Every 12th day or so domain members change passwords in the NT domain, and after a while (5 minutes normally) the NT PDC starts to sync against the BDCs in the domain. Before this syncing is done the authentication of new connections usually fails. We have a pretty large NT domain with 40.000+ users and the syncing process can take up to one hour, causing samba authentication to fail during this period.

When samba changes the trust account password, this shows up in the logfile:

[xxxxxxxxxx, 0] rpc_client/cli_netlogon.c:(656)
xxxxxxxxxx : change_trust_account_password: Changed password for domain YYY.

Then the authentication fails if:

*** you are using password server = "list of DCs" and the PDC is not the first one in the DC list. This shows up in the log file:

[1999/11/16 16:16:41, 0] rpc_client/cli_pipe.c:(346)
cli_pipe: return critical error. Error was ERRDOS - ERRbadfid (Invalid file handle.)
[1999/11/16 16:16:41, 0] smbd/password.c:(1429)
domain_client_validate: unable to validate password for user xxxx in domain YYY to Domain controller BDC. Error was ERRDOS - ERRbadfid (Invalid file handle.).

*** you are using password server = *, you have more than one DC, and the PDC and the samba server are on different subnets. This shows up in the log file:

[1999/11/16 15:10:00, 0] rpc_client/cli_netlogon.c:(160)
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[1999/11/16 15:10:00, 0] rpc_client/cli_login.c:(72)
cli_nt_setup_creds: auth2 challenge failed
[1999/11/16 15:10:00, 0] smbd/password.c:(1413)
domain_client_validate: unable to setup the PDC credentials to machine *. Error was : NT_STATUS_ACCESS_DENIED.

The attached patch fixes this problem if you are using password server = *, but something similar should be done with the password server serverlist code.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pass.diff
Type: application/octet-stream
Size: 3597 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/19991116/0848a461/pass.obj
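One way to spot this failure pattern in a Samba log, as an added example in Python (not the poster's patch and not Samba's own code): it parses constructed log lines in the two-line "[timestamp, level] file:(line)" layout shown above and flags domain_client_validate failures that follow a trust account password change within the one-hour sync window the post describes. The timestamps and the one-hour window are assumptions taken from the post, not measured values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Samba 2.0.x log layout seen in the post: a
# "[timestamp, level] file:(line)" header, then the message line. Times invented.
SAMPLE_LOG = """\
[1999/11/16 15:04:30, 0] rpc_client/cli_netlogon.c:(656)
  change_trust_account_password: Changed password for domain YYY.
[1999/11/16 15:10:00, 0] rpc_client/cli_netlogon.c:(160)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[1999/11/16 15:10:00, 0] smbd/password.c:(1413)
  domain_client_validate: unable to setup the PDC credentials to machine *. Error was : NT_STATUS_ACCESS_DENIED.
[1999/11/16 15:46:41, 0] smbd/password.c:(1429)
  domain_client_validate: unable to validate password for user xxxx in domain YYY to Domain controller BDC. Error was ERRDOS - ERRbadfid (Invalid file handle.).
[1999/11/16 17:30:00, 0] smbd/password.c:(1429)
  domain_client_validate: unable to validate password for user yyyy in domain YYY to Domain controller BDC. Error was ERRDOS - ERRbadfid (Invalid file handle.).
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), \d+\] (\S+)$")

def parse_samba_log(text):
    """Return (timestamp, source, message) triples from Samba's two-line entries."""
    entries, ts, src = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            src = m.group(2)
        elif ts is not None and line.strip():
            entries.append((ts, src, line.strip()))
    return entries

def find_post_change_failures(text, sync_window=timedelta(hours=1)):
    """Flag domain_client_validate failures within sync_window of a trust-account
    password change (the post reports PDC-to-BDC sync taking up to an hour)."""
    last_change, findings = None, []
    for ts, _src, msg in parse_samba_log(text):
        if msg.startswith("change_trust_account_password: Changed password"):
            last_change = ts
        elif msg.startswith("domain_client_validate:"):
            if last_change is None or ts - last_change > sync_window:
                continue  # outside the post-change window; some other problem
            if "ERRbadfid" in msg:
                cause = "password server = <list> with a non-PDC entry first"
            elif "NT_STATUS_ACCESS_DENIED" in msg:
                cause = "password server = * answered by a DC on another subnet"
            else:
                cause = "unclassified"
            findings.append((ts, cause, msg))
    return findings
```

The 17:30 entry in the sample is deliberately outside the window and is not reported, so the output separates "BDC not yet synced" noise from unrelated validation failures.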
Jeremy Allison
1999-Dec-10 02:30 UTC
Problems with security = domain/server and samba 2.0.6
Bjart Kvarme wrote:
>
> Every 12th day or so domain members change passwords in the NT domain, and
> after a while (5 minutes normally) the NT PDC starts to sync against the
> BDCs in the domain. Before this syncing is done the authentication of new
> connections usually fails. We have a pretty large NT domain with 40.000+
> users and the syncing process can take up to one hour, causing samba
> authentication to fail during this period.
>
> When samba changes the trust account password, this shows up in the logfile:
>
> [xxxxxxxxxx, 0] rpc_client/cli_netlogon.c:(656)
> xxxxxxxxxx : change_trust_account_password: Changed password for domain
> YYY.
>
> Then the authentication fails if:
>
> *** you are using password server = "list of DCs" and the PDC is not the first
> one in the DC list. This shows up in the log file:
>
> [1999/11/16 16:16:41, 0] rpc_client/cli_pipe.c:(346)
> cli_pipe: return critical error. Error was ERRDOS - ERRbadfid (Invalid
> file handle.)
> [1999/11/16 16:16:41, 0] smbd/password.c:(1429)
> domain_client_validate: unable to validate password for user xxxx in
> domain YYY to Domain controller BDC. Error was ERRDOS - ERRbadfid (Invalid
> file handle.).
>
> *** you are using password server = *, you have more than one DC, and the PDC
> and the samba server are on different subnets. This shows up in the log file:
>
> [1999/11/16 15:10:00, 0] rpc_client/cli_netlogon.c:(160)
> cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [1999/11/16 15:10:00, 0] rpc_client/cli_login.c:(72)
> cli_nt_setup_creds: auth2 challenge failed
> [1999/11/16 15:10:00, 0] smbd/password.c:(1413)
> domain_client_validate: unable to setup the PDC credentials to machine *.
> Error was : NT_STATUS_ACCESS_DENIED.
>
> The attached patch fixes this problem if you are using password server
> = *, but something similar should be done with the password server
> serverlist code.

Good patch, thanks.

I have fixed it up (for the serverlist code case you mentioned) and have committed it to the master sources. It'll be in the next stable Samba release.

Thanks a lot,

Jeremy Allison,
Samba Team.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------