[Samba] Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386

Rubin Bennett rbennett at thatitguy.com
Fri Nov 30 01:58:03 GMT 2007


I've done that, and we'll wait and see I suppose... I *really* hate
waiting for the other shoe to drop though.

FWIW, I did some more digging and came up with a couple systems that
show the following when I run pdbedit -Lv:

Password must change: 0

Any idea as to why those show a 0 value and the rest either say "never"
or have some huge value for seconds since the epoch that the password in
theory will need to be changed?

Thanks again,
Rubin

On Thu, 2007-11-29 at 18:22 -0500, simo wrote:
> First of all update to 3.0.27a, 3.0.27 had a regression in the security
> fix that prompted that release.
> 
> Simo.
> 
> On Tue, 2007-11-27 at 12:46 -0500, Rubin Bennett wrote:
> > Hello all...
> > 
> > I have a site of about 50 pcs connected to a Samba domain controller.
> > The domain has been running flawlessly for several years through several
> > upgrades, and the last one (From Fedora Core 4/ Samba 3.0.23a to FC7/
> > Samba 3.0.27) seems to have caused something to come unglued.
> > 
> > The Workstations are periodically booting up in the morning and being
> > unable to contact the domain controller.  The Samba server is giving
> > failed authentication errors for the workstation itself (not the
> > username/ password) in log.{workstation}.
> > 
> > The upgrade was done nearly a month ago, and roughly 1/2 of the
> > workstations in the network were unable to connect the following
> > morning.  It happened again last week and about 10 more workstations
> > were affected.  And it happened again today, where 1 workstation and a
> > member server (Win2003r2) lost their credentials.  This time it was a
> > really bad deal because the member server runs an application that is
> > mission critical and therefore no one was able to work until it was
> > fixed.
> > 
> > In all cases, the users are able to log in by disconnecting their
> > network cable and rebooting, then logging in with the cached credentials
> > on the workstations.  Reconnecting the NIC after login allowed the users
> > to connect to network resources on the Samba PDC, and work until a
> > reboot.  A 'permanent' fix is to unjoin the PC from the domain and
> > rejoin again.
> > 
> > I had assumed that the issue was caused by the upgrade somehow, and that
> > once every system had been re-joined it would go away.  However, the
> > workstation from this morning had been unjoined and rejoined once before
> > and now I fear that the issue will keep cropping up all over the place.
> > 
> > Ideas, suggestions, flames?  I've copied my smb.conf below for your
> > review as well.
> > 
> > Thanks very much in advance,
> > Rubin
> > 
> > /etc/samba/smb.conf
> > [global]
> >   workgroup = WORKGROUP
> >   netbios name = Server
> >   server string = Network File Server
> >   printcap name = cups
> >   enable privileges = yes
> >   load printers = yes
> >   printcap cache time = 60
> >   printing = cups
> >   keepalive = 10000
> >   log file = /var/log/samba/log.%m
> >   max log size = 50
> > 
> >   log level = 3
> >   security = user
> >   encrypt passwords = Yes
> >   map to guest = bad user
> >   os level = 65
> >   domain master = yes
> >   preferred master = yes
> >   passdb backend = tdbsam
> > 
> >   pam password change = yes
> >   socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
> >   add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /bin/false -M  %u
> > 
> >   oplocks = no
> >   level2 oplocks = no
> >   domain logons = Yes
> >   logon script = login%G.bat
> >   logon drive = Z:
> >   logon home = \\server\%U
> >   logon path = \\server\profiles\%U
> >   wins support = Yes
> >   name resolve order = wins hosts bcast
> >   hide unreadable = Yes
> > 
> > # Added in an attempt to fix broken tdbsam backend...
> >   idmap uid = 10000-20000
> >   idmap gid = 10000-20000
> > 
> >   dns proxy = yes
> > 
> > #============================ Share Definitions ==============================
> > [homes]
> >   comment = Home Directories
> >   create mask = 0700
> >   directory mask = 0700
> >   browseable = No
> >   writable = yes
> > 
> >  [netlogon]
> >    comment = Netlogon Scripts
> >    path = /var/lib/samba/netlogon
> >    comment = Network Logon Service
> >    path = /var/lib/samba/netlogon
> >    guest ok = yes
> >    writable = no
> > 
> > [printers]
> >   comment = All Printers
> >   path = /var/spool/samba
> >   browseable = no
> >   guest ok = yes
> >   writable = no
> >   printable = yes
> >   create mode = 0700
> >   ;print command = lpr-cups -P %p -o raw %s -r
> >    use client driver = yes
> > 
> > [print$]
> >   path = /var/lib/samba/printers
> >   read only = yes
> >   browseable = yes
> >   force group = noyle
> >   write list = @noyle root
> >   guest ok = yes
> >   inherit permissions = yes
> > 
> > [profiles]
> >   path = /var/lib/samba/profiles
> >   browseable = no
> >   read only = No
> >   guest ok = yes
> >   writable = yes
> >   create mask = 0600
> >   directory mask = 0700
> >   root preexec = PROFILE='/var/lib/samba/profiles/%u'; if [ ! -e $PROFILE ]; \
> >                 then mkdir -pm700 $PROFILE; chown '%u':'%g' $PROFILE;fi
> > 
> > 
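
To list every account whose `pdbedit -Lv` record shows the `Password must change: 0` value mentioned at the top of this message, and to tell machine trust accounts from user accounts, the listing can be filtered as below. This is an added example, not part of the original post; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The sample records are constructed.

# Read `pdbedit -Lv` output on stdin and print one line per account:
#   <class><TAB><type><TAB><unix username>
# class: zero | never | dated   (the "Password must change" value)
# type:  machine when Account Flags contain W (workstation trust), else user
classify_must_change() {
    awk '
        function value(line) {            # text after the first "label:"
            sub(/^[^:]*:[ \t]*/, "", line)
            sub(/[ \t\r]+$/, "", line)
            return line
        }
        BEGIN                    { type = "user" }
        /^-+$/                   { user = ""; type = "user" }   # record separator
        /^Unix username:/        { user = value($0) }
        /^Account Flags:/        { type = (index(value($0), "W") > 0) ? "machine" : "user" }
        /^Password must change:/ {
            v = value($0)
            class = (v == "0") ? "zero" : ((v == "never") ? "never" : "dated")
            printf "%s\t%s\t%s\n", class, type, user
        }
    '
}

# Constructed sample in the layout of `pdbedit -Lv` (fields trimmed for brevity).
sample_listing() {
    cat <<'EOF'
---------------
Unix username:        ws01$
Account Flags:        [W          ]
Password last set:    Tue, 27 Nov 2007 12:46:00 EST
Password must change: never
---------------
Unix username:        ws02$
Account Flags:        [W          ]
Password last set:    0
Password must change: 0
---------------
Unix username:        alice
Account Flags:        [U          ]
Password last set:    Mon, 05 Nov 2007 09:00:00 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST
EOF
}

sample_listing | classify_must_change
```

Against a live passdb, run `pdbedit -Lv | classify_must_change` as root and compare the `zero` rows with the workstations that lost their trust.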


