[Samba] Samba rejecting Machine account auth requests

Julien Savoie julien.savoie at usainteanne.ca
Fri Jun 21 20:08:41 MDT 2013 

On 13/06/13 12:37 AM, Julien Savoie wrote:
> On 21/08/12 11:46 AM, John Drescher wrote:
>>> I have a samba domain with over 100 machines in it. For some reason every
>>> 30-35
>>> days, 2 of the machines fail the trust relationship at login and need to be
>>> removed from the domain and rejoined.
>>>
>>> In the logs I see the following:
>>>
>>> [2012/08/21 07:55:52.981302,  0]
>>> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>>>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
>>> auth request from client RED-TEAM machine account RED-TEAM$
>>>
>>> I am running samba 3.6.6 on a Centos-5 machine.
>>>
>>> Does anyone have any suggestions on what could cause this or how to
>>> troubleshoot this problem?
>>>
>> I believe the problem is caused when the machine changes the password
>> and no user is logged in at that time. To avoid this issue I have
>> disabled the machines from changing their passwords via the registry.
>>
> I'm also experiencing this issue in production here.  It appears to be a
> "new" problem and didn't happen with my older version of Samba (3.5.6 on
> Debian squeeze)
>
> Jun 13 00:23:49 ldap smbd[5241]: [2013/06/13 00:23:49.807899,  0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> Jun 13 00:23:49 ldap smbd[5241]:   _netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from client
> HFX-B0253 machine account HFX-B0253$
>
> I'm on Debian wheezy running Samba 3.6.6
>
> # pdbedit -u HFX-B0253$ -v
> Unix username:        hfx-b0253$
> NT username:          hfx-b0253$
> Account desc:         Computer
> Password last set:    Thu, 02 May 2013 18:03:19 ADT
> Password can change:  Thu, 02 May 2013 18:03:19 ADT
> Password must change: never
>
> It's as if machine account password changes stopped functioning.
Rejoined machines to the domain, 7 days later this is reoccurring.

#  pdbedit -u acct$ -v
Unix username:        acct$
NT username:          acct$
Password last set:    Wed, 12 Jun 2013 22:35:21 ADT
Password can change:  Wed, 12 Jun 2013 22:35:21 ADT
Password must change: never


rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client ACCT machine account ACCT$
[2013/06/12 22:35:21.461137,  0]
rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)

Anyone have any idea why this might not be working?  I haven't changed anything in the configuration files between Samba 3.5.6 and 3.6.6.

More information about the samba mailing list