[Samba] samba problems. accounts expire after a hour, but work after reset

Collen Blijenberg collen at hermanjordan.nl
Mon Mar 12 14:01:11 GMT 2007


Hi Edmundo, the main problem we have here, is that all out of the blue, 
the samba PDC and BDC
are giving errors.
like TRUST DOMAIN FAILED, or USER AUTH FAILED, MACHINE HAS NO ACCOUNT. 
things like that.
but the funny part is, there is no reason for the servers to do that, 
they run for a few hours (sometimes a day)
and then start spitting out these errors.

after resetting the PDC, all turns back to normal. and those errors go 
away, and samba functions as it should be.
but then after a while, it's back to the errors again.

we do use however the pdb-sql backend for storing the usernames and all...
in that period of errors, the sql gets queried. so the backend does work.
and i can't find any errors generated from the sql backend. also the 
sql server is accessible in those error times.
(we use it for nss-mysql as well)

so either the migration part went wrong (the sid <> uid part +1000), or 
samba has a serious bug in the passwd plugin backend ??
the winbindd part are for some other servers in the domain.

our domain is only accessible for domain accounts, so no guests or other 
accounts here. also all machines have registered to the domain
no anonymous accounts and all.
it's really driving me crazy this bug.  

cheers

Collen



Edmundo Valle Neto wrote:
> Collen Blijenberg wrote:
>> Hmm.. just a few last questions.
>>
>> the bug came back the other day, after i fired up some machine that 
>> uses winbindd for apache authentication.
>> (no smb processes here). downside is that it's winbindd from samba 
>> 3.0.11.
>> winbindd from samba 3.0.24 has some strange issues with that machine, 
>> for every page it starts re authing again
>> resulting in asking username and password again, and again and again 
>> and .........
>> i think the problem might be there.
>
> Sorry, I don't use winbind.
>
>>
>> the part i don't get is the 'resolve unmapped account' ??
>> how can you have unmapped accounts ?? isn't it so that all
>> accounts that don't have entries in the user database (or machine)
>> are rejected ?? so don't need any auth at all ?
>
> I have always used LDAP, so for me the scripts always create all the 
> needed stuff. But some parts of the documentation make mention of the 
> algorithmic rid being used on groups that weren't mapped by "net 
> groupmap", for example.
>
>>
>> so basically, i can leave the old sids and posix uids alone, but need 
>> to monitor the sid and uid
>> when creating new users and machines, coz they can collide with the 
>> existing non-standard uids and sids.
>
> If you changed the ids as you said in the last e-mail, those collisions 
> must not happen.
>
>> great, back to debugging again... thx for da input.
>>
>> Collen
>
> I didn't understand very well what your problem is, you said in the 
> first e-mail that accounts keep expiring. All of them? Do clients get some 
> strange return error after some time? When that happens, does listing 
> shares in the server shell with a user "smbclient -L \\servername 
> -Usomeuser%password" or anonymously "smbclient -L localhost -U%" at 
> least work?
>
>
> Regards.
>
> Edmundo Valle Neto
>


