Jens Leilich
2002-Jan-21 07:14 UTC
W2kPro SR2 Client, samba 2.2.1a, machine accounts, PC-Angel
Hi there,

we had 45 clients working fine with the above configuration for nearly one month. Now the WS complain about invalid machine accounts at login time. We tried the solution on the WS from M$:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
    "DisablePasswordChange"=dword:00000001
    "MaximumPasswordAge"=dword:000F4240

but it didn't work. Every day after reinstallation of the machine accounts into the domain the machine accounts seem to be invalid. Is there a known solution from samba side or are there any other suggestions?

Jens
Jens Leilich
2002-Jan-28 06:45 UTC
W2kPro SR2 Client, samba 2.2.1a, machine accounts, PC-Angel
Hi there,

we had 45 clients working fine with this configuration

    W2kPro SR2 Client, samba 2.2.1a, machine accounts, PC-Angel

for nearly one month. Now the WS complain about invalid machine accounts at login time. We tried the solution on the WS from M$:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
    "DisablePasswordChange"=dword:00000001
    "MaximumPasswordAge"=dword:000F4240

but it didn't work. Every day after reinstallation of the machine accounts into the domain the machine accounts seem to be invalid. Is there a known solution from samba side or are there any other suggestions?

Jens
Mumper, David
2002-Jan-29 10:10 UTC
[Samba]RE: W2kPro SR2 Client, samba 2.2.1a, machine accounts, PC-Angel
Not sure if this is related to your problem, but when I recently set Samba 2.2.2 (precompiled binaries provided by SCO/Caldera) up here, we were seemingly having this same problem.

What I found helped was to not do Domain Authentication to multiple Win2K DC's. Our network here has 2 Win2K (SP2) DC's per domain and I was seeing situations where our Sco Open Server 5.0.5 Unix Servers were getting hit with many map requests per second so the same (multiprocessor) machine could attempt to map drives and authenticate to both DC's almost simultaneously. Seems as though the DC's may not be replicating the changed password quickly enough so the password gets out of sync on one DC or the other and it can't authenticate the Server's machine account on any subsequent attempts. (I've connected up to the Active Directory on both the DC's, deleted a machine account on 1 and sat there doing refreshes on both for over 15 seconds before the deletion propagated to the second DC...)

Simply using the following authentication scheme seems to have helped:

    security = DOMAIN
    password server = dc01

Rather than

    security = DOMAIN
    password server = dc01 dc02

I know this could cause problems if the DC I'm using gets rebooted, but I didn't find a different option before trying this. (I haven't tried the following Reg Hack yet because I'm not the NT Admin and don't like the implication that NO machine account passwords will be getting changed...) And this seems to have resolved our problem. (It's now been about a week since that change without a machine account problem.)

Additionally, I was unable to get

    security = DOMAIN
    password server = *

as suggested by the docs, to work at all. (The logs indicated that no server responded on the broadcast address even though I'm in the same local LAN and subnet.)

Hope this helps. But if I'm wrong, I hope someone can enlighten me as well. :-)

> Original Message
> From: "Jens Leilich" <jens.leilich@t1.bbslu.de>
> To: samba@lists.samba.org
> Date: Mon, 28 Jan 2002 15:42:18 +0100
> Subject: W2kPro SR2 Client, samba 2.2.1a, machine accounts, PC-Angel
> Reply-To: jens@leilich.de
>
> Hi there,
> we had 45 clients working fine with this configuration
> W2kPro SR2 Client, samba 2.2.1a, machine accounts, PC-Angel
> for nearly one month. Now the WS complain about invalid machine accounts
> at login time. We tried the solution on the WS from M$:
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> "DisablePasswordChange"=dword:00000001
> "MaximumPasswordAge"=dword:000F4240
> but it didn't work. Every day after reinstallation of the machine
> accounts into the domain the machine accounts seem to be invalid. Is
> there a known solution from samba side or are there any other
> suggestions?
> Jens