standard uid and sid's .
>
> If you changed the ids as you said in the last e-mail that collisions
> must not happens.
>
>> great, back to debugging again... thx for da input.
>>
>> Collen
>
> I didn't understood very well whats your problem, you said in the
> first e-mail that accounts keep expiring. All them? Clients get some
> strange return error after some time? When that happens listing
> shares in the server shell with an user "smbclient -L \\servername
> -Usomeuser%password" or anonymously "smbclient -L localhost -U%" at
> least works?
>
>
> Regards.
>
> Edmundo Valle Neto
>