[Samba] Switching Ldap Servers
mcauble at lufkin.com
Tue May 9 22:15:18 GMT 2006
I recently did the same thing, here is what I found:
First the message "net_auth2: creds_server_check failed" I see this
when a machine changes it's sambaNTPassword, while this appears to be an
error message my machines go ahead and change their password.
Your comment " one person was getting this error and I believe was able
to remove the machine and then rejoin the domain" tells me the new ldap
doesn't have some things that the old ldap has regarding machine accounts.
When I migrated my ldap, some machines couldn't connect even thought
they had an account on the domain. Here are some of the reasons
"sambaPwdLastSet" must have a valid value (ie. 1146061069) I can't
remember but all the date fields ( sambaPwdMustChange,
sambaPwdCanChange) may have to have a valid value
check your old ldap machine entries against the new ldap entries
sambaSID, sambaNTPassword must match, make sure sambaAcctFlags has a [W]
objectClass: sambaSamAccount - I have seen this discussed as something
that has changed you might want to check this
You might remove and re-add a machine then look at it's ldap entry and
compare with another machine account's old ldap entry.
It should work, it most probably an ldap problem.
Jim Summers wrote:
> I am in the final throws of migrating our ldap servers. I have been
> running samba as a pdc and using the ldap as the backend for over a
> year, and all is well.
> I was testing the samba pdc against the new ldap servers and got the
> following errors in the log file for the machine attempting to connect:
> net_auth2: creds_server_check failed
> and the machine (xp) will not successfully connect/bind.
> - I am running samba-3.0.22
> - I have changed the password stored in the secrets file to match the
> new ldap admin DN, but that didn't help.
> - All of the ldap entries were simply migrated over from the existing
> ldap to the new ldap.
> - I can use smbclient and successfully get to a share.
> I did see where one person was getting this error and I believe was
> able to remove the machine and then rejoin the domain. Which led me
> to believe that possibly a SID or some descriptor has changed when I
> changed the password in the secrets file for the ldap manager DN.
> I also have some standalone machines that simply map a share. Will
> those continue to work? My guess was yes since the smbclient is
> working and this seems to be machine bind issue.
> I only have a small window each day to test and was hoping to be close
> to figuring this out before my next attempt.
> Any tips / suggestions?
More information about the samba