Problems with security = domain/server and samba 2.0.6

Bjart Kvarme bjart.kvarme at usit.uio.no
Tue Nov 16 15:59:26 GMT 1999


Every 12th day or so domain members change passwords in the NT domain, and
after a while (5 minutes normally) the NT PDC starts to sync against the
BDCs in the domain. Before this syncing is done the authentication of new
connections usually fails. We have a pretty large NT domain with 40.000+
users and the syncing process can take up to one hour, causing samba
authentication to fail during this period.

When samba changes the trust account password, this shows up in the logfile:

[xxxxxxxxxx, 0] rpc_client/cli_netlogon.c:(656)
  xxxxxxxxxx : change_trust_account_password: Changed password for domain
YYY.


Then the authentication fails if:

*** you are using password server = "list of DCs" and pdc is not the first
one in the DC list. This shows up in the log file:

Then:
[1999/11/16 16:16:41, 0] rpc_client/cli_pipe.c:(346)
  cli_pipe: return critical error. Error was ERRDOS - ERRbadfid (Invalid
file handle.)
[1999/11/16 16:16:41, 0] smbd/password.c:(1429)
  domain_client_validate: unable to validate password for user xxxx in
domain YYY to Domain controller BDC. Error was ERRDOS - ERRbadfid (Invalid
file handle.).


*** you are using password server = *, you have more than one DC and the PDC
and the samba are on different subnets. This shows up in the log file:

[1999/11/16 15:10:00, 0] rpc_client/cli_netlogon.c:(160)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[1999/11/16 15:10:00, 0] rpc_client/cli_login.c:(72)
  cli_nt_setup_creds: auth2 challenge failed
[1999/11/16 15:10:00, 0] smbd/password.c:(1413)
  domain_client_validate: unable to setup the PDC credentials to machine *.
Error was : NT_STATUS_ACCESS_DENIED.

The attached patch fixes this problem if you are using password server =
*, but something similar should be done with the password server =
serverlist code.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pass.diff
Type: application/octet-stream
Size: 3597 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/19991116/0848a461/pass.obj
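
An added example, not part of the original post or of Samba: a small Python correlator that flags the failure messages quoted above when they are logged within an hour (the sync time the post mentions) of a trust account password change. The sample log is constructed; its timestamps, the host name smbhost and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Entry header as it appears in the post: "[1999/11/16 16:16:41, 0] file.c:(346)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] \S+:\(\d+\)")
CHANGE = "change_trust_account_password: Changed password"
FAILURES = ("cli_net_auth2: Error NT_STATUS_ACCESS_DENIED",
            "domain_client_validate: unable to")

def parse_entries(text):
    """Join each header with its wrapped continuation lines -> [(time, message)]."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), ""])
        elif entries and line.strip():
            entries[-1][1] = (entries[-1][1] + " " + line.strip()).strip()
    return [(t, msg) for t, msg in entries]

def failures_after_change(text, window_minutes=60):
    """Return failures logged within the window after a trust password change."""
    window = timedelta(minutes=window_minutes)
    entries = parse_entries(text)
    changes = [t for t, msg in entries if CHANGE in msg]
    return [(t, msg) for t, msg in entries
            if any(f in msg for f in FAILURES)
            and any(c <= t <= c + window for c in changes)]

# Constructed sample: timestamps and names (smbhost, YYY, BDC, xxxx) are made up.
SAMPLE = """\
[1999/11/16 15:05:00, 0] rpc_client/cli_netlogon.c:(656)
  smbhost : change_trust_account_password: Changed password for domain
YYY.
[1999/11/16 15:10:00, 0] rpc_client/cli_netlogon.c:(160)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[1999/11/16 15:10:00, 0] smbd/password.c:(1413)
  domain_client_validate: unable to setup the PDC credentials to machine *.
Error was : NT_STATUS_ACCESS_DENIED.
[1999/11/16 18:30:00, 0] smbd/password.c:(1429)
  domain_client_validate: unable to validate password for user xxxx in
domain YYY to Domain controller BDC. Error was ERRDOS - ERRbadfid (Invalid
file handle.).
"""

if __name__ == "__main__":
    for when, msg in failures_after_change(SAMPLE):
        print(when, msg)
```

The 18:30 failure in the sample falls outside the window and is not reported, which separates replication-lag failures from ones that need a different explanation.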

