domain_client_validate: unable to validate password

Sergey Kleyman Sergey.Kleyman at exanet.com
Tue Dec 9 14:12:41 GMT 2008


Hi Everybody,

I would like to ask for your help with the following problem.
Background: we're trying to run Samba 3.0.33 on a clustered file system to
provide CIFS access.  In a two-node cluster, smbd processes run on both
nodes while winbindd runs only on one of the nodes. For that we changed
smbd - winbindd communication to TCP sockets instead of UNIX.  Now to
the actual problem: during very high loads we see the following messages
in syslog:

2008 Dec  8 19:13:42 node0 MAJOR: smbd[14803]: [2008/12/08 19:13:42, 0, pid=14803] libsmb/credentials.c:creds_client_check(324)

2008 Dec  8 19:13:42 node0 MAJOR: smbd[14803]:   creds_client_check: credentials check failed.

2008 Dec  8 19:13:42 node0 MAJOR: smbd[14803]: [2008/12/08 19:13:42, 0, pid=14803] rpc_client/cli_netlogon.c:rpccli_netlogon_sam_network_logon(1030)

2008 Dec  8 19:13:42 node0 MAJOR: smbd[14803]: rpccli_netlogon_sam_network_logon: credentials chain check failed

2008 Dec  8 19:13:42 node0 MAJOR: smbd[14803]: [2008/12/08 19:13:42, 0, pid=14803] auth/auth_domain.c:domain_client_validate(260)

2008 Dec  8 19:13:42 node0 MAJOR: smbd[14803]:   domain_client_validate: unable to validate password for user test_user in domain DOMAIN-QA to Domain controller DC-LAB1.DOMAIN-QA. Error was NT_STATUS_ACCESS_DENIED.

I did a tcpdump on the domain controller DC-LAB1.DOMAIN-QA and I see that
the domain controller responds with STATUS_ACCESS_DENIED when 2 requests
from 2 nodes interleave (that is, the second request arrives before the
response to the first). This is because we keep secrets.tdb on the local
file system, thus only smbds on each node serialize on it but not between
nodes. Both nodes have the same NETBIOS name, so that is what confuses
the domain controller. My question is: why doesn't smbd use winbind for
authentication? In our smb.conf we don't have "auth methods" and
security = ads. If I understand correctly, that would've solved the
problem since we have winbind running on only one of the nodes.

Thank you in advance, Sergey
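
A simplified model of the failure described in the post above: a domain controller that tracks one credential chain per machine name, and two nodes that each keep their own local chain state. This is an added example, not Samba code and not part of the original message; HMAC-SHA256 stands in for the real Netlogon credential computation, and every class, function and machine name here is hypothetical.

```python
import hashlib
import hmac
import os

def credential(key, seed):
    # Assumption: HMAC-SHA256 stands in for the real Netlogon credential function.
    return hmac.new(key, seed.to_bytes(8, "little"), hashlib.sha256).digest()[:8]

class DomainController:
    """Tracks exactly one credential chain per machine account name."""
    def __init__(self):
        self.chains = {}  # machine name -> [session key, stored seed]

    def session_setup(self, name, key, seed):
        self.chains[name] = [key, seed]  # replaces any earlier chain for this name

    def network_logon(self, name, authenticator):
        key, seed = self.chains[name]
        if not hmac.compare_digest(authenticator, credential(key, seed + 1)):
            return "NT_STATUS_ACCESS_DENIED"
        self.chains[name][1] = seed + 1  # the chain advances only on success
        return "NT_STATUS_OK"

class Node:
    """One smbd host holding its own local copy of the chain state."""
    def __init__(self, dc, name):
        self.dc, self.name = dc, name

    def session_setup(self):
        self.key = os.urandom(16)
        self.seed = int.from_bytes(os.urandom(4), "little")
        self.dc.session_setup(self.name, self.key, self.seed)

    def logon(self):
        status = self.dc.network_logon(self.name, credential(self.key, self.seed + 1))
        if status == "NT_STATUS_OK":
            self.seed += 1
        return status

def run(two_nodes):
    # "CLUSTER" is a constructed machine name shared by both nodes.
    dc = DomainController()
    a = Node(dc, "CLUSTER")
    b = Node(dc, "CLUSTER") if two_nodes else a
    a.session_setup()
    if two_nodes:
        b.session_setup()  # second node's exchange lands before a's logon
    return a.logon(), b.logon()
```

With two nodes sharing the name, the first node's logon is rejected because the controller's chain now belongs to the second node; with a single client owning the chain, both logons succeed.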

 


