[Samba] Machine account reject - additional troubleshooting

Martin Hochreiter linuxbox at wavenet.at
Sun Sep 12 10:53:08 MDT 2010

  knows more about that windows 7 - samba 3.5.4 - ldap problem

> than pleaaassse state something...
> Hi Martin,
> I'm afraid that I don't have any information to offer you.  But I want to add
> that our setup is very similar to yours.  Samba DC with an OpenLDAP
> backend (except our version of Samba is 3.4.8).  Client machines are a mix
> of Windows XP and Windows 7.  And we are seeing the same error messages in
> the logs.  Your comment regarding changing the domain admin username and
> password is troubling.  I'll have to see if we have the same issue on
> Monday.
> -Bryan
Hello Bryan!

That's one of my big problems with that issue of Windows 7 and samba - no one has really at least a good explanation what's happening here ..

(Unfortunately it is not the only problem with win 7 - roaming profile behaviour makes me crazy ... but that is another story)

I don't really know the consequences of the machine rejects - the users can work normally, what I do see is that sometimes domain admin password changes are not propagated to those machines and that the Windows 7 firewall is not recognizing the net as "Domain
I think that the machine password change (the automatic change) failure - clients lose their trustship - can have to do with that problem.
But that's "all" impacts, besides the fact that the machine is not in the domain because the controller refuses it.

I will try to play around with the "LAN Manager authentication level" and "Minimum session security for NTLM SSP" tomorrow (http://www.tomshardware.com/forum/75-63-windows-samba-issue) - maybe these two GP settings have an impact on that.
(My last suspicion is that win7 is doing the machine authentication in a different (encryption) way than the XP machines are doing that, as XP machines do not have that problem)

The other thing is that I had a little conversation with Greg Dickie, who is obviously running the same setting as I do, and he solved the problems by simply making the ldap client entries visible to the linux system as normal users (getent passwd) ... but I have had these settings since I have been using samba-ldap.
Second story is that I read a few times on some boards in the net that this issue may be related to samba-ldap combinations only - which makes me think that something is wrong about the way passwords are stored in ldap.

So, enough of my thoughts on that problem - maybe my ideas on that could help someone lead us to solve that problem.

