[Samba] NT4 machine trust breaks on a Samba-BDC

Mikko Kortelainen mkortela at cc.hut.fi
Wed Nov 20 10:44:00 GMT 2002


I checked with tdbtool that the domain SIDs are the same on all of the
domain controllers. Also the machine trust account passwords are the
same, and they don't change.

It is enough that I change a user's password with "smbpasswd <user>",
and afterwards I won't be able to log in to the domain with an NT 4
machine.

(The problem was that an NT4 host in the subnet of a samba backup domain
controller complains that either the machine trust account is missing
from the domain or the trust account password is wrong, after there is a
change in smbpasswd. The PDC is in a different subnet, and there's no
such problem there.)

I ran a level 10 debug when the machine was starting up. Right after I
had joined the domain I found that lines saying "challenge: XYZ" and
"calculated: XYZ" had the same value. It was also possible to log in to
the domain. But after a simple password change with "smbpasswd
<username>" and copying smbpasswd to the BDC with rsync, the same lines
in the log file had different values, and after them there was a line
saying "status: NT_STATUS_ACCESS_DENIED". Logging in to the domain was
not possible.

Earlier in the log there were complaints about null passwords not being
valid, I don't know if that has anything to do with this.

Is there something I should check in the log file, something that should
be the same in both situations?

Would somebody look at my log files if I post them here? (And is there
some information in the log files that would be insecure to post here?)

-Mikko-

Gerald (Jerry) Carter wrote:
> 
> >> We have Samba (2.2.5) running on three servers, each in a different
> >> subnet.  One of them is a PDC (domain master = yes). The Samba PDC is
> 
> >> also the NIS master. The smbpasswd is replicated using rsync to the
> >> other machines that act as Samba BDCs (domain master = no). They are
> >> also NIS slave servers. The smbpasswd synchronization takes place
> >> automatically every time smbpasswd is updated, and the NIS maps are
> >> updated and pushed automatically to the slaves whenever a machine
> >> joins the domain.
> 
> >> Anybody have any ideas or suggestions? Where should I start
> >> debugging?
> 
> > Check that the domain SID is the same.  Sync secrets.tdb, or use the
> > new smbpasswd option (2.2.6) to 'suck' the SID from PDC to each BDC.
> 
> I understood that you can't just copy the secrets.tdb to the BDCs,
> because it contains some host specific information. I've run "smbpasswd
> -S <domain>" on both BDCs before starting smbd on them (It seems that if
> you start smbd on the local host with option "workgroup = <the domain,
> the sid of which you're trying to retrieve>" in smb.conf, and run
> smbpasswd -S after that, it will retrieve the sid from the local smbd.
> At least in my configuration where the PDC is in a different subnet...?)

Certainly in HEAD's variant of this command, you can specify the host -
try the -r option.

> Anyhow, I checked the secrets.tdb databases, and the 48 bytes following
> the string "SECRETS/SID/<domain>" match on every host (and more, there's
> a lot of zeroes). I'm not sure if that's the right place to look? Is
> there a way of printing out the domain SID in cleartext?

tdbtool can help there.

> Plus, shouldn't the other OSes complain also, if my domain SIDs were
> wrong? But it's just the NT4. What does it do differently than W2k and
> WXP...?

Hmm, that's weird - it should affect any host that contacts the 'wrong'
DC.
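A small log-check script, added here as an example and not part of the thread: it walks a Samba debug log, pairs each "challenge:" line with the "calculated:" line that follows it and the status after that, and flags the attempts where the two values differ, which is the pattern the post describes before NT_STATUS_ACCESS_DENIED. The sample log and the exact line layout are constructed from the post's description; the real Samba 2.2 level-10 format is assumed, not taken from a captured log.

```python
import re
from typing import Dict, List

# Constructed sample log, modelled on the lines the post describes
# ("challenge: XYZ", "calculated: XYZ", "status: ..."). Timestamps,
# source files and hex values are made up; the layout is an assumption.
SAMPLE_LOG = """\
[2002/11/20 10:30:01, 10] auth/auth_util.c: checking machine account NTSRV$
challenge: 3A1F99C0B2D4E6F8
calculated: 3A1F99C0B2D4E6F8
[2002/11/20 10:30:01, 5] auth/auth.c: status: NT_STATUS_OK
[2002/11/20 10:41:17, 10] auth/auth_util.c: checking machine account NTSRV$
challenge: 7C0E55AA12BB34CD
calculated: 9F9F00001111DEAD
[2002/11/20 10:41:17, 5] auth/auth.c: status: NT_STATUS_ACCESS_DENIED
"""

CHALLENGE_RE = re.compile(r"\bchallenge:\s*([0-9A-Fa-f]+)")
CALCULATED_RE = re.compile(r"\bcalculated:\s*([0-9A-Fa-f]+)")
STATUS_RE = re.compile(r"\bstatus:\s*(NT_STATUS_[A-Z_]+)")


def find_challenge_mismatches(log_text: str) -> List[Dict[str, object]]:
    """Return one record per authentication attempt: the challenge value,
    the calculated value, the reported status, and whether they differ."""
    attempts: List[Dict[str, object]] = []
    current = None
    for line in log_text.splitlines():
        m = CHALLENGE_RE.search(line)
        if m:  # a new attempt starts at each "challenge:" line
            current = {"challenge": m.group(1).upper(),
                       "calculated": None, "status": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # noise before the first attempt
        m = CALCULATED_RE.search(line)
        if m:
            current["calculated"] = m.group(1).upper()
            continue
        m = STATUS_RE.search(line)
        if m:
            current["status"] = m.group(1)
            current = None  # attempt complete; wait for the next challenge
    for a in attempts:
        a["mismatch"] = (a["calculated"] is not None
                         and a["challenge"] != a["calculated"])
    return attempts
```

Running it over the BDC's log.smbd before and after an smbpasswd change shows directly whether the mismatch appears only for attempts handled by the BDC.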


