Problems with security = domain/server and samba 2.0.6

Jeremy Allison jeremy at valinux.com
Fri Dec 10 02:30:45 GMT 1999


Bjart Kvarme wrote:
> 
> Every 12th day or so domain members change passwords in the NT domain, and
> after a while (5 minutes normally) the NT PDC starts to sync against the
> BDCs in the domain. Before this syncing is done the authentication of new
> connections usually fails. We have a pretty large NT domain with 40.000+
> users and the syncing process can take up to one hour, causing samba
> authentication to fail during this period.
> 
> When samba changes the trust account password, this shows up in the logfile:
> 
> [xxxxxxxxxx, 0] rpc_client/cli_netlogon.c:(656)
>   xxxxxxxxxx : change_trust_account_password: Changed password for domain
> YYY.
> 
> Then the authentication fails if:
> 
> *** you are using password server = "list of DCs" and pdc is not the first
> one in the DC list. This shows up in the log file:
> 
> Then:
> [1999/11/16 16:16:41, 0] rpc_client/cli_pipe.c:(346)
>   cli_pipe: return critical error. Error was ERRDOS - ERRbadfid (Invalid
> file handle.)
> [1999/11/16 16:16:41, 0] smbd/password.c:(1429)
>   domain_client_validate: unable to validate password for user xxxx in
> domain YYY to Domain controller BDC. Error was ERRDOS - ERRbadfid (Invalid
> file handle.).
> 
> *** you are using password server = *, you have more than one DC and the PDC
> and the samba are on different subnets. This shows up in the log file:
> 
> [1999/11/16 15:10:00, 0] rpc_client/cli_netlogon.c:(160)
>   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [1999/11/16 15:10:00, 0] rpc_client/cli_login.c:(72)
>   cli_nt_setup_creds: auth2 challenge failed
> [1999/11/16 15:10:00, 0] smbd/password.c:(1413)
>   domain_client_validate: unable to setup the PDC credentials to machine *.
> Error was : NT_STATUS_ACCESS_DENIED.
> 
> The attached patch fixes this problem if you are using password server =
> *, but something similar should be done with the password server =
> serverlist code.

Good patch, thanks. I have fixed it up (for the serverlist
code case you mentioned) and have committed it to the master
sources. It'll be in the next stable Samba release.

Thanks a lot,

	Jeremy Allison,
	Samba Team.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
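
Log triage for the failure pattern reported above, as an added example that is not part of the original thread or of Samba's code: it parses smbd log records and labels each domain_client_validate failure by whether it falls inside a window after a trust account password change. The sample log is constructed, and the one-hour default window is an assumption taken from the sync time quoted in the report.

```python
import re
from datetime import datetime, timedelta

# Samba 2.0.x log record: a "[date time, level] file:(line)" header line
# followed by one or more message lines.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] \S+:\(\d+\)")

# Constructed sample log (timestamps and names are made up for this example).
SAMPLE_LOG = """\
[1999/11/16 15:05:02, 0] rpc_client/cli_netlogon.c:(656)
  change_trust_account_password: Changed password for domain YYY.
[1999/11/16 15:10:00, 0] rpc_client/cli_netlogon.c:(160)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[1999/11/16 15:10:00, 0] smbd/password.c:(1413)
  domain_client_validate: unable to setup the PDC credentials to machine *.
  Error was : NT_STATUS_ACCESS_DENIED.
[1999/11/16 16:16:41, 0] smbd/password.c:(1429)
  domain_client_validate: unable to validate password for user xxxx in
  domain YYY to Domain controller BDC. Error was ERRDOS - ERRbadfid (Invalid
  file handle.).
"""

def parse_records(text):
    """Yield (timestamp, message) pairs, joining wrapped message lines."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(parts)
            stamp, parts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), []
        elif stamp is not None and line.strip():
            parts.append(line.strip())
    if stamp is not None:
        yield stamp, " ".join(parts)

def classify_failures(text, window=timedelta(hours=1)):
    """Label each domain_client_validate failure by whether it falls inside
    the window after the most recent trust account password change."""
    last_change, results = None, []
    for stamp, msg in parse_records(text):
        if "change_trust_account_password: Changed password" in msg:
            last_change = stamp
        elif msg.startswith("domain_client_validate: unable to"):
            in_window = last_change is not None and stamp - last_change <= window
            results.append((stamp, "sync-window" if in_window else "investigate"))
    return results
```

Failures labelled "investigate" have no recent trust password change to explain them and deserve a closer look than those inside the replication window.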

