[Samba] Intresting problem with AD domains and Samba

Robert Bannocks R.Bannocks at nhm.ac.uk
Wed Feb 21 16:07:57 GMT 2007

I have been moving machines to AD integrated samba.  To this end I have
created machine account and compiled samba with Kerberos openldap and
samba 3.0.23d/24.  this has been working fine. 

The Samba version that has previously been in use is 3.0.10.  This was
not compiled with AD integration and was using Unix passwords (via
nsswitch.conf)  This morning in preparation to move a production server
to the new Samba+AD arrangement I installed the samba (3.0.24) in a
different location to the earlier version and use the new version to
join the domain.  I wanted to wait until this evening before stopping
the old and working samba and turning on the new one.  

However about midday we stared hitting major problems with clients not
being able to connect to the still running old samba.  The error
produced was "The client is not authorized to login from this station".
There had been no changes to the old samba installation.  After some
investigation we deleted the machine account created for the new version
of samba and things after AD replicated the deletion, started working

Connecting from a Samba client worked fine with no problems

So we concluded that the windows machines look up the machine in AD
*before* connecting and changes its behaviour/credentials on the basis
of whether or not there is a machine account in the domain.

I find this behaviour somewhat odd.  Has anyone else experienced this
behaviour?  Is this documented anywhere?  Why might Windows do this?
Any other assistance appreciated.

 A gif of the error is attached.

More information about the samba mailing list