[Samba] Samba rejecting Machine account auth requests

"David González Herrera - [DGHVoIP]" info at dghvoip.com
Sat Jun 22 12:02:47 MDT 2013


Hey Marc/List,

Happy to announce that the problem is fixed. It was more my ignorance of
some points, but after some reading and tests I can see this in dig:

root@pve1:~# dig  @10.10.10.9 example.local

; <<>> DiG 9.7.3 <<>> @10.10.10.9 example.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57914
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;example.local.                        IN      A

;; ANSWER SECTION:
example.local.         900     IN      A       2xx.xxx.xxx.xxx
example.local.         900     IN      A       10.10.10.5
example.local.         900     IN      A       10.10.10.15
example.local.         900     IN      A       10.10.10.20
example.local.         900     IN      A       192.168.5.5

;; AUTHORITY SECTION:
example.local.         900     IN      NS samba.example.local.

;; ADDITIONAL SECTION:
samba.example.local.   900     IN      A       10.10.10.5
samba.example.local.   900     IN      A       2xx.xxx.xxx.xxx

;; Query time: 1 msec
;; SERVER: 10.10.10.9#53(10.10.10.9)
;; WHEN: Sat Jun 22 19:53:51 2013
;; MSG SIZE  rcvd: 164

root@pve1:~# dig  @10.10.10.9 example.local

; <<>> DiG 9.7.3 <<>> @10.10.10.9 example.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61873
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;example.local.                        IN      A

;; ANSWER SECTION:
example.local.         900     IN      A       192.168.5.5
example.local.         900     IN      A       2xx.xxx.xxx.xxx
example.local.         900     IN      A       10.10.10.5
example.local.         900     IN      A       10.10.10.15
example.local.         900     IN      A       10.10.10.20

;; AUTHORITY SECTION:
example.local.         900     IN      NS samba.example.local.

;; ADDITIONAL SECTION:
samba.example.local.   900     IN      A       2xx.xxx.xxx.xxx
samba.example.local.   900     IN      A       10.10.10.5

;; Query time: 1 msec
;; SERVER: 10.10.10.9#53(10.10.10.9)
;; WHEN: Sat Jun 22 19:57:02 2013
;; MSG SIZE  rcvd: 164

root@pve1:~# dig  @10.10.10.9 example.local

; <<>> DiG 9.7.3 <<>> @10.10.10.9 example.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28667
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;example.local.                        IN      A

;; ANSWER SECTION:
example.local.         900     IN      A       10.10.10.20
example.local.         900     IN      A       192.168.5.5
example.local.         900     IN      A       2xx.xxx.xxx.xxx
example.local.         900     IN      A       10.10.10.5
example.local.         900     IN      A       10.10.10.15

;; AUTHORITY SECTION:
example.local.         900     IN      NS samba.example.local.

;; ADDITIONAL SECTION:
samba.example.local.   900     IN      A       10.10.10.5
samba.example.local.   900     IN      A       2xx.xxx.xxx.xxx

;; Query time: 0 msec
;; SERVER: 10.10.10.9#53(10.10.10.9)
;; WHEN: Sat Jun 22 19:57:19 2013
;; MSG SIZE  rcvd: 164

My other issue, the inability to add/delete records from the
example.local zone, persists.

Thanks, I hope this can be fixed in the future.

Cheers.

On 6/21/2013 9:08 PM, Julien Savoie wrote:
> On 13/06/13 12:37 AM, Julien Savoie wrote:
>> On 21/08/12 11:46 AM, John Drescher wrote:
>>>> I have a samba domain with over 100 machines in it. For some reason every
>>>> 30-35 days, 2 of the machines fail the trust relationship at login and need
>>>> to be removed from the domain and rejoined.
>>>>
>>>> In the logs I see the following:
>>>>
>>>> [2012/08/21 07:55:52.981302,  0]
>>>> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>>>>    _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
>>>> auth request from client RED-TEAM machine account RED-TEAM$
>>>>
>>>> I am running samba 3.6.6 on a Centos-5 machine.
>>>>
>>>> Does anyone have any suggestions on what could cause this or how to
>>>> troubleshoot this problem?
>>>>
>>> I believe the problem is caused when the machine changes the password
>>> and no user is logged in at that time. To avoid this issue I have
>>> disabled the machines from changing their passwords via the registry.
>>>
>> I'm also experiencing this issue in production here.  It appears to be a
>> "new" problem and didn't happen with my older version of Samba (3.5.6 on
>> Debian squeeze)
>>
>> Jun 13 00:23:49 ldap smbd[5241]: [2013/06/13 00:23:49.807899,  0]
>> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>> Jun 13 00:23:49 ldap smbd[5241]:   _netr_ServerAuthenticate3:
>> netlogon_creds_server_check failed. Rejecting auth request from client
>> HFX-B0253 machine account HFX-B0253$
>>
>> I'm on Debian wheezy running Samba 3.6.6
>>
>> # pdbedit -u HFX-B0253$ -v
>> Unix username:        hfx-b0253$
>> NT username:          hfx-b0253$
>> Account desc:         Computer
>> Password last set:    Thu, 02 May 2013 18:03:19 ADT
>> Password can change:  Thu, 02 May 2013 18:03:19 ADT
>> Password must change: never
>>
>> It's as if machine account password changes stopped functioning.
> Rejoined machines to the domain, 7 days later this is reoccurring.
>
> #  pdbedit -u acct$ -v
> Unix username:        acct$
> NT username:          acct$
> Password last set:    Wed, 12 Jun 2013 22:35:21 ADT
> Password can change:  Wed, 12 Jun 2013 22:35:21 ADT
> Password must change: never
>
>
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>    _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client ACCT machine account ACCT$
> [2013/06/12 22:35:21.461137,  0]
> rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)
>
> Anyone have any idea why this might not be working?  I haven't changed anything in the configuration files between Samba 3.5.6 and 3.6.6.
>
>
>
>


-- 
David Gonzalez
DGHVoIP
USA:
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +57.4.247.0985
URL: www.dghvoip.com
Skype: davidgonzalezh
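
Added example (not part of the thread and not Samba code): a Python parser for the `_netr_ServerAuthenticate3` rejection lines quoted above, in both the raw smbd and syslog-prefixed layouts. It reports the days between repeated rejections per machine account and the days elapsed since the `pdbedit` "Password last set" date. Function names, host names and dates are constructed for illustration; log and pdbedit times are assumed to share a time zone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Optional syslog prefix, e.g. "Jun 13 00:23:49 ldap smbd[5241]: "
SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssmbd\[\d+\]:\s")
# smbd header line: "[2013/06/13 00:23:49.807899,  0] file.c:976(func)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\]")
REJECT = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth "
                    r"request from client (\S+) machine account (\S+)")

def parse_rejections(lines):
    """Map each machine account to the sorted times its auth was rejected."""
    hits, stamp = defaultdict(list), None
    for raw in lines:
        line = SYSLOG.sub("", raw.rstrip("\n"))
        m = HEADER.match(line)
        if m:  # the message text follows on the next, indented line
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        m = REJECT.search(line)
        if m and stamp is not None:
            hits[m.group(2).upper()].append(stamp)
    return {acct: sorted(times) for acct, times in hits.items()}

def rejection_gaps(hits):
    """Whole days between consecutive rejections of the same account."""
    return {a: [(b - c).days for c, b in zip(t, t[1:])] for a, t in hits.items()}

def parse_pdbedit_date(text):
    """Parse e.g. 'Thu, 02 May 2013 18:03:19 ADT'; the zone name is dropped."""
    return datetime.strptime(text.rsplit(" ", 1)[0], "%a, %d %b %Y %H:%M:%S")

def days_from_password_set(hits, last_set):
    """Days from pdbedit 'Password last set' to the first rejection after it."""
    out = {}
    for acct, text in last_set.items():
        since = parse_pdbedit_date(text)
        later = [t for t in hits.get(acct.upper(), []) if t >= since]
        if later:
            out[acct.upper()] = (later[0] - since).days
    return out

# Constructed sample (made-up host, PID and dates): raw smbd, then syslog layout.
SAMPLE_LOG = """\
[2013/03/04 08:15:02.120045,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-DEMO1 machine account WS-DEMO1$
Apr  5 09:01:44 dc1 smbd[4120]: [2013/04/05 09:01:44.500311,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
Apr  5 09:01:44 dc1 smbd[4120]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-DEMO1 machine account WS-DEMO1$
""".splitlines()
```

Running `rejection_gaps(parse_rejections(SAMPLE_LOG))` on real logs shows whether rejections recur at a regular interval per machine, which is the pattern described in the quoted reports.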

