[Samba] samba rejecting machine accounts

Ulrich Ferenc wakwak at freemail.hu
Mon Jun 26 10:59:29 GMT 2006


Hi!

I use Debian Sarge + Samba 3.0.22 + OpenLDAP 2.2.23 Server as a 
domain controller. Once a month I have to rejoin Windows XP clients to 
the domain, because Samba thinks they're not in the domain (users 
cannot log in).
The error message found in each machine's log:


_net_auth2: creds_server_check failed. Rejecting auth request from 
client T2906 machine account T2906$

What's wrong? 

Thanks!


Ferenc Ulrich
IT Manager


Here's a copy of my smb.conf:

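[global]
        # Posted smb.conf of a Samba 3.0.22 domain controller with an LDAP
        # account backend. Values that the mail client had wrapped mid-line
        # (passwd chat and the three smbldap-groupmod/-usermod scripts) are
        # rejoined onto single lines; no setting is otherwise changed.
        workgroup = DOMAIN
        netbios name = SZERVER
        # smbd honours privileges assigned to SIDs (e.g. with "net rpc rights").
        enable privileges = yes
        # Address redacted by the poster.
        # NOTE(review): "interfaces" on its own does not stop smbd from
        # accepting connections on other addresses; that needs
        # "bind interfaces only = yes", which is not set in this file.
        interfaces = 10.0.****
        server string = Szerver
        # security = user together with "domain logons" and "domain master"
        # further down makes this server the domain's logon server (PDC role).
        security = user
        # The passwd program is started by smbd with root privileges; %u is
        # replaced by the user name and is kept inside quotes.
        unix password sync = yes
        passwd program = /usr/sbin/smbldap-passwd -u "%u"
        # NOTE(review): the trailing double quote is unbalanced as posted;
        # it is kept exactly as the author wrote it.
        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        ldap passwd sync = Yes
        # Level 3 is verbose. One log file per client (%m = client NetBIOS
        # name); max log size is given in kilobytes.
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        Dos charset = 852
        Unix charset = ISO8859-2

        logon script = startup.bat
        logon drive = J:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        # User and machine trust accounts are stored in LDAP on the loopback
        # address.
        # NOTE(review): the monthly failures are consistent with the periodic
        # machine-account password change that Windows domain members perform
        # (30 days by default) — presumably worth checking whether that
        # password update is written to the machine entry in LDAP; not
        # confirmed by anything in this post.
        passdb backend = ldapsam:ldap://127.0.0.1/
        # Samba binds to the directory as this DN; its password is stored in
        # secrets.tdb (set with "smbpasswd -w").
        # NOTE(review): cn=Manager is presumably the OpenLDAP rootdn; a
        # dedicated DN with write access limited to the Samba subtrees would
        # reduce what a leaked secrets.tdb exposes.
        ldap admin dn = cn=Manager,dc=CSETE,dc=SULINET,dc=HU
        ldap suffix = dc=CSETE,dc=SULINET,dc=HU
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        # No TLS towards LDAP. With the 127.0.0.1 URL above the bind password
        # stays on the loopback interface; enable TLS if the directory is
        # ever moved to another host.
        ldap ssl = no
        # The helper scripts below are executed by smbd (as root, per
        # smb.conf(5)); %u and %g are substituted from the request and are
        # kept quoted.
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        # NOTE(review): confirm in the installed smbldap-useradd man page that
        # combining -w and -i is intended for workstation accounts.
        add machine script = /usr/sbin/smbldap-useradd -w -i "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"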


[homes]
        # Per-user home directories; the share comment shows the session
        # user name (%U) and the service user name (%u).
        comment = repertoire de %U, %u
        read only = No
        # Samba reads mask values as octal, so 700 here and 0700 on the next
        # line grant the same owner-only permissions; writing the leading
        # zero consistently avoids misreading.
        create mask = 700
        directory mask = 0700
        # Hides the [homes] entry itself from browse lists.
        browseable = No

[netlogon]
        # Logon-script share. %a expands to the client's architecture, so
        # each client OS type is served from its own subdirectory.
        path = /etc/samba/netlogon/%a/
        browseable = No
        # Scripts from this share run on every client at logon ([global]
        # sets "logon script = startup.bat"), so it is kept read-only over
        # SMB; write access to the directory on disk should be limited to
        # administrators.
        read only = yes

[profiles]
        # Roaming-profile share.
        # NOTE(review): storing profile data below /etc/samba is unusual;
        # confirm ownership, permissions and backup coverage of this path.
        path = /etc/samba/profiles
        read only = no
        # New files are owner read/write only, new directories owner-only.
        create mask = 0600
        directory mask = 0700
        browseable = No
        # NOTE(review): guest access on a share that holds user profiles is
        # hard to justify; confirm it is required, otherwise set it to No.
        guest ok = Yes
        profile acls = yes
        # Disables client-side (offline) caching of this share.
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        # NOTE(review): %U expands to the connecting user's own name, so this
        # list appears to admit any authenticated user; separation between
        # profiles then rests on the 0600/0700 masks and filesystem
        # ownership — confirm.
        valid users = %U @"Domain Admins"
        hide files = /desktop.ini/


[vb]
        path = /vb
        browseable = Yes
        # Guest access combined with "read only = No": sessions mapped to the
        # guest account can write here, subject to the filesystem permissions
        # on /vb.
        # NOTE(review): confirm that unauthenticated write access is intended.
        guest ok = Yes
        read only = No
        # 0775 leaves group write and the execute bits available on new
        # files and directories.
        directory mask = 0775
        create mask = 0775

[tanarok]
        # Share name is Hungarian ("tanárok" = teachers); hidden from browse
        # lists and closed to guests.
        path = /tanarok
        browseable = No
        guest ok = No
        read only = No
        directory mask = 0770
        create mask = 0770
        # NOTE(review): %U expands to the connecting user's own name, so this
        # list appears to admit any authenticated user rather than a specific
        # group; confirm that access is actually restricted by the
        # permissions on /tanarok, or name the intended group here.
        valid users = %U @"Domain Admins"
        # "invalid users" takes precedence over "valid users", so this
        # account is always refused.
        invalid users = virusbuster


[feladat]
        # Share name is Hungarian ("feladat" = task/assignment).
        path = /feladat
        browseable = Yes
        # Guest access combined with "read only = No": sessions mapped to the
        # guest account can write here, subject to the filesystem permissions
        # on /feladat.
        # NOTE(review): confirm that unauthenticated write access is intended.
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0775
        # The virusbuster account is limited to read-only access on this
        # share.
        read list = virusbuster


[vizsga]
        # Share name is Hungarian ("vizsga" = exam). "read only" is not set,
        # so Samba's default (read only = yes) applies and only members of
        # "write list" can write.
        path = /vizsga
        browseable = Yes
        directory mask = 755
        create mask = 755
        # NOTE(review): writing requires authenticating over SMB as root; a
        # dedicated account or group in the write list would keep root
        # credentials out of SMB logons.
        write list = root
