
[Samba] users cannot change their passwords in domain


Dmitry Sukhodoev

Apr 13, 2003, 7:40:09 AM
hello, samba.

i have samba 2.2.8a from the ports running on the system:
FreeBSD bingo.ru 4.7-STABLE FreeBSD 4.7-STABLE #2: Tue Mar 25 20:30:51 YEKT
2003 ro...@bingo.ru:/usr/obj/usr/src/sys/bingo i386

with config:
=== cut ===
[global]
workgroup = bingo
netbios name = emily
server string = bingo samba daemon
hosts allow = 192.168.2. 127.
hosts deny = 192.168.1.
interfaces = xl2
bind interfaces only = yes
map archive = no
inherit permissions = yes
logon drive = z:

domain logons = yes
domain admin group = raven vova root toor

logon path = \\%L\profiles\%U

guest account = guest
map to guest = bad user
security = domain

log file = /var/log/samba/%m.log
max log size = 512
pid directory = /var/run
lock directory = /var/lock

encrypt passwords = yes
socket options = TCP_NODELAY

local master = yes
os level = 64
domain master = yes
preferred master = yes

client code page = 866
character set = KOI8-R
syslog = 0
hide local users = yes

include = /usr/local/etc/samba/office_%U.conf

[profiles]
path = /usr/local/samba/profiles
browseable = no
writeable = yes
guest ok = no
create mode = 600
directory mode = 700
map archive = yes
inherit permissions = no

[homes]
comment = home directories
browsable = no
guest ok = no
read only = no
create mode = 644
root preexec = /usr/local/raven/samba/exec/root_exec.pl %u %S %I open
root postexec = /usr/local/raven/samba/exec/root_exec.pl %u %S %I close
=== cut ===

my samba is the primary domain controller for my microsoft network with windowzes.
all was well, but for some time now my users cannot change their passwords in the
domain. windows reports that the domain is not available and smbd writes to the
log:

=== cut ===
[2003/04/13 16:39:39, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
[2003/04/13 16:39:39, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:39:39, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:39:39, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
[2003/04/13 16:39:39, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:39:39, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/04/13 16:39:39, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:39:39, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/04/13 16:39:39, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:39:39, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:39:40, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
[2003/04/13 16:39:40, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:39:40, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:39:40, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
[2003/04/13 16:39:40, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:39:40, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:39:40, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/04/13 16:39:40, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:39:40, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:39:40, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/04/13 16:39:40, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:39:40, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:40:06, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:40:06, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:40:06, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
PANIC: failed to set gid

[2003/04/13 16:40:06, 0] smbd/password.c:domain_client_validate(1558)
domain_client_validate: could not fetch trust account password for domain BINGO
=== cut ===

what happened? where is the solution? please help - i don't want to use a native windoze
domain controller, because windows servers suck.

--
Dmitry Sukhodoev, network administrator of bingo.ru, icq#550315

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba

Dmitry Sukhodoev

Apr 14, 2003, 5:50:09 AM
hello, richard.

you wrote on April 14, 2003, 13:24:57:

r> you cannot use "security=domain" and "domain master=yes"
now i have set up "security=user" and "domain master=yes", but password changing from
windows 2k/xp on my samba PDC still does not work. the errors are the same: windows
says "domain is not available" and samba writes those lines to the log... what else
must i change?
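The rule quoted in this message (no `security = domain` together with `domain master = yes`) can be checked mechanically. The sketch below is an added example, not code from the thread or from Samba; the sample config is constructed from the posted one, and treating `domain logons = yes` as part of the same PDC role is an assumption of the example.

```python
import re

# Constructed sample, reduced from the smb.conf posted at the top of the thread.
SAMPLE_CONF = """\
[global]
workgroup = bingo
; PDC role parameters
domain logons = yes
security = domain
Domain Master = yes

[profiles]
path = /usr/local/samba/profiles
"""

# Parameter names with case and whitespace removed -> readable name.
PDC_PARAMS = {"domainmaster": "domain master", "domainlogons": "domain logons"}


def parse_global(text):
    """Return {normalized parameter: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(key.lower().split())] = value.strip()
    return params


def pdc_role_conflicts(text):
    """List PDC-role parameters that are enabled while security = domain."""
    g = parse_global(text)
    if g.get("security", "user").lower() != "domain":
        return []
    return [name for key, name in PDC_PARAMS.items()
            if g.get(key, "no").lower() in ("yes", "true", "1")]
```
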

richard

Apr 14, 2003, 10:40:08 PM
your log says......

>domain_client_validate: could not fetch trust account password for domain BINGO
looks like you don't have a "machine account" for your client pc on your
samba server.
you will also have to add "root" as an smb user to use to join the
domain...as per the docs. (if you haven't already.)
regards,
Richard Coates.

Dmitry Sukhodoev

Apr 15, 2003, 4:20:10 AM
hello, richard.

you wrote on April 15, 2003, 8:35:24:

r> your log says......
r> >domain_client_validate: could not fetch trust account password for domain BINGO
r> looks like you don't have a "machine account" for your client pc on your
r> samba server.
r> you will also have to add "root" as an smb user to use to join the
r> domain...as per the docs. (if you haven't already.)
i have "root" as an smb user and with this account i have added all machines
with windows 2k/xp to my samba domain. also, i have a machine account, created
by "useradd machine$" and "smbpasswd -a -m machine". without this samba will
not join any machine to the domain. why does the log say "could not fetch trust account
password for domain BINGO"?

with old samba 2.2.3a, one year ago, it worked normally :(

--
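The machine-account check discussed in the last two messages (a Unix account ending in `$` plus a matching smbpasswd entry) can be audited across both files at once. This is an added example, not code from the thread; the account names and file contents are constructed, the hash fields are placeholders, and the smbpasswd layout assumed is `name:uid:LM:NT:[flags]:LCT-...:` with `W` marking a workstation trust account.

```python
# Constructed sample data; "X" * 32 stands in for the hash fields.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
ws01$:*:3001:3001:machine account:/nonexistent:/sbin/nologin
ws02$:*:3002:3002:machine account:/nonexistent:/sbin/nologin
ws04$:*:3004:3004:machine account:/nonexistent:/sbin/nologin
"""
SMBPASSWD = """\
root:0:{h}:{h}:[U          ]:LCT-00000000:
ws01$:3001:{h}:{h}:[W          ]:LCT-00000000:
ws03$:3003:{h}:{h}:[W          ]:LCT-00000000:
ws04$:3004:{h}:{h}:[U          ]:LCT-00000000:
""".format(h="X" * 32)


def unix_machines(passwd_text):
    """Names of Unix accounts ending in '$' (machine accounts)."""
    names = set()
    for line in passwd_text.splitlines():
        name = line.split(":", 1)[0]
        if name.endswith("$"):
            names.add(name)
    return names


def smb_accounts(smbpasswd_text):
    """Map account name -> flag letters taken from the [flags] field."""
    accounts = {}
    for line in smbpasswd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 5:
            continue
        accounts[fields[0]] = fields[4].strip("[] ")
    return accounts


def trust_account_gaps(passwd_text, smbpasswd_text):
    """Report machine accounts that are missing or mis-flagged in either file."""
    unix = unix_machines(passwd_text)
    smb = {n: f for n, f in smb_accounts(smbpasswd_text).items() if n.endswith("$")}
    smb_names = set(smb)
    return {
        "no_smbpasswd_entry": sorted(unix - smb_names),
        "no_unix_account": sorted(smb_names - unix),
        "not_flagged_W": sorted(n for n in unix & smb_names if "W" not in smb[n]),
    }
```
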
