Samba Member Servers dropping out of the domain

Hemanth Thummala hemanth.thummala at gmail.com
Tue Dec 16 15:15:14 MST 2014


All the password changes should be updated to secrets.tdb after changing at
DC. And yes if we failed to update the secrets.tdb we are not reverting the
password at DC. I did not find any reason other than "TDB corruptions" that
can cause this situation. Looks like the TDB file state is good, as you were
able to dump the secrets.

Also it could be a case where there are multiple DCs in the same site (or
domain) and the Samba server just updated one of them, if the secrets check
goes against a different DC whose database is not yet synced with its peers.
But clearly this looks like a password mismatch for the machine account in the DC.

Thanks,
Hemanth.

On Tue, Dec 16, 2014 at 1:19 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
>
> On Tue, Dec 16, 2014 at 10:04 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
> > On Tue, Dec 16, 2014 at 8:33 AM, Richard Sharpe
> > <realrichardsharpe at gmail.com> wrote:
> >> Hi folks,
> >>
> >> I have seen quite a number of instances of Samba member servers
> >> dropping out of the domain.
> >>
> >> This has all been with Samba 3.6.x.
> >>
> >> The typical symptom is that people cannot log in, and when you use
> >> wbinfo -t you see:
> >>
> >>     wbinfo -t
> >>     checking the trust secret for domain blahblah via RPC calls failed
> >>     error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> >>     failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> >>     Could not check secret
> >>
> >> After that you have to rejoin the domain.
> >>
> >> Is this a problem that is fixed in later versions of Samba?
> >
> > OK, the logs show the following:
> >
> > [2014/12/16 15:21:52.971839,  4]
> > winbindd/winbindd_cm.c:991(cm_prepare_connection)
> >   authenticated session setup failed with Logon failure
> >
> > ...
> >
> > [2014/12/16 15:21:52.972014, 10]
> > winbindd/winbindd_cm.c:1042(cm_prepare_connection)
> >   cm_prepare_connection: falling back to anonymous connection for DC
> > blah-blag-blae-blah
>
> Using net ads search we have determined that the machine account
> password was last changed on Dec-11, but the secrets file seems not to
> have changed (time stamps are further back).
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
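
The comparison discussed in this thread (the machine account's password change time on the DCs against the change time recorded locally in secrets.tdb), as an added example that is not code from the thread or from Samba. It assumes the local value is the 4-byte little-endian Unix time stored under SECRETS/MACHINE_LAST_CHANGE_TIME/<DOMAIN>, that each DC's value is the pwdLastSet attribute of the machine account, and a 300-second tolerance; the DC names and timestamps are constructed.

```python
import struct

EPOCH_DELTA = 11644473600   # seconds between 1601-01-01 and 1970-01-01
TOLERANCE = 300             # assumed slack between DC and local clocks


def filetime_to_unix(filetime):
    """Convert an AD pwdLastSet value (100 ns ticks since 1601) to Unix seconds."""
    return filetime // 10_000_000 - EPOCH_DELTA


def unix_to_filetime(unix_seconds):
    """Inverse of filetime_to_unix, used here only to build sample data."""
    return (unix_seconds + EPOCH_DELTA) * 10_000_000


def local_change_time(raw):
    """Decode the secrets.tdb last-change record (assumed little-endian uint32)."""
    if len(raw) != 4:
        raise ValueError("expected a 4-byte last-change-time record")
    return struct.unpack("<I", raw)[0]


def diagnose(local_unix, pwd_last_set_by_dc):
    """Classify the trust state from the local record and each DC's pwdLastSet."""
    newer, older = [], []
    for dc, filetime in sorted(pwd_last_set_by_dc.items()):
        dc_unix = filetime_to_unix(filetime)
        if dc_unix > local_unix + TOLERANCE:
            newer.append(dc)    # DC has a change the member never recorded
        elif dc_unix < local_unix - TOLERANCE:
            older.append(dc)    # DC has not yet received the latest change
    if newer:
        return ("local-secrets-stale", newer)
    if older:
        return ("dc-replication-lag", older)
    return ("in-sync", [])


# Constructed sample: DCs changed on 2014-12-11, local record a month older.
DEC_11 = 1418256000
NOV_11 = DEC_11 - 30 * 86400
SAMPLE_LOCAL_RAW = struct.pack("<I", NOV_11)
SAMPLE_DCS = {"dc1": unix_to_filetime(DEC_11), "dc2": unix_to_filetime(DEC_11)}

if __name__ == "__main__":
    print(diagnose(local_change_time(SAMPLE_LOCAL_RAW), SAMPLE_DCS))
```

A "local-secrets-stale" result matches the situation reported above, where the DC shows a newer change than the secrets file; "dc-replication-lag" matches the multi-DC case, where one DC has not yet received the new password.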


More information about the samba-technical mailing list