[Samba] windows netlogon error 3224: Manual join works, automatic renew of machine account not, probably unrelated error netlogon_creds_server_check falied.

Marco Gaiarin gaio at sv.lnf.it
Tue Jan 28 10:54:39 MST 2014 

[[ I've sent that email on list some days ago, with a different subject.
   No one reply. I was not clear? Please, help me, or give me at least
   some hint... ]]
[ I'm not subscribed to that list, so please put me on CC; i will read
  reply on the web interface, but please... ]

Setup: a domain (PASIAN) that is using samba3 (2:3.5.6~dfsg-3squeeze11)
across two routed network, eg, a main network on 10.27.0.0/16 that have
the PDC and the BDC, and a slave network on 10.99.0.0/16 that have
another BDC.
All ?DC use ldap (openldap) as the backend, and every server have a
local ldap instance, correctly syncronized.
Also, i've setup WINS on both network, adding statically the records
from other one (at least, for the servers).

Client, mostly Windows XPsp3, but we are migrating to Win 7.

All client (on main and slave network) works as expected: i can join
workstation without trouble, and users change password flawlessy.


Some week ago, for other reason, i've addedd an 'event to syslog' daemon
on one win xp box, and start to catch:

 Jan 14 10:00:19 slimer netlogon[error] 3224 Cambiamento della password del computer per l'accountSLIMER$ non riuscito con il seguente errore: %31 (Una periferica collegata al sistema non \350 in funzione.)

(damned microsoft and the translation of errors, google say me that the
error would be in english: 'A device attached to the system is not
functioning.' Useful as usual. ;-).
After poking with that box, i've realized that ALL the windows machine
on the slave network was not able to update their machine account.

I've treid to remove the box from the domain, and do a new join, and
worked flawlessy.


Some other note:

1) name resolution seems to work, eg, from the slave BDC kaa:
 root at kaa:~# nmblookup -U 10.99.1.1 -R 'PASIAN#1b'
 querying PASIAN on 10.99.1.1
 10.27.1.5 PASIAN<1b>

2) the PDC on the master network have nothing useful (at least to me)
in the log. The local BDC have:

 [2014/01/20 16:13:50.766661,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client SLIMER machine account SLIMER$

3) the BDC on the slave network seems joined OK:

 root at kaa:~# net rpc testjoin
 Join to 'PASIAN' is OK


Someone can help me? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                    http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
	   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list