Irving Carrion
2002-Dec-03 22:31 UTC
[Samba] RE: Machine accounts are no longer recognized in SAMBA 3.0-20-4
After verifying my smb.conf file, the only thing that changed was this "panic action" command was added. My smb.conf is attached.

All our workstations stopped working. If I change the computer name, switch to workgroup, then try to re-join the domain under a different computer name, it works. Do you know what .tdb file machine information is stored in?

Also I exported all information from the pdbedit backend using pdbedit -e to an smbpasswd format and everything looked fine. All machine accounts were listed. So I don't think it's the passdb.tdb.

I'm really puzzled by this one.

Thanks!

IRV

-----Original Message-----
From: samba-technical-admin@lists.samba.org [mailto:samba-technical-admin@lists.samba.org] On Behalf Of Steve Langasek
Sent: Tuesday, December 03, 2002 5:13 PM
To: Irving Carrion
Cc: samba-technical@lists.samba.org; Eloy Paris
Subject: Re: Machine accounts are no longer recognized in SAMBA 3.0-20-4

Hi Irving,

On Tue, Dec 03, 2002 at 04:20:45PM -0500, Irving Carrion wrote:
> Yesterday we upgraded Samba to version 2.999+3.0.alpha20-4 and this
> morning NO-ONE was able to log in to the Samba PDC. I upgraded from
> 20-3. Nothing has changed in the smb.conf file.

> We are using the unstable version of Samba because this is the only
> version of SAMBA that works with our SNAP server. (Damn SNAP!. We
> should have built our own fileserver!!! ;( )

> The error message on Win2k is something to the effect of "Your computer
> account is invalid or the password is incorrect"

> I verified (using pdbedit -lv) that the computer account is there and
> that they were not expired.

> I have a debug 10 log ready for anyone who can help me.

> Would really APPRECIATE ANY HELP anyone out there can give me!

> MORE INFORMATION:
> I reverted back to 20-3 with no success. I also restored all the old
> .tdb's with no success.

Do you also have an old copy of smb.conf you could restore, or are you eyeballing the smb.conf to confirm that nothing has changed? Your experience with switching back to -3 suggests that some change in the packaging caused your smb.conf to be reconfigured incorrectly, but it's not obvious to me what this change might have been. Can you forward your smb.conf file (either to this list or to the Debian BTS) for inspection?

How many workstations exhibited the "account is invalid" error? Are you able to try re-joining the domain from one of these workstations, to see if this corrects the error? If so, there's a question of whether your passdb was somehow overwritten with old information (i.e., old versions of the workstation shared secrets).

> Is there a way to disable samba looking for valid machine accounts
> temporarily so that users can log in while I try to fix this problem?

No, this is fundamental to domain logins; without a valid machine account, there's no trust relationship between the workstation and the PDC, and no way to securely verify the login credentials.

-- 
Steve Langasek
postmodern programmer

-------------- next part --------------
# Global parameters
[global]
   # Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d
   workgroup = DOMAIN1
   netbios name = SAMBA
   server string = %h server (Samba %v)
   security = user
   encrypt passwords = true
   passdb backend = smbpasswd
   #passdb backend = smbpasswd unixsam
   #passdb backend = smbpasswd tdbsam unixsam
   guest ok = yes
   null passwords = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat debug = yes
   debug level = 3
   log level = 3
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:\spassword\supdated* .
   non unix account range = 10000-20000
   add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
   unix password sync = Yes
   syslog = 0
   log file = /var/log/samba/log.%m
   max log size = 1000
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   name cache timeout = 0
   #add user script = /usr/local/samba/bin/add_user %u
   add user to group script = /usr/sbin/useradd %u %g
   delete user from group script = /usr/sbin/userdel %u %g
   delete group script = /usr/sbin/groupdel %g
   delete user script = /etc/samba/scripts/del_user %u
   add user script = /usr/sbin/useradd -g %u %u
   logon script = logonscript.bat
   logon path
   logon home
   logon drive
   domain logons = Yes
   local master = yes
   os level = 64
   preferred master = True
   domain master = True
   #dns proxy = No
   enhanced browsing = yes
   wins support = Yes
   printcap name = lpstat
   printing = cups
   use client driver = Yes
   print command = lp -d%p -oraw %s; rm %s
   lpq command = lpstat -o%p
   lprm command = cancel %p-%j
   queuepause command = disable %p
   queueresume command = enable %p
   show add printer wizard = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = Yes
   share modes = No

Steve Langasek
2002-Dec-03 22:36 UTC
[Samba] Re: Machine accounts are no longer recognized in SAMBA 3.0-20-4
Irving,

On Tue, Dec 03, 2002 at 05:26:42PM -0500, Irving Carrion wrote:
> After verifying my smb.conf file, the only thing that changed was this
> "panic action" command was added. My smb.conf is attached.

> All our workstations stopped working. If I change the computer name,
> switch to workgroup, then try to re-join the domain under a different
> computer name, it works. Do you know what .tdb file machine information
> is stored in?

> Also I exported all information from the pdbedit backend using pdbedit
> -e to an smbpasswd format and everything looked fine. All machine
> accounts were listed. So I don't think it's the passdb.tdb.

This smb.conf snippet looks telling:

> passdb backend = smbpasswd
> #passdb backend = smbpasswd unixsam
> #passdb backend = smbpasswd tdbsam unixsam

You said you "exported all information [...] to an smbpasswd format", but your comments suggest that you are actually expecting samba to read its passdb from passdb.tdb. The above snippet clearly shows that Samba is configured to look *only* at /etc/samba/smbpasswd, and not at /etc/samba/passdb.tdb. Could this be the source of the trouble?

Can you confirm that *this* section of your smb.conf was the same before and after the upgrade to -4 -- in which case, I would suggest that an ill-fated config change took effect when smbd restarted at the time of the upgrade?

Cheers,
-- 
Steve Langasek
postmodern programmer
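
Added example, not part of the original thread and not Samba's own code: one way to do the before/after smb.conf comparison asked for above without eyeballing it, by diffing only the settings that take effect in [global] and listing the passdb backends on the active line. BEFORE is a constructed, hypothetical pre-upgrade file, AFTER copies a few lines from the posted smb.conf, the function names are illustrative, and backslash line continuations are not handled.

```python
import re

def effective_globals(conf_text):
    """Return {normalized parameter: value} for the active [global] lines."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # commented-out lines never take effect
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            # smb.conf parameter names ignore case and internal whitespace
            key = re.sub(r"\s+", "", name).lower()
            params[key] = value.strip()
    return params

def diff_globals(before_text, after_text):
    """List (parameter, before, after) for every effective difference."""
    before, after = effective_globals(before_text), effective_globals(after_text)
    return [(k, before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)]

def passdb_backends(conf_text):
    """Backends named on the active 'passdb backend' line, in order."""
    return effective_globals(conf_text).get("passdbbackend", "").split()

# Constructed samples: AFTER mirrors lines from the post, BEFORE is hypothetical.
BEFORE = """[global]
   workgroup = DOMAIN1
   Passdb  Backend = smbpasswd tdbsam unixsam
"""
AFTER = """[global]
   # Do something sensible when Samba crashes
   panic action = /usr/share/samba/panic-action %d
   workgroup = DOMAIN1
   passdb backend = smbpasswd
   #passdb backend = smbpasswd tdbsam unixsam
"""

if __name__ == "__main__":
    for name, old, new in diff_globals(BEFORE, AFTER):
        print(f"{name}: {old!r} -> {new!r}")
    print("active passdb backends:", passdb_backends(AFTER))
```

With these samples the diff reports the new "panic action" line and the narrowed "passdb backend" line, which a visual comparison can miss when the old value is still present as a comment.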