[Samba] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request
Harry Jede
walk2sun at arcor.de
Mon Aug 1 11:38:26 MDT 2011
On 19:17:01 wrote Paul Tietjens:
> I am getting errors in my samba logs like "_netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from
> client XXX machine account XXX$" (Host
> log: http://pastebin.com/QXhbngN5).
>
> So far, machines do seem to join the domain (Machine account is
> created in LDAP, user can log in, etc), but I am concerned that when
> Windows 7 machines reach their 30 days they will begin issuing "trust
> account has expired or is incorrect" messages.
>
> Since we have a couple thousand machines, I wish to avoid that. I
> have followed the instructions at
> http://wiki.samba.org/index.php/Windows7 and tried a few other things
> (but have not touched the sign/seal regkeys) and still get these errors
> in the logs when a machine boots and auths any user. I have updated
> the samba bins from debian backports to run version 3.5.8.
>
> I have made sure that our DNS server registers the machine account
> with hostname.DOMAIN, have tried turning off/on ntlmv2 on the server
> and using gpedit on the client, have made sure that time is
> synchronous on the server/client, have removed and re-added the
> machine account many times, and have tried some registry hacks like:
> HKLM\System\CCS\Services\TcpIp\Parameters
> Domain: XXX.com
> NV Domain: XXX.com
>
> Where should I look next?
From your log:
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-1048866067-1567326443-2860397223-515] count=0
[2011/07/26 12:04:02.543539, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
So find this group by hand:
ldapsearch -x -LLL sambasid=S-1-5-21-1048866067-1567326443-2860397223-515
Should look like this:
# ldapsearch -x -LLL sambasid=S-1-5-21-2895420538-1884802692-219078741-515
dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2895420538-1884802692-219078741-515
sambaGroupType: 2
displayName: Domain Computers
And you are using Debian with winbind?
Check the status of winbind:
smbcontrol winbind ping
PONG from pid 11761
If you don't get a pong, you are not running winbindd, or you have a broken deb.
cd /var/run/samba
ln -s winbindd-winbindd.conf.pid winbindd.pid
and winbind works :-) .
If you have fixed these two possible issues and things still don't work, check
your LDAP ACLs. To do this set the loglevel of slapd to 384 (ACL + FILTER).
--
Regards
Harry Jede
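
The log check from the reply above, as an added example that is not part of the original post: it pulls every SID that ldapsam_getsampwsid could not resolve out of a Samba log, names the well-known RID, and prints the ldapsearch to run by hand. The function names and the sample log (built from the excerpt quoted in the reply) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Well-known domain RIDs; any other RID is reported as "unknown".
rid_name() {
    case "$1" in
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        515) echo "Domain Computers" ;;
        *)   echo "unknown" ;;
    esac
}

# Read a Samba log on stdin and print each unresolved SID once.
# The SID may be on the message line or, when the line is wrapped, on the next one.
unresolved_sids() {
    awk '
        /ldapsam_getsampwsid: Unable to locate SID/ { pending = 2 }
        pending > 0 {
            if (match($0, /S-1-5-21(-[0-9]+)+/)) {
                sid = substr($0, RSTART, RLENGTH)
                if (!(sid in seen)) { seen[sid] = 1; print sid }
                pending = 0
            } else {
                pending--
            }
        }
    '
}

# For each SID print its RID, the well-known name, and the lookup to run by hand.
report() {
    unresolved_sids | while read -r sid; do
        rid=${sid##*-}
        printf '%s rid=%s (%s)\n  ldapsearch -x -LLL sambasid=%s\n' \
            "$sid" "$rid" "$(rid_name "$rid")" "$sid"
    done
}

# Constructed sample: the excerpt quoted in the reply, repeated once to show de-duplication.
sample_log() {
    cat <<'EOF'
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-1048866067-1567326443-2860397223-515] count=0
[2011/07/26 12:04:02.543539, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1048866067-1567326443-2860397223-515] count=0
EOF
}

sample_log | report
```

Against a real log, pipe the file into report instead of sample_log; a RID of 515 that does not resolve means the Domain Computers group mapping is missing from LDAP.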