[Samba] Re: Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386

Rubin Bennett rbennett at thatitguy.com
Tue Nov 27 23:14:55 GMT 2007


On Wed, 2007-11-28 at 09:36 +1200, Patrick Rynhart wrote:
> Hi Rubin,
> 
> Do you have any trusted domains and (if so) are users logging into a 
> trusted domain ?  If this is the case, I would start smbd, nmbd normally 
> (i.e. as daemons) but then run a single winbindd process in interactive 
> mode, debug level 10.
> 
> i.e.
> 
> winbindd -i -d 10
>
No domain trusts - this is the only DC in a 3 site WAN connected (routed) domain. 

> Check beforehand that no other winbindd processes are running (i.e. ps 
> aux |grep winbindd).  Then I would attempt to logon from a member 
> workstation.  View the debug output to see if you can track any problems. 
>   Ctrl-Z (i.e. background) may help here ("fg" to resume) as there could 
> be a lot of output.
> 
> If you don't have any trusted domains (and therefore aren't running 
> winbindd) then the approach I take is very similar. Start nmbd normally 
> (i.e. as a background daemon) but then run smbd as an interactive 
> process, again in debug level 10 mode.
> 
> i.e.
> 
> smbd -i -d 10
> 
> From what you're describing, there may be a problem with the machine 
> account for the affected machines.  Look for something like 
> NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE or some other NT STATUS code 
> (these are defined in source/include/nterr.h if you happen to have the 
> Samba source on your domain controller).
>
The problem is that exactly this is happening, but to different machines, and totally sporadically.
When it happens, I get lines like the following in my /var/log/messages:

Nov 24 19:39:01 server smbd[10339]:   _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
 
> Regards,
> 
> Patrick


This, at least, is completely consistent - when a system gets 'locked
out' of the domain, it *always* shows lines like above in the logs.

I've Googled fairly extensively for errors as above, but turned up
nothing that seemed particularly applicable to my setup/ issue.

FWIW, I'm not running Winbind at all on the PDC or anywhere else on the network (AFAIK, anyway).

Thanks again,
Rubin

> 
> Rubin Bennett wrote:
> > Hello all...
> > 
> > I have a site of about 50 pcs connected to a Samba domain controller.
> > The domain has been running flawlessly for several years through several
> > upgrades, and the last one (From Fedora Core 4/ Samba 3.0.23a to FC7/
> > Samba 3.0.27) seems to have caused something to come unglued.
> > 
> > The Workstations are periodically booting up in the morning and being
> > unable to contact the domain controller.  The Samba server is giving
> > failed authentication errors for the workstation itself (not the
> > username/ password) in log.{workstation}.
> > 
> > The upgrade was done nearly a month ago, and roughly 1/2 of the
> > workstations in the network were unable to connect the following
> > morning.  It happened again last week and about 10 more workstations
> > were affected.  And it happened again today, where 1 workstation and a
> > member server (Win2003r2) lost their credentials.  This time it was a
> > really bad deal because the member server runs an application that is
> > mission critical and therefore no one was able to work until it was
> > fixed.
> > 
> > In all cases, the users are able to log in by disconnecting their
> > network cable and rebooting, then logging in with the cached credentials
> > on the workstations.  Reconnecting the NIC after login allowed the users
> > to connect to network resources on the Samba PDC, and work until a
> > reboot.  A 'permanent' fix is to unjoin the PC from the domain and
> > rejoin again.
> > 
> > I had assumed that the issue was caused by the upgrade somehow, and that
> > once every system had been re-joined it would go away.  However, the
> > workstation from this morning had been unjoined and rejoined once before
> > and now I fear that the issue will keep cropping up all over the place.
> > 
> > Ideas, suggestions, flames?  I've copied my smb.conf below for your
> > review as well.
> > 
> > Thanks very much in advance,
> > Rubin
> > 
> > /etc/samba/smb.conf
> > [global]
> >   workgroup = WORKGROUP
> >   netbios name = Server
> >   server string = Network File Server
> >   printcap name = cups
> >   enable privileges = yes
> >   load printers = yes
> >   printcap cache time = 60
> >   printing = cups
> >   keepalive = 10000
> >   log file = /var/log/samba/log.%m
> >   max log size = 50
> > 
> >   log level = 3
> >   security = user
> >   encrypt passwords = Yes
> >   map to guest = bad user
> >   os level = 65
> >   domain master = yes
> >   preferred master = yes
> >   passdb backend = tdbsam
> > 
> >   pam password change = yes
> >   socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
> >   add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /bin/false -M  %u
> > 
> >   oplocks = no
> >   level2 oplocks = no
> >   domain logons = Yes
> >   logon script = login%G.bat
> >   logon drive = Z:
> >   logon home = \\server\%U
> >   logon path = \\server\profiles\%U
> >   wins support = Yes
> >   name resolve order = wins hosts bcast
> >   hide unreadable = Yes
> > 
> > # Added in an attempt to fix broken tdbsam backend...
> >   idmap uid = 10000-20000
> >   idmap gid = 10000-20000
> > 
> >   dns proxy = yes
> > 
> > #============================ Share Definitions ==============================
> > [homes]
> >   comment = Home Directories
> >   create mask = 0700
> >   directory mask = 0700
> >   browseable = No
> >   writable = yes
> > 
> >  [netlogon]
> >    comment = Netlogon Scripts
> >    path = /var/lib/samba/netlogon
> >    comment = Network Logon Service
> >    path = /var/lib/samba/netlogon
> >    guest ok = yes
> >    writable = no
> > 
> > [printers]
> >   comment = All Printers
> >   path = /var/spool/samba
> >   browseable = no
> >   guest ok = yes
> >   writable = no
> >   printable = yes
> >   create mode = 0700
> >   ;print command = lpr-cups -P %p -o raw %s -r
> >    use client driver = yes
> > 
> > [print$]
> >   path = /var/lib/samba/printers
> >   read only = yes
> >   browseable = yes
> >   force group = noyle
> >   write list = @noyle root
> >   guest ok = yes
> >   inherit permissions = yes
> > 
> > [profiles]
> >   path = /var/lib/samba/profiles
> >   browseable = no
> >   read only = No
> >   guest ok = yes
> >   writable = yes
> >   create mask = 0600
> >   directory mask = 0700
> >   root preexec = PROFILE='/var/lib/samba/profiles/%u'; if [ ! -e $PROFILE ]; \
> >                 then mkdir -pm700 $PROFILE; chown '%u':'%g' $PROFILE;fi
> > 
> > 
> 
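Added example, not part of the original message or of Samba: a small parser for the `_net_auth2: failed to get machine password` lines quoted above, which tallies failures per machine account and per day so sporadic lockouts can be lined up against reboots or upgrades. The function names are hypothetical, and every sample line other than the one quoted in the thread is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the message. Only the
# first line comes from the thread; the other accounts, PIDs and the second
# status code are made up to exercise the parser.
SAMPLE_LOG = """\
Nov 24 19:39:01 server smbd[10339]:   _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
Nov 24 19:39:07 server smbd[10339]:   _net_auth2: failed to get machine password for account SYSTEM$: NT_STATUS_ACCESS_DENIED
Nov 26 07:58:12 server smbd[11872]:   _net_auth2: failed to get machine password for account WS-EXAMPLE01$: NT_STATUS_ACCESS_DENIED
Nov 26 08:01:44 server nmbd[2210]:   Samba name server SERVER is now a local master browser
Nov 27 08:03:30 server smbd[12001]:   _net_auth2: failed to get machine password for account WS-EXAMPLE02$: NT_STATUS_NO_SUCH_USER
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smbd\[\d+\]:\s+"
    r"_net_auth2: failed to get machine password for account "
    r"(?P<acct>\S+?): (?P<status>NT_STATUS_\w+)\s*$"
)

def parse_failures(lines):
    """Yield (timestamp, account, status) for each machine-password failure."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield m.group("ts"), m.group("acct"), m.group("status")

def summarize_failures(lines):
    """Per machine account: failure count, first/last timestamp, status codes."""
    summary = {}
    for ts, acct, status in parse_failures(lines):
        entry = summary.setdefault(
            acct, {"count": 0, "first": ts, "last": ts, "statuses": set()})
        entry["count"] += 1
        entry["last"] = ts  # syslog is in time order, so the latest line wins
        entry["statuses"].add(status)
    return summary

def accounts_by_day(lines):
    """Map 'Mon DD' to the sorted machine accounts that failed on that day."""
    days = defaultdict(set)
    for ts, acct, _ in parse_failures(lines):
        days[" ".join(ts.split()[:2])].add(acct)
    return {day: sorted(accts) for day, accts in days.items()}

if __name__ == "__main__":
    for acct, e in summarize_failures(SAMPLE_LOG.splitlines()).items():
        print(acct, e["count"], e["first"], e["last"], sorted(e["statuses"]))
    print(accounts_by_day(SAMPLE_LOG.splitlines()))
```

To run it against a real log, pass `open("/var/log/messages")` to either function in place of the sample lines.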


