[Samba] temporary problems with authorization in windows domain
Jakub.Turski at siemens.com
Tue Feb 10 13:23:46 GMT 2004
Greetings,
I've been debugging the following scenario for some time now,
and I'm slowly running out of ideas. If anyone would suggest
anything helpful... I'd be grateful.
Anyway, here's the setup:
windows 2003 AD domain running in 'windows 2003 native' mode
+ a few Solaris 8 servers with Samba 3.0.0. All sambas have
computer accounts in windows' domain, and have successfully
joined the domain. However...
... once every few days, I have the following behaviour:
samba stops authorizing users at PDC, with the following:
[2004/02/06 09:36:19, 0] auth/auth_domain.c:(115)
connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WROS001A. Error was : NT_STATUS_ACCESS_DENIED.
[2004/02/06 09:36:19, 0] auth/auth_domain.c:(167)
domain_client_validate: Domain password server not available.
After just a couple of minutes, it works fine:
[2004/02/06 09:41:17, 2] auth/auth.c:(302)
check_ntlm_password: authentication for user [WRO01713] -> [WRO01713] ->
[wro01713] succeeded
I have a line in smb.conf, specifying PDCs to use, with '*' at the
end, but still - WROS001A is the first one in line, and it tells
samba that NT_STATUS_ACCESS is DENIED, so it doesn't try at other
PDCs. I've tried setting password server to * but still I've
noticed such behaviour.
What's more funny, if I specify 'password server = [any other PDC
besides wros001a]' during such incident, samba authorizes itself
correctly on any other single PDC.
It looks as if the password for the computer's account has been changed,
and the current PDC (wros001a) had not been notified about this fact
yet. But is this possible? I've been fiddling around this way:
issue 'net rpc changetrustpw' and then look at samba's log (after
setting debug level high enough) -> after such move samba is authorizing
users at the same PDC that was used to change the password.
How often does smbd try password change? Maybe I should put
'net rpc changetrustpw' in my crontab, at some midnight hour
(to make sure nobody is working at the moment, and potential
fluxes will not affect him/her)?
I have very limited access to PDCs, and I do not have any
possibility to change anything there.
Any hints about potential causes of such behaviour or ways to
debug this (-d 10 is good for samba developers I guess :)
would be greatly appreciated :)
Regards,
KT.
--
Jakub Turski
Siemens Sp. z o. o.
Information and Communication Mobile
Software Development Center
54A Strzegomska St.
PL 53-611 Wrocław
phone: +48 71 799 2421
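
Added example, not part of the original post: a small parser for the log layout quoted above that groups wrapped lines under their timestamped header and reports, per domain controller, how long NETLOGON credential setup kept failing before the next successful authentication. The function names are hypothetical, and the sample input is the set of log excerpts quoted in the post.

```python
import re
from datetime import datetime

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
FAIL = re.compile(r"NETLOGON\s+credentials to machine (\S+?)\.\s+Error was\s*:\s*(NT_STATUS_\w+)")
AUTH_OK = re.compile(r"check_ntlm_password: authentication for user .* succeeded")

def records(lines):
    """Yield (timestamp, message), joining wrapped lines under their header."""
    ts, body = None, []
    for line in lines:
        m = HEADER.match(line)
        if m and ts is not None:
            yield ts, " ".join(body)
        if m:
            ts, body = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), []
        elif ts is not None:
            body.append(line.strip())
    if ts is not None:
        yield ts, " ".join(body)

def outage_windows(lines):
    """One dict per DC: first failure until the next successful authentication."""
    windows, pending = [], {}
    for ts, msg in records(lines):
        fail = FAIL.search(msg)
        if fail:
            dc, status = fail.groups()
            w = pending.setdefault(dc, {"dc": dc, "status": status, "start": ts, "end": None, "failures": 0})
            w["failures"] += 1
        elif pending and AUTH_OK.search(msg):  # success lines need log level >= 2
            windows += [{**w, "end": ts} for w in pending.values()]
            pending = {}
    return windows + list(pending.values())  # end=None: still failing at end of log

SAMPLE = """\
[2004/02/06 09:36:19, 0] auth/auth_domain.c:(115)
connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WROS001A. Error was : NT_STATUS_ACCESS_DENIED.
[2004/02/06 09:36:19, 0] auth/auth_domain.c:(167)
domain_client_validate: Domain password server not available.
[2004/02/06 09:41:17, 2] auth/auth.c:(302)
check_ntlm_password: authentication for user [WRO01713] -> [WRO01713] ->
[wro01713] succeeded
""".splitlines()

if __name__ == "__main__":
    for w in outage_windows(SAMPLE):
        print(w["dc"], w["status"], w["start"], "->", w["end"], f'{w["failures"]} failure(s)')
```

Run over a full log, the start times of the reported windows can be compared with the times at which the machine account password was changed, which is the hypothesis raised in the post.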