samba - Oct 2009 - Computers leaving samba domain

I am not sure if this is where I need to ask this or not, but I am lost to
where to start even.

I had 7 computers in one lab that would not login.  It gave the standard
"computer account password bad or domain not found".  I had another 9
computer in my other lab do the same thing.  It seems that they have
suddenly started losing the domain.  I can add them to a workgroup and
then re-add them back to the domain and they are fine.

I am just scared that they are going to lose the domain again.  I cannot
spend all of my time going around removing computers and adding them back
to the domain each day.  Any ideas of what could cause this?  Client
issue?  Samba issue?  ldap issue?

The clients are all Windows XP service pack 3 and the server is a Fedora
10 server running samba and ldap.

Usually the only time that I have this happen is if I accidentally add
another computer to the domain with the same name.  I understand that, but
I have not done that on any of these.

One lab has brand new computers.  The other lab just got imaged day before
yesterday.  I'll go ahead and get them all added back in, but I need to
find what to be looking for if they keep doing this.  Thanks.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?

sgmayo at mail.bloomfield.k12.mo.us wrote:
> I am not sure if this is where I need to ask this or not, but I am lost to
> where to start even.
>
> I had 7 computers in one lab that would not login.  It gave the standard
> "computer account password bad or domain not found".  I had
another 9
> computer in my other lab do the same thing.  It seems that they have
> suddenly started losing the domain.  I can add them to a workgroup and
> then re-add them back to the domain and they are fine.
>
> I am just scared that they are going to lose the domain again.  I cannot
> spend all of my time going around removing computers and adding them back
> to the domain each day.  Any ideas of what could cause this?  Client
> issue?  Samba issue?  ldap issue?
>
> The clients are all Windows XP service pack 3 and the server is a Fedora
> 10 server running samba and ldap.
>
> Usually the only time that I have this happen is if I accidentally add
> another computer to the domain with the same name.  I understand that, but
> I have not done that on any of these.
>
> One lab has brand new computers.  The other lab just got imaged day before
> yesterday.  I'll go ahead and get them all added back in, but I need to
> find what to be looking for if they keep doing this.  Thanks.
>
This may be an ldap question.  I was looking at the machines info and I
checked on about 5 of them.  For some reason it is showing that the
sambaPwdLastSet has changed in the last couple of days.  Is this supposed
to ever change for machines if you do not remove them from a domain and
then add them back in?  I would think it would always stay the same.

Machines are added by samba with smbldap-useradd -w "%u".

Thanks.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?

On Donnerstag, 1. Oktober 2009 wrote sgmayo at
mail.bloomfield.k12.mo.us:
> Harry Jede wrote:
> >> I was looking at the machines info and
> >> I checked on about 5 of them.  For some reason it is showing that
> >> the sambaPwdLastSet has changed in the last couple of days.  Is
> >> this supposed to ever change for machines if you do not remove
> >> them from a domain and then add them back in?  I would think it
> >> would always stay the same.
> >
> > No, Windows machines will change their password on a regulare time
> > interval. I do not remember the exact days.
> >
> > You must allow them to change the password field an one other.
> > Search this list or look into the good samba documentation :-)
>
> That is strange then.  I have software on my XP clients that will not
> let anything get changed.  If there are changes made then once you
> reboot the computer, it will be back to the way it was when you
> started.  If the client is recording this change also then it would
> not be saved on a reboot.
>
> I would think that was the problem, but I have had this software
> running for a few years now and I have not had this problem before.
You may apply a registry patch, so that the client will NOT change the 
machine password :-) , before you lock the client image.

>
> Thanks for the info.
>
> --
> Scott Mayo - System Administrator
> Bloomfield Schools
> PH: 573-568-5669  FA: 573-568-4565
>
> Question: Because it reverses the logical flow of conversation.
> Answer: Why is putting a reply at the top of the message frowned
> upon?


-- 

Gruss
	Harry Jede

Harry Jede wrote:
> On Donnerstag, 1. Oktober 2009 wrote sgmayo at mail.bloomfield.k12.mo.us:
>> Harry Jede wrote:
>> >> I was looking at the machines info and
>> >> I checked on about 5 of them.  For some reason it is showing
that
>> >> the sambaPwdLastSet has changed in the last couple of days. 
Is
>> >> this supposed to ever change for machines if you do not remove
>> >> them from a domain and then add them back in?  I would think
it
>> >> would always stay the same.
>> >
>> > No, Windows machines will change their password on a regulare time
>> > interval. I do not remember the exact days.
>> >
>> > You must allow them to change the password field an one other.
>> > Search this list or look into the good samba documentation :-)
>>
>> That is strange then.  I have software on my XP clients that will not
>> let anything get changed.  If there are changes made then once you
>> reboot the computer, it will be back to the way it was when you
>> started.  If the client is recording this change also then it would
>> not be saved on a reboot.
>>
>> I would think that was the problem, but I have had this software
>> running for a few years now and I have not had this problem before.
> You may apply a registry patch, so that the client will NOT change the
> machine password :-) , before you lock the client image.
>
Yes, that is what another pointed out to me.  I actually thought that I
had that patch applied (and did on all my other machines), but when I
started imaging this summer, I must have grabbed one of my old images that
did not have the patch.  I should have caught that, but did not.  I am
just thankful that someone pointed that out.

In case anyone sees this thread and is having an issue like this, here is
the registry entry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
add this new entry : DisablePasswordChange type boolean true

Thanks for the replies.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?