Prev: [Samba] windows 7 machine account fails to authenticate against samba PDC
Next: [Samba] WG: Problem with Excel
From: Gaiseric Vandal on 3 Feb 2010 12:30

What samba version?
After you login from Win 7 can you actually open and save files?
It does seem like it is trying to reauthenticate as an active directory client.

Maybe config samba to only listen on port 139 and not 445 ("smb ports" in smb.conf.) That might force the Win 7 client to treat the samba server as a "NT4" server. I believe port 445 is for Smb-over-tcp while 139 is for smb-over-netbios-over-tcp.

On 02/03/10 12:09, graham wrote:
> Hello all,
>
> I've added my windows7 client to the domain (samba running as pdc),
> having applied the registry changes identified here
> (http://wiki.samba.org/index.php/Windows7).
>
> Partial success - domain users can login and see shares etc, BUT:
>
> 1 - the registry settings in ntlogon/NTConfig.POL are not applied. Am
> I right in thinking that windows 7 ignores this policy?
> And if so I therefore need to put the appropriate registry settings
> into a logon script?
>
>
> 2 - every time a domain user logs in to the windows7 host smbd reports
> an error:
>
> [2010/02/02 19:07:51, 0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client WIN7HOST machine account WIN7HOST$
> [2010/02/02 19:07:52, 0] auth/auth_sam.c:355(check_sam_security)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
>
> This only occurs for the windows7 client (not XP clients).
> What does this mean, is it a problem, and how do I fix it?!
>
>
> 3 - periodic errors reported by nmbd:
> Packet send failed to 192.168.10.8(138) ERRNO=Operation not permitted
>
> That's the ipaddress of the windows7 client.
> Actually, looking back in the logs I see this has occasionally
> happened for all but one of the xp clients too.
> Again, what does this error mean, is it a problem, how would I fix it?
>
>
> 4 - windows7 client bombards the server on port 389 (ldap)
> No idea why, no other (xp) clients do this. I'm guessing it /might/ be
> part of question 2 above ,ie. maybe the win7 client is trying to
> authenticate against ldap??
>
> rgds all,
> graham.
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: graham on 3 Feb 2010 12:50

Gaiseric Vandal wrote on 03/02/2010 17:27:
> What samba version?

version 3.4.5

> After you login from Win 7 can you actually open
> and save files?

yes. I'm not familiar enough with smb etc. to understand why the machine itself is trying to authenticate in addition to the user, and whether it matters.

> It does seem like it is trying to reauthenticate as an
> active directory client.
>
> Maybe config samba to only listen on port 139 and not 445 ("smb ports"
> in smb.conf.) That might force the Win 7 client to treat the samba
> server as a "NT4" server. I believe port 445 is for Smb-over-tcp while
> 139 is for smb-over-netbios-over-tcp.

I do have that set.
For completeness, the [global] config is:

    workgroup = SMBDOMAIN
    netbios name = SAMBASERVER
    server string =
    map to guest = Bad User
    username map = /etc/samba/username-map
    restrict anonymous = 1
    log level = 1
    smb ports = 139
    name resolve order = wins lmhosts
    time server = Yes
    printcap name = cups
    add machine script = /usr/sbin/useradd -d /dev/null -g sambausers -c Machine -s /bin/false %u
    logon script = logon.bat
    logon path =
    logon home =
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes

From: Gaiseric Vandal on 3 Feb 2010 14:20

it looks like from the log entries that the samba can't find an account for the machine. The machine- if it is a domain member- does need to have an account. Were you able to join the machine to the domain? if so there should be both a samba (windows) account (verify with "pdbedit -Lv") and a unix account (verify with "getent passwd.")

From: graham on 3 Feb 2010 17:20

Gaiseric Vandal wrote on 03/02/2010 19:15:
> it looks like from the log entries that the samba can't find an account
> for the machine. The machine- if it is a domain member- does need to
> have an account. Were you able to join the machine to the domain? if so
> there should be both a samba (windows) account (verify with "pdbedit
> -Lv") and a unix account (verify with "getent passwd.")

Hi Gaiseric, thanks for getting back to me.
Yes, it appeared to join the domain correctly. There is an appropriate machine account and entry in /etc/passwd, and it looks identical to a working xp client's:

pdbedit -Lv:

    Unix username:        XPHOST$
    NT username:
    Account Flags:        [W ]
    User SID:             S-1-5-21-764034647-1846980996-1928349337-1028
    Primary Group SID:    S-1-5-21-764034647-1846980996-1928349337-513
    Full Name:            XPHOST$
    Home Directory:
    HomeDir Drive:
    Logon Script:         logon.bat
    Profile Path:
    Domain:               SMBDOMAIN
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          never
    Kickoff time:         never
    Password last set:    Tue, 19 Jan 2010 12:21:19 GMT
    Password can change:  Tue, 19 Jan 2010 12:21:19 GMT
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    ---------------
    Unix username:        WIN7HOST$
    NT username:
    Account Flags:        [W ]
    User SID:             S-1-5-21-764034647-1846980996-1928349337-1031
    Primary Group SID:    S-1-5-21-764034647-1846980996-1928349337-513
    Full Name:            WIN7HOST$
    Home Directory:
    HomeDir Drive:
    Logon Script:         logon.bat
    Profile Path:
    Domain:               SMBDOMAIN
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          never
    Kickoff time:         never
    Password last set:    Tue, 02 Feb 2010 19:04:05 GMT
    Password can change:  Tue, 02 Feb 2010 19:04:05 GMT
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

getent passwd:

    XPHOST$:x:1011:102:Machine:/dev/null:/bin/false
    WIN7HOST$:x:1012:102:Machine:/dev/null:/bin/false

From: graham on 5 Feb 2010 12:50

a slight change in the log entries now, as below.
I don't know why (I don't think I've changed anything), but there is an extra log entry showing the host is in the passdb, but getpwnam() is failing. However, the machine name is definitely in /etc/passwd.

Can anyone cast any light on this apparent inconsistency, or what I might do to diagnose the problem further?

[2010/02/05 17:19:16, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7HOST machine account WIN7HOST$
*[2010/02/05 17:19:23, 1] auth/auth_util.c:577(make_server_info_sam)
User WIN7HOST$ in passdb, but getpwnam() fails!*
[2010/02/05 17:19:23, 0] auth/auth_sam.c:355(check_sam_security)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

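A triage sketch for the smbd entries discussed in this thread, added here as an example; it is not part of any poster's message and not Samba code. It groups the logged failures by machine account and checks each account with a keyed getpwnam() lookup, the call the log reports as failing. The sample log is constructed from the entries quoted above, and the function names and failure labels are assumptions of this example.

```python
import pwd
import re
from collections import defaultdict

# Constructed sample: the smbd entries quoted in the thread, un-wrapped.
SAMPLE_LOG = """\
[2010/02/05 17:19:16, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7HOST machine account WIN7HOST$
[2010/02/05 17:19:23, 1] auth/auth_util.c:577(make_server_info_sam)
  User WIN7HOST$ in passdb, but getpwnam() fails!
[2010/02/05 17:19:23, 0] auth/auth_sam.c:355(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
"""

# Entry header "[timestamp, level] file.c:line(function)", then the two
# messages from the thread that name a machine account (trailing "$").
HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+\S+\((\w+)\)")
PATTERNS = {
    "netlogon_creds_rejected": re.compile(r"netlogon_creds_server_check failed\..*machine account (\S+\$)"),
    "getpwnam_failed": re.compile(r"User (\S+\$) in passdb, but getpwnam\(\) fails"),
}

def parse_entries(text):
    """Yield (timestamp, function, message) for each smbd log entry."""
    current = None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), m.group(2), [])
        elif current and line.strip():
            current[2].append(line.strip())  # continuation of the message
    if current:
        yield current[0], current[1], " ".join(current[2])

def machine_account_failures(text):
    """Map each machine account to the failure kinds logged for it."""
    seen = defaultdict(set)
    for _ts, _func, msg in parse_entries(text):
        for kind, rx in PATTERNS.items():
            if (m := rx.search(msg)):
                seen[m.group(1)].add(kind)
    return dict(seen)

def nss_resolves(name, lookup=pwd.getpwnam):
    """True if a keyed passwd lookup (getpwnam, via NSS) finds the account."""
    try:
        return bool(lookup(name))
    except KeyError:
        return False

def triage(text, lookup=pwd.getpwnam):
    """Per machine account: logged failures and whether NSS resolves it now."""
    return {acct: {"failures": sorted(kinds), "nss_resolves": nss_resolves(acct, lookup)}
            for acct, kinds in machine_account_failures(text).items()}
```

Run `triage()` on the server over the real smbd log, as the same user smbd runs as. The keyed lookup is what `getent passwd 'WIN7HOST$'` does, which is a different check from listing every entry with a bare `getent passwd`.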