Hi all,
In my system, samba (3.0.34) is configured as PDC with an LDAP backend and
has some user and machine accounts, and it all works fine. But recently I've
found out that if I remove one machine account from the LDAP server user
logins into the domain from that machine are still possible, even if the
machine login verification fails:
"...
[2009/05/05 19:34:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
init_sam_from_ldap: Entry found for user: test
[2009/05/05 19:34:47, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [test] -> [test] -> [test]
succeeded
[2009/05/05 19:34:52, 1] smbd/service.c:make_connection_snum(1033)
vmvista (192.168.100.198) connect to service netlogon initially as user
test (uid=1507, gid=1000) (pid 27646)
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
get_md4pw: Workstation VMVISTA$: no account in domain
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
_net_auth2: failed to get machine password for account VMVISTA$:
NT_STATUS_ACCESS_DENIED
[2009/05/05 19:35:06, 1] smbd/service.c:close_cnum(1230)
vmvista (192.168.100.198) closed connection to service netlogon
[2009/05/05 19:36:40, 2] smbd/sesssetup.c:setup_new_vc_session(1214)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2009/05/05 19:36:40, 2] smbd/sesssetup.c:setup_new_vc_session(1214)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2009/05/05 19:36:40, 2] lib/smbldap.c:smbldap_open_connection(786)
smbldap_open_connection: connection opened
[2009/05/05 19:36:41, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
get_md4pw: Workstation VMVISTA$: no account in domain
[2009/05/05 19:36:41, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
..."
Is there a way to prevent users logins from machines that have been removed
from system?
Nelson Vale
