Hello all,

I've got Samba 3.0.24-6etch4 (Debian revision) running on a production server which acts as a PDC for a network of some Windows XP clients (around 250).

For some time (I am not able to determine exactly since when) I have had a strange problem: some clients are banned from my domain. The only solution I found is to reintroduce the clients into the domain. Once hosts have rejoined the domain, everything seems fine, except that some weeks later the same problem arises again and again.

After having reread the fantastic manual I did not find any explanation. I have googled a lot (try googling the sentence "_net_auth2: creds_server_check failed. Rejecting auth request from client" for instance) and I see I am not the only one to get this kind of trouble, but no solution seems to be available, or at least stored on the net.

I do not understand where the problem comes from, and what the solution is (I did not find anything useful in the documentation). Could you point me in the right direction? My current solution, which consists of reintegrating the machines into the domain, is not very funny since I have more than 250 different XP boxes :-(

I attach my smb.conf file as well as a log entry which seems to appear when the problem begins, in case it can help.

Thanks for any help ...

------------------------------------------------------------------------------
[2007/11/05 09:48:35, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client XPCOMPLET machine account XPCOMPLET$
------------------------------------------------------------------------------
##############################################################################
#
# Conventions used:
#
#   * We use:
#       * 'read only' and not 'writeable'
#       * 'browseable' and not 'browsable'
#
#   * All shares must explicitly have values, in this order,
#     for the options:
#       * 'comment'
#       * 'path'
#       * 'read only'
#       * 'browseable'
#
##############################################################################

##############################################################################
#
# Global variables
#
##############################################################################
[global]
    security = user

    #
    # Identification
    #
    netbios name = ORANGER
    workgroup = IUT_INFO_ENS
    server string = Controleur du domaine IUT_INFO_ENS

    #
    # NetBIOS naming
    #
    os level = 254
    preferred master = yes
    domain master = yes
    local master = yes
    wins support = yes

    #
    # Time
    #
    time server = yes

    #
    # Password management
    #
    enable privileges = yes
    encrypt passwords = true
    passdb backend = tdbsam:/srv/samba/passdb.tdb
    #OFF# unix password sync = yes
    #OFF# passwd program = /srv/sbin/nispasswd --user %u
    passwd chat ="New password:" %n\n
    #OFF# add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    # Machine passwords are changed every 50 years (for the local machine)
    machine password timeout = 1572480000
    #OFF# min password length = 4

    #
    # Logging
    #
    debug level = 1
    syslog = 0
    max log size = 500000
    panic action = /usr/share/samba/panic-action %d

    #
    # Domain logon support
    #
    domain logons = yes
    logon drive = z:
    # TODO: check that this logon path works
    logon path = \\oranger\profiles
    #OFF# logon script =

##############################################################################
#
# Windows logon and profiles
#
##############################################################################
[netlogon]
    comment = Connexion SMB
    path = /srv/samba/netlogon
    read only = yes
    browseable = yes
    write list = @sysadmin

[profiles]
    comment = Stockage des profiles
    path = /baie/home/%G/%U/.windows
    read only = no
    browseable = no
    create mask = 0600
    directory mask = 0700

##############################################################################
#
# User directories
#
##############################################################################
[homes]
    comment = Donnees de %U
    path = /baie/home/%G/%U
    read only = no
    browseable = yes

##############################################################################
#
# Other shares
#
##############################################################################
[public]
    comment = Espace de partage
    path = /baie/home/public
    read only = no
    browseable = yes
    guest ok = yes
    write list = @sysadmin, @infoens, @infoext

[logiciels]
    comment = Installations des logiciels
    path = /baie/admin/logiciels
    read only = no
    browseable = yes
    guest ok = no
    write list = @sysadmin
    force create mode = 0770
    force directory mode = 02770

[pilotes]
    comment = Pilotes de périphériques
    path = /baie/admin/logiciels/pilotes
    read only = yes
    browseable = yes
    guest ok = no
##############################################################################
------------------------------------------------------------------------------

--
Dr Bruno Beaufils    bruno.beaufils@lifl.fr - http://www.lifl.fr/~beaufils
Universite des Sciences et Technologies de Lille
LIFL - UMR CNRS/USTL 8022 - Tel +33 3 20 43 45 04 - Fax +33 3 28 77 85 37
IUT "A" - Dpt Informatique
------------------------------------------------------------------------------
CNRS CA : http://igc.services.cnrs.fr/Doc/General/trust.html
CRU CA  : http://igc.cru.fr/trust.html
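The rejection entry quoted in the message above names the affected machine account, so the server log itself can show which clients have lost their secure channel and when it started. The following is an added example, not part of the original thread or of Samba, that groups these entries by machine account; every sample entry after the first is constructed, and the function name is an assumption of this example.

```python
import re
from datetime import datetime

# Sample log: the first entry is the one quoted in the post; the others are
# constructed in the same layout (header line, then indented message text).
SAMPLE_LOG = """\
[2007/11/05 09:48:35, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client XPCOMPLET machine account XPCOMPLET$
[2007/11/05 09:50:02, 1] smbd/service.c:make_connection_snum(1033)
  host-a (192.0.2.10) connect to service homes initially as user alice (uid=1000, gid=100) (pid 4242)
[2007/11/06 08:01:12, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth
  request from client XPCOMPLET machine account XPCOMPLET$
[2007/11/06 08:03:40, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client HOST-B machine account HOST-B$
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] ")
REJECT = re.compile(r"creds_server_check failed\. Rejecting auth request "
                    r"from client (\S+) machine account (\S+)")

def rejected_accounts(log_text):
    """Return {machine_account: {"client", "count", "first", "last"}}."""
    # Regroup lines into entries: a header line opens an entry and the lines
    # that follow (the message may be wrapped) are appended to its text.
    entries = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([when, ""])
        elif entries:
            entries[-1][1] += " " + line.strip()
    report = {}
    for when, message in entries:
        m = REJECT.search(message)
        if not m:
            continue  # unrelated entry
        client, account = m.groups()
        rec = report.setdefault(account, {"client": client, "count": 0,
                                          "first": when, "last": when})
        rec["count"] += 1
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
    return report

if __name__ == "__main__":
    for account, rec in sorted(rejected_accounts(SAMPLE_LOG).items()):
        print(f"{account:<16} {rec['count']:>3}  {rec['first']}  ->  {rec['last']}")
```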
Bruno BEAUFILS
2008-Apr-09 10:08 UTC
{Filename?} Re: [Samba] Hosts leaving domain without reasons...
On Tue, Apr 08, 2008 at 02:18:56PM -0500, Ivan Arteaga wrote:
> Hello Bruno,
>
> Unfortunately I am not writing you to tell you how to get rid of this
> problem, in fact I am having the same problem and I was wondering if you
> already fixed it. I have searched every possible forum on the net and no
> fix. In the list I see no one answered your query.
>
> I will appreciate your comments.

We changed the value of some keys in the registry of our Windows XP Pro clients. Just for information, these clients are just VMware images; it is thus easy for us to change that, after modifying the image, on all hosts quickly with the help of udpcast [1].

Here are the keys before our modification...

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage: 0x0000001E (30 days)

...and after:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage: 0x000003E7 (999 days)

I copy the content of a reg file into this mail (our mailserver does not want to send *.reg files), which you just have to merge with the registry on your clients to fix those keys.

--8<--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"maximumpasswordage"=dword:000003e7
"requiresignorseal"=dword:00000001
"requirestrongkey"=dword:00000000
"sealsecurechannel"=dword:00000001
"signsecurechannel"=dword:00000001
"Update"="no"
-->8--------------------------------------------------------------------------

Hope it will help you.

[1] http://udpcast.linux.lu/

--
Bruno Beaufils