samba - Dec 2002 - RE: Machine accounts are no longer recognized in SAMBA 3.0-20-4

After verifying my smb.conf file, the only thing that changed was this
"panic action" command was added.  My smb.conf is attached.

All our workstations stopped working.  If I change the computer name,
switch to workgroup, then try to re-join the domain under a different
computer name, it works.  Do you know what .tdb file machine information
is stored in.

Also I exported all information from the pdbedit backend using pdbedit
-e to an smbpasswd format and everything looked fine.  All machine
accounts were listed.  So I don't think it's the passdb.tdb.

I'm really puzzled by this one.

Thanks!
IRV

-----Original Message-----
From: samba-technical-admin@lists.samba.org
[mailto:samba-technical-admin@lists.samba.org] On Behalf Of Steve
Langasek
Sent: Tuesday, December 03, 2002 5:13 PM
To: Irving Carrion
Cc: samba-technical@lists.samba.org; Eloy Paris
Subject: Re: Machine accounts are no longer recognized in SAMBA 3.0-20-4

Hi Irving,

On Tue, Dec 03, 2002 at 04:20:45PM -0500, Irving Carrion
wrote:
> Yesterday we upgraded Samba to version 2.999+3.0.alpha20-4 and this
> morning NO-ONE was able to log in to the Samba PDC.  I upgraded from
> 20-3.  Nothing has changed in the smb.conf file.
> We are using the unstable version of Samba because this is the only
> version of SAMBA that works with our SNAP server.  (Damn SNAP!.  We
> should have built our own fileserver!!! ;(   )
> The error message on Win2k is something to the effect of "Your
computer
> account is invalid or the password is incorrect"  
> I verified (using pdbedit -lv) that the computer account is there and
> that they were not expired.
> I have a debug 10 log ready for anyone who can help me.   
> Would really APPRECIATE ANY HELP anyone out there can give me!
> MORE INFORMATION:
> I reverted back to 20-3 with no success.  I also restored all the old
> .tdb's with no success.
Do you also have an old copy of smb.conf you could restore, or are you
eyeballing the smb.conf to confirm that nothing has changed?  Your
experience with switching back to -3 suggests that some change in the
packaging caused your smb.conf to be reconfigured incorrectly, but it's
not obvious to me what this change might have been.  Can you forward
your
smb.conf file (either to this list or to the Debian BTS) for inspection?

How many workstations exhibited the "account is invalid" error?  Are
you
able to try re-joining the domain from one of these workstations, to see
if this corrects the error?  If so, there's a question of whether your
passdb was somehow overwritten with old information (i.e., old versions
of the workstation shared secrets).
> Is there a way to disable samba looking for valid machine accounts
> temporarily so that users can log in while I try to fix this problem?
No, this is fundamental to domain logins; without a valid machine
account, there's no trust relationship between the workstation and the
PDC, and no way to securely verify the login credentials.

-- 
Steve Langasek
postmodern programmer
-------------- next part --------------
# Global parameters
[global]

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d
        workgroup = DOMAIN1
        netbios name = SAMBA
        server string = %h server (Samba %v)
        security = user
        encrypt passwords = true
        passdb backend = smbpasswd
        #passdb backend = smbpasswd unixsam
        #passdb backend = smbpasswd tdbsam unixsam
        guest ok = yes
        null passwords = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat debug = yes
        debug level = 3
        log level = 3
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n *passwd:\spassword\supdated* .

        non unix account range = 10000-20000
        add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false
-M %u

        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        name cache timeout = 0

        #add user script = /usr/local/samba/bin/add_user %u
        add user to group script = /usr/sbin/useradd %u %g
        delete user from group script = /usr/sbin/userdel %u %g
        delete group script = /usr/sbin/groupdel %g
        delete user script = /etc/samba/scripts/del_user %u
        add user script = /usr/sbin/useradd -g %u %u

        logon script = logonscript.bat
        logon path         logon home         logon drive         domain logons
= Yes
        local master = yes
        os level = 64
        preferred master = True
        domain master = True
        #dns proxy = No
        enhanced browsing = yes
        wins support = Yes
        printcap name = lpstat
        printing = cups
        use client driver = Yes
        print command = lp -d%p -oraw %s; rm %s
        lpq command = lpstat -o%p
        lprm command = cancel %p-%j
        queuepause command = disable %p
        queueresume command = enable %p
        show add printer wizard = yes

[netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon
        guest ok = Yes
        share modes = No

Irving,

On Tue, Dec 03, 2002 at 05:26:42PM -0500, Irving Carrion
wrote:
> After verifying my smb.conf file, the only thing that changed was this
> "panic action" command was added.  My smb.conf is attached.
> All our workstations stopped working.  If I change the computer name,
> switch to workgroup, then try to re-join the domain under a different
> computer name, it works.  Do you know what .tdb file machine information
> is stored in.
> Also I exported all information from the pdbedit backend using pdbedit
> -e to an smbpasswd format and everything looked fine.  All machine
> accounts were listed.  So I don't think it's the passdb.tdb.
This smb.conf snippet looks telling:
>         passdb backend = smbpasswd
>         #passdb backend = smbpasswd unixsam
>         #passdb backend = smbpasswd tdbsam unixsam
You said you "exported all information [...] to an smbpasswd format",
but
your comments suggest that you are actually expecting samba to read its
passdb from passdb.tdb.  The above snippet clearly shows that Samba is
configured to look *only* at /etc/samba/smbpasswd, and not at
/etc/samba/passdb.tdb.  Could this be the source of the trouble?  Can you
confirm that *this* section of your smb.conf was the same before and
after the upgrade to -4 -- in which case, I would suggest that an
ill-fated config change took effect when smbd restarted at the time of
the upgrade?

Cheers,
-- 
Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20021203/0a3da597/attachment.bin