[Samba] Switching Ldap Servers

Mike Cauble mcauble at lufkin.com
Tue May 9 22:15:18 GMT 2006


Jim,

I recently did the same thing, here is what I found:

First, the message "net_auth2: creds_server_check failed": I see this 
when a machine changes its sambaNTPassword. While this appears to be an 
error message, my machines go ahead and change their password.

Your comment " one person was getting this error and I believe was able 
to remove the machine and then rejoin the domain" tells me the new ldap 
doesn't have some things that the old ldap has regarding machine accounts.

When I migrated my ldap, some machines couldn't connect even though 
they had an account on the domain. Here are some of the reasons:

"sambaPwdLastSet" must have a valid value (i.e. 1146061069). I can't 
remember, but all the date fields (sambaPwdMustChange, 
sambaPwdCanChange) may have to have a valid value.

Check your old ldap machine entries against the new ldap entries: 
sambaSID and sambaNTPassword must match; make sure sambaAcctFlags has a [W].

objectClass: sambaSamAccount - I have seen this discussed as something 
that has changed; you might want to check this.

You might remove and re-add a machine, then look at its ldap entry and 
compare it with another machine account's old ldap entry.

It should work; it's most probably an ldap problem.

                                                       Mike
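The checklist above, turned into a script that compares the machine accounts in an LDIF dump of the old server with a dump of the new one (e.g. from `ldapsearch -LLL`). This is an added example, not code from the thread; the entry, SID and NT hash below are constructed placeholders.

```python
# Added example (not from the thread): run the checklist above against LDIF dumps
# of the old and new servers (e.g. "ldapsearch -LLL"). Sample data is constructed.
def parse_ldif(text):                  # minimal reader -> {dn: {attr: [values]}}
    entries = {}
    for block in text.strip().split("\n\n"):
        lines, attrs = [], {}
        for line in block.splitlines():
            if line.startswith(" "):
                lines[-1] += line[1:]          # RFC 2849 folded continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        for key, _, val in (l.partition(":") for l in lines):
            attrs.setdefault(key, []).append(val.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries
def has_w(entry):                      # [W] in sambaAcctFlags marks a machine account
    return "W" in "".join(entry.get("sambaAcctFlags", []))
def valid_epoch(value):                # e.g. 1146061069; empty or 0 is not valid
    return value.isdigit() and int(value) > 0

def check_machine_accounts(old_ldif, new_ldif):
    """Return {dn: [problems]} for each machine account found in the old dump."""
    old, new = parse_ldif(old_ldif), parse_ldif(new_ldif)
    report = {}
    for dn, o in old.items():
        if not has_w(o):
            continue
        if (n := new.get(dn)) is None:
            report[dn] = ["entry missing on new server"]
            continue
        checks = [("objectClass lacks sambaSamAccount",
                   "sambaSamAccount" in n.get("objectClass", [])),
                  ("sambaAcctFlags lacks [W]", has_w(n))]
        checks += [(f"{a} differs from old server", o.get(a) == n.get(a))
                   for a in ("sambaSID", "sambaNTPassword")]
        checks += [(f"{a} is not a valid epoch value", valid_epoch(n.get(a, [""])[0]))
                   for a in ("sambaPwdLastSet", "sambaPwdCanChange", "sambaPwdMustChange")
                   if a == "sambaPwdLastSet" or a in n]   # LastSet required; others if present
        if issues := [msg for msg, ok in checks if not ok]:
            report[dn] = issues
    return report

TEMPLATE = """dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-0-0-0-1001
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [W          ]
sambaPwdLastSet: {lastset}
"""
OLD_LDIF = TEMPLATE.format(lastset="1146061069")
NEW_LDIF = TEMPLATE.format(lastset="0")   # zeroed date: the kind of gap described above
```

Run it as `check_machine_accounts(open("old.ldif").read(), open("new.ldif").read())`; any DN in the result is a machine account that will likely fail to bind until the listed attributes are fixed on the new server.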

Jim Summers wrote:
> Hello List,
>
> I am in the final throes of migrating our ldap servers.  I have been 
> running samba as a pdc and using the ldap as the backend for over a 
> year, and all is well.
>
> I was testing the samba pdc against the new ldap servers and got the 
> following errors in the log file for the machine attempting to connect:
>
> net_auth2: creds_server_check failed
>
> and the machine (xp) will not successfully connect/bind.
>
> - I am running samba-3.0.22
> - I have changed the password stored in the secrets file to match the 
> new ldap admin DN, but that didn't help.
> - All of the ldap entries were simply migrated over from the existing 
> ldap to the new ldap.
> - I can use smbclient and successfully get to a share.
>
> I did see where one person was getting this error and I believe was 
> able to remove the machine and then rejoin the domain.  Which led me 
> to believe that possibly a SID or some descriptor has changed when I 
> changed the password in the secrets file for the ldap manager DN.
>
> I also have some standalone machines that simply map a share.  Will 
> those continue to work?  My guess was yes, since the smbclient is 
> working and this seems to be a machine bind issue.
>
> I only have a small window each day to test and was hoping to be close 
> to figuring this out before my next attempt.
>
> Any tips / suggestions?
>
> TIA