[Samba] Re: Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386
Rubin Bennett
rbennett at thatitguy.com
Tue Nov 27 23:14:55 GMT 2007
On Wed, 2007-11-28 at 09:36 +1200, Patrick Rynhart wrote:
> Hi Rubin,
>
> Do you have any trusted domains and (if so) are users logging into a
> trusted domain ? If this is the case, I would start smbd, nmbd normally
> (i.e. as daemons) but then run a single winbindd process in interactive
> mode, debug level 10.
>
> i.e.
>
> winbindd -i -d 10
>
No domain trusts - this is the only DC in a 3 site WAN connected (routed) domain.
> Check beforehand that no other winbindd processes are running (i.e. ps
> aux |grep winbindd). Then I would attempt to logon from a member
> workstation. View the debug output to see if you can track any problems.
> Ctrl-Z (i.e. background) may help here ("fg" to resume) as there could
> be a lot of output.
>
> If you don't have any trusted domains (and therefore aren't running
> winbindd) then the approach I take is very similar. Start nmbd normally
> (i.e. as a background daemon) but then run smbd as an interactive
> process, again in debug level 10 mode.
>
> i.e.
>
> smbd -i -d 10
>
> From what you're describing, there may be a problem with the machine
> account for the affected machines. Look for something like
> NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE or some other NT STATUS code
> (these are defined in source/include/nterr.h if you happen to have the
> Samba source on your domain controller).
>
The problem is that exactly this is happening, but to different machines, and totally sporadically.
When it happens, I get lines like the following in my /var/log/messages:
Nov 24 19:39:01 server smbd[10339]: _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
> Regards,
>
> Patrick
This, at least, is completely consistent - when a system gets 'locked
out' of the domain, it *always* shows lines like above in the logs.
I've Googled fairly extensively for errors as above, but turned up
nothing that seemed particularly applicable to my setup/ issue.
FWIW, I'm not running Winbind at all on the PDC or anywhere else on the network (AFAIK, anyway).
Thanks again,
Rubin
>
> Rubin Bennett wrote:
> > Hello all...
> >
> > I have a site of about 50 pcs connected to a Samba domain controller.
> > The domain has been running flawlessly for several years through several
> > upgrades, and the last one (From Fedora Core 4/ Samba 3.0.23a to FC7/
> > Samba 3.0.27) seems to have caused something to come unglued.
> >
> > The Workstations are periodically booting up in the morning and being
> > unable to contact the domain controller. The Samba server is giving
> > failed authentication errors for the workstation itself (not the
> > username/ password) in log.{workstation}.
> >
> > The upgrade was done nearly a month ago, and roughly 1/2 of the
> > workstations in the network were unable to connect the following
> > morning. It happened again last week and about 10 more workstations
> > were affected. And it happened again today, where 1 workstation and a
> > member server (Win2003r2) lost their credentials. This time it was a
> > really bad deal because the member server runs an application that is
> > mission critical and therefore no one was able to work until it was
> > fixed.
> >
> > In all cases, the users are able to log in by disconnecting their
> > network cable and rebooting, then logging in with the cached credentials
> > on the workstations. Reconnecting the NIC after login allowed the users
> > to connect to network resources on the Samba PDC, and work until a
> > reboot. A 'permanent' fix is to unjoin the PC from the domain and
> > rejoin again.
> >
> > I had assumed that the issue was caused by the upgrade somehow, and that
> > once every system had been re-joined it would go away. However, the
> > workstation from this morning had been unjoined and rejoined once before
> > and now I fear that the issue will keep cropping up all over the place.
> >
> > Ideas, suggestions, flames? I've copied my smb.conf below for your
> > review as well.
> >
> > Thanks very much in advance,
> > Rubin
> >
> > /etc/samba/smb.conf
> > [global]
> > workgroup = WORKGROUP
> > netbios name = Server
> > server string = Network File Server
> > printcap name = cups
> > enable privileges = yes
> > load printers = yes
> > printcap cache time = 60
> > printing = cups
> > keepalive = 10000
> > log file = /var/log/samba/log.%m
> > max log size = 50
> >
> > log level = 3
> > security = user
> > encrypt passwords = Yes
> > map to guest = bad user
> > os level = 65
> > domain master = yes
> > preferred master = yes
> > passdb backend = tdbsam
> >
> > pam password change = yes
> > socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
> > add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /bin/false -M %u
> >
> > oplocks = no
> > level2 oplocks = no
> > domain logons = Yes
> > logon script = login%G.bat
> > logon drive = Z:
> > logon home = \\server\%U
> > logon path = \\server\profiles\%U
> > wins support = Yes
> > name resolve order = wins hosts bcast
> > hide unreadable = Yes
> >
> > # Added in an attempt to fix broken tdbsam backend...
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> >
> > dns proxy = yes
> >
> > #============================ Share Definitions ==============================
> > [homes]
> > comment = Home Directories
> > create mask = 0700
> > directory mask = 0700
> > browseable = No
> > writable = yes
> >
> > [netlogon]
> > comment = Netlogon Scripts
> > path = /var/lib/samba/netlogon
> > comment = Network Logon Service
> > path = /var/lib/samba/netlogon
> > guest ok = yes
> > writable = no
> >
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > browseable = no
> > guest ok = yes
> > writable = no
> > printable = yes
> > create mode = 0700
> > ;print command = lpr-cups -P %p -o raw %s -r
> > use client driver = yes
> >
> > [print$]
> > path = /var/lib/samba/printers
> > read only = yes
> > browseable = yes
> > force group = noyle
> > write list = @noyle root
> > guest ok = yes
> > inherit permissions = yes
> >
> > [profiles]
> > path = /var/lib/samba/profiles
> > browseable = no
> > read only = No
> > guest ok = yes
> > writable = yes
> > create mask = 0600
> > directory mask = 0700
> > root preexec = PROFILE='/var/lib/samba/profiles/%u'; if [ ! -e $PROFILE ]; \
> > then mkdir -pm700 $PROFILE; chown '%u':'%g' $PROFILE;fi
> >
> >
>
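
Added example, not part of the original thread: a small log triage script for the `_net_auth2: failed to get machine password` message quoted above, grouping failures by machine account and listing accounts that fail on more than one day (the "re-joined, then failed again" case described in the post). The sample log is constructed, apart from its first line, which is the one from the post; `WS-EXAMPLE01$` and the function names are made up for illustration.

```python
import re

# Matches the smbd syslog message quoted in the post (one physical line per event).
NETAUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+smbd\[\d+\]:\s+"
    r"_net_auth2: failed to get machine password for account "
    r"(?P<account>\S+): (?P<status>NT_STATUS_\w+)"
)

# Constructed sample input; only the first line comes from the post.
SAMPLE_LOG = """\
Nov 24 19:39:01 server smbd[10339]: _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
Nov 24 19:39:04 server smbd[10339]: _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
Nov 26 08:02:17 server smbd[11872]: _net_auth2: failed to get machine password for account WS-EXAMPLE01$: NT_STATUS_ACCESS_DENIED
Nov 27 07:58:40 server smbd[12001]: _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
Nov 27 08:00:00 server nmbd[900]: unrelated line
"""


def summarize(log_text):
    """Return {account: {count, first, last, days, statuses}} for matching lines."""
    summary = {}
    for line in log_text.splitlines():
        m = NETAUTH_RE.match(line)
        if not m:
            continue
        ts = " ".join(m.group("ts").split())  # normalise "Nov  4" style padding
        entry = summary.setdefault(
            m.group("account"),
            {"count": 0, "first": ts, "last": ts, "days": set(), "statuses": set()},
        )
        entry["count"] += 1
        entry["last"] = ts  # syslog is appended in time order
        entry["days"].add(" ".join(ts.split()[:2]))
        entry["statuses"].add(m.group("status"))
    return summary


def recurring(summary):
    """Accounts that failed on more than one calendar day."""
    return sorted(a for a, e in summary.items() if len(e["days"]) > 1)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for account, e in sorted(result.items()):
        print(account, e["count"], e["first"], e["last"], sorted(e["statuses"]))
    print("recurring:", recurring(result))
```

To run it against real data, pass the contents of `/var/log/messages` (the file named in the post) to `summarize()` in place of `SAMPLE_LOG`.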