[Samba] Server Upgrade

Grahame Jordan gbj at theforce.com.au
Wed Jun 10 23:26:54 GMT 2009 

Hi,

I have just upgraded our server.
Ubuntu 9.04
Samba 2:3.3.2-1ubuntu3

I gave samba a few tests and it seemed to work OK so I went ahead.

Next day Users lost there roaming profile and were logged into a local
profile.
So I rejoined them to the domain. This worked OK - sort of.

I am using smbpasswd file and noticed that suddenly the passwords were
getting changed by something and became the Unix password.
Didn't ask for this as I have in some cases a better passwords for email
accounts and weak passwords for Windows users.
I think that I have tracked it down to /etc/pam.d/common-auth
Commented out: auth  optional                        pam_smbpass.so migrate
However the passwords are no longer changing but something is still
updating the smbpasswd file which did not happen before the upgrade.
Question:. What is modifying smbpasswd and why, is it required?

Probably caused myself lots of trouble by creaming /var/lib/samba/*tdb
and changing parameters in /etc/samba/smb.conf as part of the process of
putting out fires.

OK so now things are working OK for many users but some machines keep on
dropping off the domain.
I can tell which ones as I see by:
tail -n1 -f /var/log/samba/* | grep netlogon_creds_server_check

_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting
auth request from client GRINDING-3 machine account GRINDING-3$
_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting
auth request from client GB-SUPERVISOR machine account GB-SUPERVISOR$
_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting
auth request from client GLASSBLOWING4 machine account GLASSBLOWING4$
_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting
auth request from client QC3 machine account QC3$

It seems to be a few machines but not all that are repeat offenders.
This may coincide with when I commented out: auth
optional                        pam_smbpass.so migrate


This is obviously driving me nuts because it is embarrassing after an
upgrade to have instability and it takes time to rejoin the domain for
each offending machine.

Help is much appreciated

Thanks

Grahame Jordan

More information about the samba mailing list