Hello all,
I've got Samba 3.0.24-6etch4 (Debian revision) running on a production server
which acts as a PDC for a network of some Windows XP clients (around 250).
For some time (I am not able to determine exactly since when) I have had a strange
problem arising: some clients are banned from my domain. The only solution I
found is to reintroduce the clients into the domain. Once hosts have rejoined
the domain, everything seems fine except that some weeks later, the same
problem arises again and again.
After having reread the fantastic manual I did not find any explanation. I
have googled a lot (try googling the sentence "_net_auth2: creds_server_check
failed. Rejecting auth request from client" for instance) and see I am not the
only one to get this kind of trouble but no solution seems to be available, or
at least stored on the net.
I do not understand where the problem comes from, and what the solution is (I
did not find anything useful in the documentation). Could you point me
in the right direction?
My current solution, which consists of reintegrating the machines into the
domain, is not much fun since I have more than 250 different XP boxes :-(
I attach my smb.conf file as well as a log entry which seems to appear
when the problem begins, in case it can help.
Thanks for any help ...
------------------------------------------------------------------------------
[2007/11/05 09:48:35, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from client
XPCOMPLET machine account XPCOMPLET$
------------------------------------------------------------------------------
##############################################################################
#
# Conventions used:
#
# * We use:
# * 'read only' and not 'writeable'
# * 'browseable' and not 'browsable'
#
# * All shares must explicitly set values, in this order,
# for the options:
# * 'comment'
# * 'path'
# * 'read only'
# * 'browseable'
#
##############################################################################
##############################################################################
#
# Global variables
#
##############################################################################
[global]
security = user
#
# Identification
#
netbios name = ORANGER
workgroup = IUT_INFO_ENS
server string = Controleur du domaine IUT_INFO_ENS
#
# NetBIOS naming
#
os level = 254
preferred master = yes
domain master = yes
local master = yes
wins support = yes
#
# Time
#
time server = yes
#
# Password management
#
enable privileges = yes
encrypt passwords = true
passdb backend = tdbsam:/srv/samba/passdb.tdb
#OFF# unix password sync = yes
#OFF# passwd program = /srv/sbin/nispasswd --user %u
passwd chat ="New password:" %n\n
#OFF# add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
# Machine passwords are changed every 50 years (for the local machine)
machine password timeout = 1572480000
#OFF# min password length = 4
#
# Logging
#
debug level = 1
syslog = 0
max log size = 500000
panic action = /usr/share/samba/panic-action %d
#
# Domain logon support
#
domain logons = yes
logon drive = z:
# TODO: check that this logon path works
logon path = \\oranger\profiles
#OFF# logon script =
##############################################################################
#
# Windows logon and profiles
#
##############################################################################
[netlogon]
comment = Connexion SMB
path = /srv/samba/netlogon
read only = yes
browseable = yes
write list = @sysadmin
[profiles]
comment = Stockage des profiles
path = /baie/home/%G/%U/.windows
read only = no
browseable = no
create mask = 0600
directory mask = 0700
##############################################################################
#
# User home directories
#
##############################################################################
[homes]
comment = Donnees de %U
path = /baie/home/%G/%U
read only = no
browseable = yes
##############################################################################
#
# Other shares
#
##############################################################################
[public]
comment = Espace de partage
path = /baie/home/public
read only = no
browseable = yes
guest ok = yes
write list = @sysadmin, @infoens, @infoext
[logiciels]
comment = Installations des logiciels
path = /baie/admin/logiciels
read only = no
browseable = yes
guest ok = no
write list = @sysadmin
force create mode = 0770
force directory mode = 02770
[pilotes]
comment = Pilotes de périphériques
path = /baie/admin/logiciels/pilotes
read only = yes
browseable = yes
guest ok = no
##############################################################################
------------------------------------------------------------------------------
--
Dr Bruno Beaufils
bruno.beaufils@lifl.fr - http://www.lifl.fr/~beaufils
Universite des Sciences et Technologies de Lille
LIFL - UMR CNRS/USTL 8022 - Tel +33 3 20 43 45 04 - Fax +33 3 28 77 85 37
IUT "A" - Dpt Informatique
------------------------------------------------------------------------------
CNRS CA : http://igc.services.cnrs.fr/Doc/General/trust.html
CRU CA : http://igc.cru.fr/trust.html
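
Added example, not part of the original mail: with around 250 clients, one way to see which machine accounts are being rejected, and on which days, is to scan the smbd log for the message quoted above. The sample log is constructed around the entry from the post; the client name XPLAB07 and the other entries are made up.

```python
import re
from collections import defaultdict

# Header line that starts a Samba 3 log entry: "[YYYY/MM/DD HH:MM:SS, level] ..."
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}), *\d+\]")
# Message text taken from the log entry quoted in the post.
REJECT = re.compile(
    r"creds_server_check failed\. Rejecting auth request from client "
    r"(\S+) machine account (\S+)"
)

def entries(lines):
    """Yield (date, time, message) per log entry, joining wrapped message lines."""
    stamp, body = None, []
    for line in lines:
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp[0], stamp[1], " ".join(body)
            stamp, body = (m.group(1), m.group(2)), []
        elif stamp and line.strip():
            body.append(line.strip())
    if stamp:
        yield stamp[0], stamp[1], " ".join(body)

def rejected_accounts(lines):
    """Map machine account -> sorted list of dates on which its auth was rejected."""
    seen = defaultdict(set)
    for date, _time, message in entries(lines):
        m = REJECT.search(message)
        if m:
            seen[m.group(2)].add(date)
    return {account: sorted(dates) for account, dates in seen.items()}

# Constructed sample: the first entry is the one from the post (wrapped as in the
# archive); the remaining entries and the client XPLAB07 are made up.
SAMPLE_LOG = """\
[2007/11/05 09:48:35, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client
  XPCOMPLET machine account XPCOMPLET$
[2007/11/05 09:50:02, 1] smbd/service.c:make_connection_snum(950)
  xplab07 (192.0.2.17) connect to service netlogon initially as user alice
[2007/11/06 08:01:10, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client XPLAB07 machine account XPLAB07$
[2007/11/07 08:03:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client XPCOMPLET machine account XPCOMPLET$
""".splitlines()

if __name__ == "__main__":
    for account, dates in sorted(rejected_accounts(SAMPLE_LOG).items()):
        print(f"{account}: rejected on {', '.join(dates)}")
```
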
Bruno BEAUFILS
2008-Apr-09 10:08 UTC
{Filename?} Re: [Samba] Hosts leaving domain without reasons...
On Tue, Apr 08, 2008 at 02:18:56PM -0500, Ivan Arteaga wrote:
> Hello Bruno,
>
> Unfortunately I am not writing you to tell you how to get rid of this
> problem, in fact I am having the same problem and I was wondering if you
> already fixed it. I have searched every possible forum on the net and no
> fix. On the list I see no one answered your query.
>
> I will appreciate your comments.

We changed the value of some keys in the registry of our Windows XP Pro
clients. Just for information, these clients are just VMware images; it is
thus easy for us to change that, after modifying the image, on all hosts
quickly with the help of udpcast [1].

Here are the keys before our modification...

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage: 0x0000001E (30 days)

...and after:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage: 0x0000003E7 (999 days)

I copy the content of a reg file into this mail (our mail server does not
want to send *.reg files) which you just have to merge with the registry on
your clients to fix those keys.

--8<--------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"maximumpasswordage"=dword:000003e7
"requiresignorseal"=dword:00000001
"requirestrongkey"=dword:00000000
"sealsecurechannel"=dword:00000001
"signsecurechannel"=dword:00000001
"Update"="no"
-->8--------------------------------------------------------------------------

Hope it will help you.

[1] http://udpcast.linux.lu/

--
Bruno Beaufils
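
Added example, not part of the original mail: a small Python parser for the .reg text in the reply that lists which Netlogon values the merge changes relative to the "before" state given there, which is useful when reviewing such a file before pushing it to a fleet. Only the two "before" values stated in the mail are used as the baseline; the function names are illustrative.

```python
import re

# The .reg text from the reply, reproduced here as sample input.
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"maximumpasswordage"=dword:000003e7
"requiresignorseal"=dword:00000001
"requirestrongkey"=dword:00000000
"sealsecurechannel"=dword:00000001
"signsecurechannel"=dword:00000001
"Update"="no"
'''

# "Before" values as stated in the reply; the mail gives no prior state for the rest.
BEFORE = {"disablepasswordchange": 0, "maximumpasswordage": 30}

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {key_path: {lowercased_value_name: int or str}} for dword/string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = VALUE.match(line)
        if value and current is not None:
            name = value.group(1).lower()  # registry value names are case-insensitive
            dword, string = value.group(2), value.group(3)
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def changes(text, before=BEFORE):
    """List (value_name, before, after) for values that differ from the stated prior state."""
    out = []
    for values in parse_reg(text).values():
        for name, after in values.items():
            if name in before and before[name] != after:
                out.append((name, before[name], after))
    return sorted(out)

if __name__ == "__main__":
    for name, old, new in changes(REG_TEXT):
        print(f"{name}: {old} -> {new}")
```
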