So far, machines do seem to join the domain (Machine account is
created in LDAP, user can log in, etc.), but I am concerned that when
Windows 7 machines reach their 30 days they will begin issuing "trust
account has expired or is incorrect" messages.
Since we have a couple thousand machines, I wish to avoid that. I
have followed the instructions at
http://wiki.samba.org/index.php/Windows7 and tried a few other things
(but have not touched the sign/seal regkeys) and still get these errors
in the logs when a machine boots and auths any user. I have updated
the samba bins from debian backports to run version 3.5.8.
I have made sure that our DNS server registers the machine account
with hostname.DOMAIN, have tried turning off/on ntlmv2 on the server
and using gpedit on the client, have made sure that time is
synchronous on the server/client, have removed and re-added the
machine account many times, and have tried some registry hacks like:
HKLM\System\CCS\Services\TcpIp\Parameters
Domain: XXX.com
NV Domain: XXX.com
Where should I look next?
--
So find this group by hand:
ldapsearch -x -LLL sambasid=S-1-5-21-1048866067-1567326443-2860397223-515
Should look like this:
# ldapsearch -x -LLL sambasid=S-1-5-21-2895420538-1884802692-219078741-515
dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2895420538-1884802692-219078741-515
sambaGroupType: 2
displayName: Domain Computers
And you are using debian with winbind?
Check the status of winbind:
smbcontrol winbind ping
PONG from pid 11761
If you don't get a pong, you are not running winbindd, or you have a broken deb.
cd /var/run/samba
ln -s winbindd-winbindd.conf.pid winbindd.pid
and winbind works :-) .
If you have fixed these two possible issues and things still don't work, check
your LDAP ACLs. To do this set the loglevel of slapd to 384 (ACL + FILTER).
--
Regards
Harry Jede
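
Added example (not part of the thread and not Samba's own tooling): a shell function that reads the LDIF printed by the ldapsearch in the reply above and checks it against the "should look like this" entry, so the comparison can be scripted across servers. The function name and the FAIL messages are hypothetical, the second sample entry is constructed, and the input is assumed to be one entry with plain, unfolded `attr: value` lines.

```shell
#!/bin/sh
# Validate the LDIF returned by the ldapsearch shown in the reply.
# Assumes one entry on stdin, plain "attr: value" lines, no folding or base64.
check_domain_computers() {
    awk '
    /^[A-Za-z]/ {
        i = index($0, ":")
        if (i == 0) next
        key = tolower(substr($0, 1, i - 1))   # attribute names are case-insensitive
        val = substr($0, i + 1)
        sub(/^ +/, "", val)
        if (key == "objectclass") class[tolower(val)] = 1
        else attr[key] = val
    }
    END {
        if (!("dn" in attr)) { print "FAIL: no entry returned for this SID"; exit 1 }
        bad = 0
        if (!("posixgroup" in class))        { print "FAIL: objectClass posixGroup missing"; bad = 1 }
        if (!("sambagroupmapping" in class)) { print "FAIL: objectClass sambaGroupMapping missing"; bad = 1 }
        if (attr["sambasid"] !~ /^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-515$/) { print "FAIL: sambaSID is not a domain SID ending in RID 515"; bad = 1 }
        if (attr["gidnumber"] !~ /^[0-9]+$/) { print "FAIL: gidNumber missing or not numeric"; bad = 1 }
        if (attr["sambagrouptype"] != "2")   { print "FAIL: sambaGroupType is not 2"; bad = 1 }
        if (!bad) print "ok: " attr["dn"]
        exit bad
    }'
}

# Expected entry, copied from the reply above.
GOOD_LDIF='dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
sambaSID: S-1-5-21-2895420538-1884802692-219078741-515
sambaGroupType: 2'

# Constructed broken entry: no group mapping class, wrong RID, no group type.
BAD_LDIF='dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: top
objectClass: posixGroup
gidNumber: 515
sambaSID: S-1-5-21-2895420538-1884802692-219078741-513'

printf '%s\n' "$GOOD_LDIF" | check_domain_computers || true
printf '%s\n' "$BAD_LDIF"  | check_domain_computers || true
```

Against a live directory, pipe the reply's `ldapsearch -x -LLL sambasid=...-515` output into `check_domain_computers`; a non-zero exit status means the entry differs from the expected one.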