[Samba] Windows 7 machine trust accounts expiring

Alex Ferrara · External Since: Dec 16, 2009 Posts: 1

I think I have narrowed this down even further.

I have been working through getting rid of error messages in the logs, and I have updated Samba to 3.4.3. This might have fixed the issue, and I won't know for some time, but I can still see the following error appearing in the logs, which seems to line up with the core issue of machine trust accounts expiring.

rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-2150 machine account AC-2150$

I have noticed that the new Windows 7 machines say the password has expired on the same date that is in "sambaPwdLastSet". I added the "X" attribute in sambaAcctFlags in an attempt to stop the accounts from expiring. Below is an ldif of a Windows 7 machine trust account

dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ac-2150$
uid: ac-2150$
uidNumber: 1111
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaDomainName: DOMAIN
sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
sambaNTPassword: DABA25E3910551C63347D399520C123D
sambaAcctFlags: [WX ]
sambaPwdLastSet: 1260776037

Any help would be appreciated.

aF
--
To unsubscribe from this list go to the following URL and read the
instructions: " target="_blank">https://lists.samba.org/mailman/options/samba

Thomas Gutzler · External Since: Jan 18, 2010 Posts: 1

Hi,

I'm having the same problem with my Windows 7 machines (64 bit
Enterprise) but not Vista. After exactly one month they complain that
"The trust relationship between this workstation and the primary domain
failed." and I have to rejoin the domain, which fixes it for another
month. This happens with and without the "X" account flag set.

I'm running samba 3.4.0-3ubuntu5 on ubuntu jaunty with tdbsam.
When the trust relationship expires, the samba log says:
rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client IX machine account IX$

Interestingly, even after rejoining the domain, when I log on as a
domain user for the first time, it shows the above error once more and
then logs on happily.

I also found this line several times:
smbd/service.c:1009(make_connection_snum) '/path/to/IX_' does not exist
or permission denied when connecting to [tom] Error was No such file or
directory
I'm logging on to the machine "ix" as user "tom" and none of the
machine accounts have home directories and so far none of them
complained about it missing; except the Windows7 ones. If I create the
directory and log in it says:
smbd/service.c:1047(make_connection_snum) ix (130.95.136.139) connect to
service tom initially as user tom (uid=1050, gid=1050) (pid 6387)
smbd/service.c:1047(make_connection_snum) ix (130.95.136.139) connect to
service tom initially as user IX$ (uid=1214, gid=200) (pid 6387)
smbd/nttrans.c:2076(call_nt_transact_ioctl)
call_nt_transact_ioctl(0x1401c4): Currently not implemented.
and logs in happily. There are no files in the newly created directories.

Alex: You mentioned that you wouldn't know until early this month if the
update to 3.4.3 solve this problem; did it?

Tom

On Wed, Dec 16, 2009 at 13:06, Alex Ferrara wrote:
> I think I have narrowed this down even further.
>
> I have been working through getting rid of error messages in the
> logs, and I have updated Samba to 3.4.3. This might have fixed the
> issue, and I won't know for some time, but I can still see the
> following error appearing in the logs, which seems to line up with
> the core issue of machine trust accounts expiring.
>
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client AC-2150 machine account AC-2150$
>
> I have noticed that the new Windows 7 machines say the password has
> expired on the same date that is in "sambaPwdLastSet". I added the
> "X" attribute in sambaAcctFlags in an attempt to stop the accounts
> from expiring.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Roel van Meer · External Since: May 19, 2010 Posts: 1

Predrag Gavrilovic writes:

> Windows 7 joins domain but trust relation fails after month or so with
> "netlogon_creds_server_check failed" error. Needless to say, XP and
> Vista work ok.
>
> Can anyone (please) confirm possibility of windows 7 joining samba
> domain and staying joined for more than a month.
> If so, what version of samba is working? Is samba 3.5 required, or other
> registry patches mentioned (as not needed) in wiki?

We have been using samba 3.5.[12] and with those the Windows 7 trust
relation stays intact.

Regards,

roel

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba