Florian Scholz
2012-Aug-08 10:12 UTC
[Samba] password change problem and no logon servers available
Hi,
we are using SAMBA 3.6.1-1 (updating this archlinux machine is tooo ugly)
and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend
and manage the users, groups and computer by using the smbldap-tools.
Currently we are experiencing the following problems:
1. changing the passwords takes longer than 30 seconds <- That's bad
because we are using a gigabit ethernet network!
2. sometimes windows tells us that the user can't change their passwords at
the current point of time
3. sometimes windows forces the users to change their passwords (we never
told samba to do it!)
4. sometimes windows tells us that there are no logon server available!
Are there any known bugs regarding these problems? Do you need further
information to investigate this problem?
Florian Scholz
-------------- next part --------------
[global]
#!!! Authentication of the PDC in the domain
workgroup = ASTA
netbios name = samba
domain logons = yes
domain master = yes
local master = yes
server string = %h PDC (%v)
comment = %h PDC (%v)
#!!! Ensure that the PDC is definitely used by the computers as the primary PDC.
preferred master = yes
os level = 20
#!!! Time synchronization (synchronize the computer time with the SAMBA PDC)
time server = yes
#!!! Restriction of network access
interfaces = 192.168.100.253
bind interfaces only = yes
#!!! Authentication of users and computers against the PDC
security = user
#!!! The following two settings conflict with each other
obey pam restrictions = yes
encrypt passwords = yes
admin users = root,admin
#!!! Configuration of LDAP access
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=asta,dc=lan
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap admin dn = cn=admin,dc=asta,dc=lan
ldap passwd sync = yes
ldap idmap suffix = ou=Idmap
ldap ssl = no
ldap delete dn = no
ldap passwd sync = yes
# The IDMAP settings should match those in Krefeld so that SAMBA works.
# The purpose of the IDMAP settings is to represent Windows SIDs as UNIX IDs
idmap uid = 10000-20000
idmap gid = 10000-20000
#!!! Change UNIX passwords
unix password sync = yes
passwd program = /usr/bin/passwd %u
#!!! Default settings for new SAMBA users
template shell = /bin/false
template homedir = /home/%U
#!!! Windows logon
logon drive = h:
logon script = netlogon.bat
#!!! Tuning and system-specific settings
# socket options = TCP_NODELAY
#
# kernel oplocks = no
# posix locking = no
socket options = TCP_NODELAY
kernel oplocks = yes
posix locking = yes
# kernel oplocks = yes
# #Do not resolve WINS names via DNS
# dns proxy = no
#Tuning from blog
getwd cache = yes
lpq cache = 30
oplocks = yes
#!!! Debug logging
# log level = 2 auth:3 smb:3
# log file = /var/log/samba/%U.log
# max log size = 1000
#!!! Miscellaneous
hide files = /desktop.ini/profile.V2/$RECYCLE.BIN/
#!!! Shares required for authentication
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
browseable = no
public = yes
[profiles]
comment = User Profiles
create mask = 0700
directory mask = 0700
writeable = yes
browsable = no
[homes]
comment = Home Directory %U
create mask = 0755
directory mask = 0755
writeable = yes
browsable = no
#!!! The AStA share from Krefeld
[asta]
comment = asta
path = /home/samba/asta/
browsable = yes
writeable = yes
hide unreadable = yes
hide special files = yes
create mask = 0775
directory mask = 0775
#!!! The home directories from Mönchengladbach
[gladbach]
comment = asta
path = /mnt/mg
browsable = yes
writeable = yes
hide unreadable = yes
hide special files = yes
create mask = 0775
directory mask = 0775
[backup]
comment = asta
path = /home/samba/backup
browsable = yes
writeable = yes
hide unreadable = yes
hide special files = yes
create mask = 0775
directory mask = 0775
guest ok = yes
guest only = yes
guest account = nobody
public = yes
#!!! The home directories from Krefeld for administration purposes?
[home]
path = /home
browsable = no
writeable = yes
create mask = 0775
directory mask = 0775
valid users = "@Domain Admins", @edv
admin users = @edv
[scan]
path = /home/samba/scan/
browsable = yes
writeable = yes
guest ok = yes
guest only = yes
guest account = nobody
create mask = 0775
directory mask = 0775
root preexec = /root/cron_recreate_information.sh
public = yes
John Drescher
2012-Aug-08 12:04 UTC
[Samba] password change problem and no logon servers available
> we are using SAMBA 3.6.1-1 (updating this archlinux machine is tooo ugly)
> and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend
> and manage the users, groups and computer by using the smbldap-tools.
>
> Currently we are experiencing the following problems:
>
> 1. changing the passwords takes longer than 30 seconds <- That's bad
> because we are using a gigabit ethernet network!
> 2. sometimes windows tells us that the user can't change their passwords at
> the current point of time
> 3. sometimes windows forces the users to change their passwords (we never
> told samba to do it!)
> 4. sometimes windows tells us that there are no logon server available!
>
> Are there any known bugs regarding these problems? Do you need further
> information to investigate this problem?
>

I do not have any of these bugs on my samba3 based network at work. I believe my PDC and BDCs are samba-3.5.X and I am using the last released openldap 2.3.X release on all 3 ldap servers.

John
Gaiseric Vandal
2012-Aug-08 13:25 UTC
[Samba] password change problem and no logon servers available
Is this a single domain controller environment (1 PDC) or do you also have one or more BDC's?

Are you using WINS? that should help clients find domain controllers.

Is there a difference between XP and Windows 7 clients? As you probably know, you can login to a windows machine with cached credentials even if it is not connected to the network. I found with Windows 7 machines sometimes you may have logged into the computer with your network account, the domain controller was not reached, you get authenticated with cached credentials and you don't know there is an issue until you try changing your password. This is more likely to happen with laptops that may get disconnected and reconnected from the network without doing a complete shutdown 1st.

"pdbedit -Lv username" should show you if the "X" flag is set for the user- if the "X" flag is set the user's password should never expire even if the domain policy sets a max password age.

If you have an ldap browser, look at the top level sambaDomainObject. There may be a sambamaxpwdage (n seconds) param.

On 08/08/12 06:12, Florian Scholz wrote:
> Hi,
>
> we are using SAMBA 3.6.1-1 (updating this archlinux machine is tooo ugly)
> and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend
> and manage the users, groups and computer by using the smbldap-tools.
>
> Currently we are experiencing the following problems:
>
> 1. changing the passwords takes longer than 30 seconds <- That's bad
> because we are using a gigabit ethernet network!
> 2. sometimes windows tells us that the user can't change their passwords at
> the current point of time
> 3. sometimes windows forces the users to change their passwords (we never
> told samba to do it!)
> 4. sometimes windows tells us that there are no logon server available!
>
> Are there any known bugs regarding these problems? Do you need further
> information to investigate this problem?
>
> Florian Scholz
Gaiseric Vandal
2012-Aug-08 18:54 UTC
[Samba] password change problem and no logon servers available
I would look at the windows event log. It may be of help.

Also "nbtstat -a" should show you the IP addresses for the domain, DC's and master browser.

I found with both Samba and NT4 domains that using WINS helped- it shouldn't cause new problems at least.

On 08/08/12 12:17, Florian Scholz wrote:
> I'm not using XP anymore.. and I meant that I applied the
> http://wiki.samba.org/index.php/Windows7 stuff before adding the
> computers to the domain
>
> 2012/8/8 Gaiseric Vandal <gaiseric.vandal at gmail.com>
>
>     3. If you were able to join domain and log in to your PC, then
>     your registry settings should not be an issue. I meant do you
>     have this problem with XP and Win 7 or only Win 7?
>
>     On 08/08/12 12:05, Florian Scholz wrote:
>>     1. Only one PDC per subnetwork (physically another town)
>>     2. I don't know if I'm using WINS but I don't think so.
>>     3. Yes, there are some registry settings you have to apply to
>>     Windows 7 to make it compatible with SAMBA 3.6
>>     4. Yes but I don't get the temporary session message :)
>>     5. The X-flag isn't set.
>>
>>     # ASTA, asta.lan
>>     dn: sambaDomainName=ASTA,dc=asta,dc=lan
>>     objectClass: top
>>     objectClass: sambaDomain
>>     objectClass: sambaUnixIdPool
>>     sambaDomainName: ASTA
>>     sambaSID: S-1-5-21-3963991337-2686100338-2601203207
>>     sambaPwdHistoryLength: 0
>>     sambaMaxPwdAge: -1
>>     sambaLockoutThreshold: 0
>>     sambaRefuseMachinePwdChange: 0
>>     sambaLogonToChgPwd: 0
>>     sambaMinPwdAge: 0
>>     sambaForceLogoff: -1
>>     sambaMinPwdLength: 4
>>     sambaLockoutDuration: 30
>>     sambaLockoutObservationWindow: 30
>>     gidNumber: 1049
>>     sambaNextRid: 1028
>>     uidNumber: 1209
>>
>>     2012/8/8 Gaiseric Vandal <gaiseric.vandal at gmail.com>
>>
>>         Is this a single domain controller environment (1 PDC) or do
>>         you also have one or more BDC's?
>>
>>         Are you using WINS? that should help clients find domain
>>         controllers.
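Added example (not part of the thread, and not Samba's own code): the two checks suggested above, the "X" account flag and the domain's sambaMaxPwdAge, combined into one expiry decision, using the policy values from the sambaDomain entry posted in the thread. It assumes Samba 3.x treats a sambaPwdLastSet of 0 as "must change at next logon" and a maximum age of -1 or 0 as "never expires"; the user entries passed to must_change() are constructed, and parse_ldif() is a hypothetical helper that handles only simple single-valued LDIF lines.

```python
# Added example: expiry decision for a Samba 3 ldapsam account.
# Assumption: this mirrors Samba 3.x passdb behaviour as understood by the
# editor; verify against the Samba version you actually run.

DOMAIN_LDIF = """\
# ASTA, asta.lan  (policy values as posted in the thread)
dn: sambaDomainName=ASTA,dc=asta,dc=lan
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaLockoutThreshold: 0
sambaMinPwdLength: 4
"""

def parse_ldif(text):
    """Parse one simple LDIF entry (no base64, no folded lines) into a dict.
    For a repeated attribute the last value wins."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    return entry

def must_change(policy, user, now):
    """Return ('now' | 'never' | 'at', epoch or None) for one account.
    policy: parsed sambaDomain entry; user: dict of sambaSamAccount attributes."""
    last_set = int(user.get("sambaPwdLastSet", "0"))
    if last_set == 0:
        # Password marked as never set (e.g. after an admin-side reset):
        # the client is told to change it at next logon.
        return ("now", None)
    flags = user.get("sambaAcctFlags", "[]").strip("[]")
    if "X" in flags:
        # The "X" flag shown by "pdbedit -Lv": password never expires.
        return ("never", None)
    max_age = int(policy.get("sambaMaxPwdAge", "-1"))
    if max_age in (-1, 0):
        # Domain policy sets no maximum password age.
        return ("never", None)
    expires = last_set + max_age
    return ("now", None) if expires <= now else ("at", expires)
```

With the posted policy (sambaMaxPwdAge: -1) and no "X" flag, the only branch that yields a forced change is sambaPwdLastSet being 0, so that attribute on the affected user entries is the one to inspect.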