[Samba] Machine auth request rejected
samba1 at nym.hush.com
Fri Dec 6 05:04:38 MST 2013
I thought I had this working when I tested it a few months ago with
a different test server, but I’ve tried everything from my previous
notes, and can’t get it to work now.
I’m replacing a Samba 3.0.10 Unix server with a SerNet Samba 4.1.2
Debian Wheezy server. The new server has to look exactly the same
to the existing workstations. The workstations are all running
Windows XP Pro.
I’ve set up the new server, and on a separate test network
configured it so that it has the same IP address, name and domain
etc as the old server. I set SAMBA_START_MODE “classic” in
/etc/default/sernet-samba. My smb.conf seems fine.
On the server I’ve created unix users, groups and machines with the
same passwords, UIDs and GIDs as on the old server, and added users
and machines to the relevant groups. I’ve created samba passwords
for the users and machines.
The server has the same local and domain SIDs as the existing
I’ve mapped NT groups to Unix groups:
net groupmap add rid=512 unixgroup=d-admin ntgroup="Domain Admins"
net groupmap add rid=513 unixgroup=d-user ntgroup="Domain Users"
net groupmap add rid=514 unixgroup=nobody ntgroup="Domain Guests"
net groupmap add rid=515 unixgroup=xp-name ntgroup="Domain
On my test PC which had been logging in to the existing server, I
checked the user SID, and also ran ‘pdbedit -L -v’ on the existing
server to verify. I issued the following command to set the user
SIDs to be the same on the new server:
pdbedit -r -U 1252 -u carol
pdbedit -r -U 1396 -u xppc072$
pdbedit -L -v -u xppc072$ returns the same on both servers.
However, when I try to login from the test PC to the new server,
the Samba log file for the machine says
‘netlogon_creds_server_check failed. Reject auth request from
client XPPC072 machine account XPPC072$’.
On another test machine I was able to login after taking the
machine off the domain (setting it to a workgroup) then adding it
back to the domain. However, the system has more than 60
computers, and in the past I’ve found that dabbling with a PC's
domain membership can muck up a user’s local profile, needing quite
a bit of work to resolve. I can’t risk this sort of thing when
switching to the new server.
I had a look at the Microsoft XP Support Tool called netdom.exe
thinking that might let me more easily reregister a computer on the
domain if that might be required, but I can’t get it to work. I’ve
also seen a product called ForensIT User Profile Wizard, but I’m
not sure if that would be of use in this situation.
In any event, I’d prefer to get the new server configured so that
no intervention is needed on any of the workstations.
I’d appreciate some help with this. I’m (hopefully) probably
missing something obvious!