[Samba] Problem joining 3.6.22 domain when a service connects to a share before logon

Bill Arlofski waa-samba at revpol.com
Wed Mar 12 17:29:27 MDT 2014 

Hi everyone.

We have recently come across an interesting issue after upgrading from
3.6.16 to 3.6.22.

Since we can't currently upgrade to 4.x and we have Win7 machines on
site, we implemented a 3rd party product called "Nitrobit Group Policy"
which has been working very well since last Summer.

On startup, before the login prompt it connects to a share to read in
the machine policies. After login, it checks same share for user-based
policies. All works well. But wait there's more :)

We are using FOG (Free Open Source Ghost) to image machines. One of the
features of the FOG service is that on first startup, it will rename the
machine, and also join the domain. This was all working fine - up until
we upgraded to Samba 3.6.22 in February.

The error in the FOG log we are getting now when the FOG service tries
to join the domain now is:

ERROR_SESSION_CREDENTIAL_CONFLICT
1219 (0x4C3)
Multiple connections to a server or shared resource by the same user,
using more than one user name, are not allowed. Disconnect all previous
connections to the server or shared resource and try again.

So, I am thinking that something changed recently in Samba where it is
holding open share connections longer than previously when the Nitrobit
client reads its policy file. So when the FOG service tries to join
domain, it is not allowed to.  This is only a guess at this point.

Removing the Nitrobit client fixes this problem, and and the FOG service
is able to join the domain once again, error free.

We can not go back to an earlier Samba version due to critical security
patches in the .22 release running now.   (I see 3.6.23 is also an
important security patch we will need to install shortly :)

I read all the changelogs from 3.6.16 to 3.6.22 and can not decipher if
any of those changes relate to this issue.

Any thoughts?  Can anyone correlate a specific changelog entry with the
issue I described?

Any help would be appreciated.


--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
-- Not responsible for anything below this line --

More information about the samba mailing list