[Samba] windows 7 machine account fails to authenticate against samba PDC

graham graham8499 at ymail.com
Wed Feb 3 15:12:33 MST 2010


Gaiseric Vandal wrote on 03/02/2010 19:15:
> it looks like from the log entries that the samba can't find an account
> for the machine. The machine- if it is a domain member- does need to
> have an account. Were you able to join the machine to the domain? if so
> there should be both a samba (windows) account (verify with "pdbedit
> -Lv") and a unix account (verify with "getent passwd.")

Hi Gaiseric, thanks for getting back to me.

Yes, it appeared to join the domain correctly.
There is an appropriate machine account and entry in /etc/passwd, and it
looks identical to a working xp client's:


pdbedit -Lv:

Unix username:        XPHOST$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-764034647-1846980996-1928349337-1028
Primary Group SID:    S-1-5-21-764034647-1846980996-1928349337-513
Full Name:            XPHOST$
Home Directory:
HomeDir Drive:
Logon Script:         logon.bat
Profile Path:
Domain:               SMBDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Tue, 19 Jan 2010 12:21:19 GMT
Password can change:  Tue, 19 Jan 2010 12:21:19 GMT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        WIN7HOST$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-764034647-1846980996-1928349337-1031
Primary Group SID:    S-1-5-21-764034647-1846980996-1928349337-513
Full Name:            WIN7HOST$
Home Directory:
HomeDir Drive:
Logon Script:         logon.bat
Profile Path:
Domain:               SMBDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Tue, 02 Feb 2010 19:04:05 GMT
Password can change:  Tue, 02 Feb 2010 19:04:05 GMT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

getent passwd:
XPHOST$:x:1011:102:Machine:/dev/null:/bin/false
WIN7HOST$:x:1012:102:Machine:/dev/null:/bin/false


>
>
>
>
> On 02/03/10 12:42, graham wrote:
>> Gaiseric Vandal wrote on 03/02/2010 17:27:
>>> What samba version?
>>
>> version 3.4.5
>>
>>
>>> After you login from Win 7 can you actually open
>>> and save files?
>>
>> yes. I'm not familiar enough with smb etc. to understand why the
>> machine itself is trying to authenticate in addition to the user, and
>> whether it matters.
>>
>>
>>> It does seem like it is trying to reauthenticate as an
>>> active directory client.
>>>
>>> Maybe config samba to only listen on port 139 and not 445 ("smb ports"
>>> in smb.conf.) That might force the Win 7 client to treat the samba
>>> server as a "NT4" server. I believe port 445 is for Smb-over-tcp while
>>> 139 is for smb-over-netbios-over-tcp.
>>
>> I do have that set.
>> For completeness, the [global] config is:
>> workgroup = SMBDOMAIN
>> netbios name = SAMBASERVER
>> server string =
>> map to guest = Bad User
>> username map = /etc/samba/username-map
>> restrict anonymous = 1
>> log level = 1
>> smb ports = 139
>> name resolve order = wins lmhosts
>> time server = Yes
>> printcap name = cups
>> add machine script = /usr/sbin/useradd -d /dev/null -g sambausers -c
>> Machine -s /bin/false %u
>> logon script = logon.bat
>> logon path =
>> logon home =
>> domain logons = Yes
>> os level = 65
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>>
>>
>>
>>
>>> On 02/03/10 12:09, graham wrote:
>>>> Hello all,
>>>>
>>>> I've added my windows7 client to the domain (samba running as pdc),
>>>> having applied the registry changes identified here
>>>> (http://wiki.samba.org/index.php/Windows7).
>>>>
>>>> Partial success - domain users can login and see shares etc, BUT:
>>>>
>>>> 1 - the registry settings in ntlogon/NTConfig.POL are not applied. Am
>>>> I right in thinking that windows 7 ignores this policy?
>>>> And if so I therefore need to put the appropriate registry settings
>>>> into a logon script?
>>>>
>>>>
>>>> 2 - every time a domain user logs in to the windows7 host smbd reports
>>>> an error:
>>>>
>>>> [2010/02/02 19:07:51, 0]
>>>> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>>>> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
>>>> Rejecting auth request from client WIN7HOST machine account WIN7HOST$
>>>> [2010/02/02 19:07:52, 0] auth/auth_sam.c:355(check_sam_security)
>>>> check_sam_security: make_server_info_sam() failed with
>>>> 'NT_STATUS_NO_SUCH_USER'
>>>>
>>>> This only occurs for the windows7 client (not XP clients).
>>>> What does this mean, is it a problem, and how do I fix it?!
>>>>
>>>>
>>>> 3 - periodic errors reported by nmbd:
>>>> Packet send failed to 192.168.10.8(138) ERRNO=Operation not permitted
>>>>
>>>> That's the ipaddress of the windows7 client.
>>>> Actually, looking back in the logs I see this has occasionally
>>>> happened for all but one of the xp clients too.
>>>> Again, what does this error mean, is it a problem, how would I fix it?
>>>>
>>>>
>>>> 4 - windows7 client bombards the server on port 389 (ldap)
>>>> No idea why, no other (xp) clients do this. I'm guessing it /might/ be
>>>> part of question 2 above, i.e. maybe the win7 client is trying to
>>>> authenticate against ldap??
>>>>
>>>> rgds all,
>>>> graham.
>>>>
>>>
>>
>>
>
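
Added example (not part of the original message and not Samba code): the check suggested in the quoted reply, that every machine account has both a Samba entry and a Unix entry, run over the "pdbedit -Lv" and "getent passwd" output pasted above. The function names and the NEWHOST$ record are assumptions made for illustration; the field names and the two real accounts come from the message.

```python
# Sample text trimmed from the outputs quoted in the message; NEWHOST$ is
# constructed here to show a failing case.
PDBEDIT_LV = """\
Unix username:        XPHOST$
Account Flags:        [W          ]
---------------
Unix username:        WIN7HOST$
Account Flags:        [W          ]
---------------
Unix username:        NEWHOST$
Account Flags:        [WD         ]
"""
GETENT_PASSWD = """\
XPHOST$:x:1011:102:Machine:/dev/null:/bin/false
WIN7HOST$:x:1012:102:Machine:/dev/null:/bin/false
"""

def parse_pdbedit(text):
    """Split `pdbedit -Lv` output into one {field: value} dict per account."""
    records, current = [], {}
    for line in text.splitlines():
        if line.strip() and set(line.strip()) == {"-"}:  # record separator
            records.append(current)
            current = {}
        elif ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    records.append(current)
    return [r for r in records if r]

def check_machine_accounts(pdbedit_text, passwd_text):
    """Return {account: [problems]} for every Samba account ending in '$'."""
    unix_names = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l.strip()}
    report = {}
    for rec in parse_pdbedit(pdbedit_text):
        name = rec.get("Unix username", "")
        if not name.endswith("$"):
            continue  # ordinary user account, not a machine trust account
        flags = set(rec.get("Account Flags", "").strip("[]").replace(" ", ""))
        report[name] = [msg for bad, msg in (
            ("W" not in flags, "not flagged as workstation trust [W]"),
            ("D" in flags, "account disabled [D]"),
            (name not in unix_names, "no Unix account in getent passwd"),
        ) if bad]
    return report

if __name__ == "__main__":
    for account, problems in check_machine_accounts(PDBEDIT_LV, GETENT_PASSWD).items():
        print(account, "OK" if not problems else "; ".join(problems))
```

Both accounts from the message pass this check, so it only rules out a missing or disabled account; it says nothing about the netlogon credential check that appears in the smbd log.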



