[Samba] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request

Harry Jede walk2sun at arcor.de
Mon Aug 1 11:38:26 MDT 2011

On 19:17:01 wrote Paul Tietjens:
> I am getting errors in my samba logs like "_netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from
> client XXX machine account XXX$" (Host
> log: http://pastebin.com/QXhbngN5).
> So far, machines do seem to join the domain (Machine account is
> created in LDAP, user can log in, etc), but I am concerned that when
> Windows 7 machines reach their 30 days they will begin issuing "trust
> account has expired or is incorrect" messages.
> Since we have a couple thousand machines, I wish to avoid that.  I
> have followed the instructions at
> http://wiki.samba.org/index.php/Windows7 and tried a few other things
> (but have not touched the sign/seal regkeys) and still get these errors
> in the logs when a machine boots and auths any user.  I have updated
> the samba bins from debian backports to run version 3.5.8.
> I have made sure that our DNS server registers the machine account
> with hostname.DOMAIN, have tried turning off/on ntlmv2 on the server
> and using gpedit on the client, have made sure that time is
> synchronous on the server/client, have removed and re-added the
> machine account many times, and have tried some registry hacks like:
> HKLM\System\CCS\Services\TcpIp\Parameters
> Domain: XXX.com
> NV Domain: XXX.com
> Where should I look next?
From your log:
  ldapsam_getsampwsid: Unable to locate SID 
[S-1-5-21-1048866067-1567326443-2860397223-515] count=0
[2011/07/26 12:04:02.543539,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)

So find this group by hand:
ldapsearch -x -LLL sambasid=S-1-5-21-1048866067-1567326443-2860397223-515

Should look like this:
# ldapsearch -x -LLL sambasid=S-1-5-21-2895420538-1884802692-219078741-515
dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2895420538-1884802692-219078741-515
sambaGroupType: 2
displayName: Domain Computers

And you are using Debian with winbind?
Check the status of winbind:

smbcontrol winbind ping
PONG from pid 11761

If you don't get a pong, you are not running winbindd, or you have a broken deb.

cd /var/run/samba
ln -s winbindd-winbindd.conf.pid winbindd.pid

and winbind works :-) .

If you have fixed these two possible issues and things still don't work, check 
your LDAP ACLs. To do this, set the loglevel of slapd to 384 (ACL + FILTER).


	Harry Jede
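
The first check from the reply above as a script, added here as an example (it is not part of the original message or of Samba): it extracts the unresolved SIDs from an smbd log and tests whether `ldapsearch -LLL` output contains a matching sambaGroupMapping entry. The function names are hypothetical, and the sample log and LDIF are constructed with a made-up domain SID.

```shell
#!/bin/sh
# Constructed sample data (not from a real server), shaped like the excerpts above.
SAMPLE_LOG='[2011/07/26 12:04:02.543539,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-1111111111-2222222222-3333333333-515] count=0
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1111111111-2222222222-3333333333-515] count=0
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1111111111-2222222222-3333333333-513] count=0'
SAMPLE_LDIF='dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-515
sambaGroupType: 2'

# Hypothetical helper: read a Samba log on stdin, print each unresolved SID once.
# Lines are joined first because the message may be wrapped before the "[".
missing_sids() {
    tr '\n' ' ' |
        grep -o 'Unable to locate SID *\[S-[0-9-]*\]' |
        grep -o 'S-[0-9-]*' | sort -u
}

# Hypothetical helper: read `ldapsearch -x -LLL "sambaSID=$1"` output on stdin.
# Succeeds only if one entry has that sambaSID, the sambaGroupMapping
# objectClass and a gidNumber, as in the expected output shown above.
has_group_mapping() {
    awk -v sid="$1" '
        function end_entry() { if (s && c && g) ok = 1; s = c = g = 0 }
        /^$/ { end_entry(); next }
        tolower($1) == "sambasid:" && $2 == sid { s = 1 }
        tolower($1) == "objectclass:" && tolower($2) == "sambagroupmapping" { c = 1 }
        tolower($1) == "gidnumber:" && $2 != "" { g = 1 }
        END { end_entry(); exit !ok }
    '
}

# Demo on the samples. On a live system feed the real log to missing_sids and
# replace the printf below with: ldapsearch -x -LLL "sambaSID=$sid"
for sid in $(printf '%s\n' "$SAMPLE_LOG" | missing_sids); do
    if printf '%s\n' "$SAMPLE_LDIF" | has_group_mapping "$sid"; then
        echo "$sid: group mapping present"
    else
        echo "$sid: no sambaGroupMapping entry found"
    fi
done
```

A SID reported as missing here can still exist in the directory but be hidden from Samba's bind DN, which is the LDAP ACL case the reply mentions last.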
