[Samba] Login not possible / machine account issues

Samba Maile dominik.mailinglist at gmail.com
Tue Mar 31 05:17:32 MDT 2015


Hi guys,

About one or two weeks ago I updated my Samba to v4.1.7, which may or
may not be related to the problem at hand.
However, lately we've seen some issues with users not being able to log in to
workstations (Win 7). Windows servers (2008 R2 and newer) were also
affected.
Sometimes one or two reboots would solve these problems; on a few
occasions I had to rejoin the computer account to the domain.

On the workstations and servers I can see this event log entry when
the login problem occurs:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      workstation.sub.domain.tld
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
server "workstation$". The target name used was "WORKSTATION$". This
indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name
(SPN) is registered on an account other than the account the target
service is using. Ensure that the target SPN is only registered on the
account used by the server. This error can also happen if the target
service account password is different than what is configured on the
Kerberos Key Distribution Center for that target service. Ensure that
the service on the server and the KDC are both configured to use the
same password. If the server name is not fully qualified, and the
target domain (SUB.DOMAIN.TLD) is different from the client domain
(SUB.DOMAIN.TLD), check if there are identically named server accounts
in these two domains, or use the fully-qualified name to identify the
server.

Checking samba logs revealed this entry:
log.samba-[2015/03/28 14:48:58.156066,  2]
../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba:  auth_check_password_recv: sam_ignoredomain authentication
for user [DOMAIN\workstation$] FAILED with error
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
log.samba-[2015/03/28 14:48:58.160911,  2]
../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
log.samba:  auth_check_password_recv: sam_ignoredomain authentication
for user [DOMAIN\workstation$] FAILED with error
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
log.samba-[2015/03/28 14:48:58.298127,  2]
../source4/auth/ntlm/auth.c:420(auth_check_password_recv)

I'm not sure where to start debugging.

Setup:
DC-01 (Ubuntu 12.04 LTS)
DC-02 (Ubuntu 12.04 LTS)

Samba Version 4.1.17 (build from sources)
using BIND_DLZ 9.9.5 (Extended Support Version)

The domain was migrated from Samba 3 with classic upgrade.

I'd love to hear any ideas or suggestions.

Thanks in advance.

Regards,

Dominik




## smb.conf
root at XXX-DC-01:~# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = DOMAIN
        realm = sub.domain.tld
        netbios name = XXX-DC-01
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        kccsrv:samba_kcc = false
        tls enabled = yes
        tls certfile = /usr/local/samba/private/tls/XXX-dc-01.pem
        tls keyfile = /usr/local/samba/private/tls/XXX-dc-01-key_nopas.pem
        tls cafile = /usr/local/samba/private/tls/cacert.pem
        tls crlfile = /usr/local/samba/private/tls/domain-samba.crl
        tls dhparams file = /usr/local/samba/private/tls/dcdhparams.pem
        host msdfs = yes
        log level = 2
        syslog = 2
        eventlog list = Application System Security SyslogLinux

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/biochem.dshs-koeln.de/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
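The log excerpt above was wrapped by the mail client and grep prefixed every line with the file name, which makes the failures hard to count by eye. The script below is an added example (not code from the thread or from the Samba project): it parses level-2 `auth_check_password_recv` entries in the on-disk log layout, counts failures per account and NT_STATUS code, lists the machine accounts that hit NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, and decodes a userAccountControl value so the WORKSTATION_TRUST_ACCOUNT bit of a suspect computer object can be checked against what the DC reports. The sample log is constructed from the lines in the post plus invented entries; the account names, timestamps and source line numbers in it are assumptions.

```python
"""Triage helper for Samba auth failures (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample in the on-disk Samba log layout (the mail wrapped the
# originals).  Accounts, timestamps and the :404 line number are made up.
SAMPLE_LOG = """\
[2015/03/28 14:48:58.156066,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\workstation$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2015/03/28 14:48:58.160911,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\workstation$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2015/03/28 14:49:03.001200,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\fileserver$] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/03/28 14:49:10.555000,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/03/28 14:49:11.000000,  5] ../source4/auth/ntlm/auth.c:404(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\\jdoe] succeeded
"""

# "[YYYY/MM/DD HH:MM:SS.usec,  level] file:line(function)" header line
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+(\S+)")
# "... authentication for user [DOMAIN\account] FAILED with error NT_STATUS_X"
FAIL = re.compile(r"authentication for user \[([^\\\]]+)\\([^\]]+)\] FAILED with error (NT_STATUS_\w+)")

# Selected userAccountControl bits (values as defined by Active Directory).
UAC_FLAGS = [
    (0x0002, "ACCOUNTDISABLE"),
    (0x0020, "PASSWD_NOTREQD"),
    (0x0200, "NORMAL_ACCOUNT"),
    (0x0800, "INTERDOMAIN_TRUST_ACCOUNT"),
    (0x1000, "WORKSTATION_TRUST_ACCOUNT"),
    (0x2000, "SERVER_TRUST_ACCOUNT"),
    (0x10000, "DONT_EXPIRE_PASSWORD"),
    (0x80000, "TRUSTED_FOR_DELEGATION"),
]


def parse_auth_failures(text):
    """Return one dict per FAILED entry, carrying the timestamp of its header."""
    entries, timestamp = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            timestamp = head.group(1)   # message lines follow their header
            continue
        fail = FAIL.search(line)
        if fail:
            domain, account, status = fail.groups()
            entries.append({"ts": timestamp, "domain": domain,
                            "account": account, "status": status})
    return entries


def summarize(entries):
    """Count failures per (account, NT_STATUS) pair."""
    return Counter((e["account"], e["status"]) for e in entries)


def suspect_machine_accounts(entries):
    """Machine accounts (trailing '$') denied as workstation trust accounts."""
    return sorted({e["account"] for e in entries
                   if e["account"].endswith("$")
                   and e["status"] == "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT"})


def decode_uac(value):
    """Names of the known userAccountControl bits set in value, low bit first."""
    return [name for bit, name in UAC_FLAGS if value & bit]


def is_workstation_trust(value):
    return bool(value & 0x1000)


if __name__ == "__main__":
    found = parse_auth_failures(SAMPLE_LOG)
    for (account, status), n in summarize(found).most_common():
        print(f"{n:3d}  {account:<16} {status}")
    print("suspect machine accounts:", suspect_machine_accounts(found))
    print("UAC 4096 decodes to:", decode_uac(4096))
```

Feed it the real file with `parse_auth_failures(open('/usr/local/samba/var/log.samba').read())` (path assumed from the prefix used in the post). For each account the script lists, compare the decoded `userAccountControl`, `pwdLastSet` and `msDS-KeyVersionNumber` attributes of its computer object on both DCs, since a machine account whose password or key version differs between the KDC and the host is exactly the mismatch the Windows event text describes.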

