Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] samba 4 classicupgrade w7 clients errors
9 views
Skip to first unread message
Andreas Calvo
Apr 27, 2013, 8:40:01 AM4/27/13
to
I had a test environment with a few hundreds of users using Windows 7 under
a samba 3 domain.
They had the registry tweaks required to join a samba 3 domain.
I followed the classicupgrade migration to samba 4 and everything seemed to
be ok.
In my scenario I have a DNS server different from the samba server, and the
DNS server forwards all queries to my samba domain to the samba server.
The samba server is also acting as a NTP server, and the option ntp-servers
on DHCP is specified.
Some users see a pop-up requesting to log off and log in again - with a
"windows need your credentials" message.
Moreover, they seem to not have any kerberos ticket - running a klist
shows no active tickets; and they do not have the time synchronized and
sometimes they see a message regarding the time mismatch.
We tried to set up a NTP time using GPOs without luck.
Looking at the samba logs doesn't give a clue - just some errors which may
be normal.
Any hint to look at or any configuration/misconfiguration?
Thanks!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
a samba 3 domain.
They had the registry tweaks required to join a samba 3 domain.
I followed the classicupgrade migration to samba 4 and everything seemed to
be ok.
In my scenario I have a DNS server different from the samba server, and the
DNS server forwards all queries to my samba domain to the samba server.
The samba server is also acting as a NTP server, and the option ntp-servers
on DHCP is specified.
Some users see a pop-up requesting to log off and log in again - with a
"windows need your credentials" message.
Moreover, they seem to not have any kerberos ticket - running a klist
shows no active tickets; and they do not have the time synchronized and
sometimes they see a message regarding the time mismatch.
We tried to set up a NTP time using GPOs without luck.
Looking at the samba logs doesn't give a clue - just some errors which may
be normal.
Any hint to look at or any configuration/misconfiguration?
Thanks!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
Apr 28, 2013, 2:50:02 AM4/28/13
to
On Sat, 2013-04-27 at 14:31 +0200, Andreas Calvo wrote:
> I had a test environment with a few hundreds of users using Windows 7 under
> a samba 3 domain.
> They had the registry tweaks required to join a samba 3 domain.
> I followed the classicupgrade migration to samba 4 and everything seemed to
> be ok.
>
> In my scenario I have a DNS server different from the samba server, and the
> DNS server forwards all queries to my samba domain to the samba server.
> The samba server is also acting as a NTP server, and the option ntp-servers
> on DHCP is specified.
>
> Some users see a pop-up requesting to log off and log in again - with a
> "windows need your credentials" message.
> Moreover, they seem to not have any kerberos ticket - running a klist
> shows no active tickets; and they do not have the time synchronized and
> sometimes they see a message regarding the time mismatch.
> We tried to set up a NTP time using GPOs without luck.
>
> Looking at the samba logs doesn't give a clue - just some errors which may
> be normal.
>
> Any hint to look at or any configuration/misconfiguration?
Have the passwords expired (incorrectly)? I just saw the same message
> I had a test environment with a few hundreds of users using Windows 7 under
> a samba 3 domain.
> They had the registry tweaks required to join a samba 3 domain.
> I followed the classicupgrade migration to samba 4 and everything seemed to
> be ok.
>
> In my scenario I have a DNS server different from the samba server, and the
> DNS server forwards all queries to my samba domain to the samba server.
> The samba server is also acting as a NTP server, and the option ntp-servers
> on DHCP is specified.
>
> Some users see a pop-up requesting to log off and log in again - with a
> "windows need your credentials" message.
> Moreover, they seem to not have any kerberos ticket - running a klist
> shows no active tickets; and they do not have the time synchronized and
> sometimes they see a message regarding the time mismatch.
> We tried to set up a NTP time using GPOs without luck.
>
> Looking at the samba logs doesn't give a clue - just some errors which may
> be normal.
>
> Any hint to look at or any configuration/misconfiguration?
with my test domain (not upgraded), and it then asked me to change the
password which had expired.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Andreas Calvo
Apr 28, 2013, 8:40:01 AM4/28/13
to
I've changed some of my test users passwords, just to renew the password
expiration date.
I may check if they are still expired or if I have to set a new expiration
policy.
Is it set as a GPO or using the samba-tools?
Atentamente,
Andreas Calvo
expiration date.
I may check if they are still expired or if I have to set a new expiration
policy.
Is it set as a GPO or using the samba-tools?
Andreas Calvo
Andrew Bartlett
Apr 28, 2013, 9:20:01 PM4/28/13
to
On Sun, 2013-04-28 at 14:31 +0200, Andreas Calvo wrote:
> I've changed some of my test users passwords, just to renew the password
> expiration date.
> I may check if they are still expired or if I have to set a new expiration
> policy.
> Is it set as a GPO or using the samba-tools?
Password expiry for the domain is applied using samba-tool:
> I've changed some of my test users passwords, just to renew the password
> expiration date.
> I may check if they are still expired or if I have to set a new expiration
> policy.
> Is it set as a GPO or using the samba-tools?
samba-tool domain passwordsettings
As Samba can't read GPO files (but can serve them to clients), we don't
follow anything from the GPO. The only exception is that if a windows
DC shares the domain, and it has the GPO files, it will 'fix' the
directory to match the GPO.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
--
Andreas Calvo
Apr 30, 2013, 4:10:02 AM4/30/13
to
These are the current settings for the password expiration policy in the
domain:
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
Is it necessary to set a value?
A lot of users are seeing the pop-up "windows needs your credentials. Log
off and on again".
On Mon, Apr 29, 2013 at 3:11 AM, Andrew Bartlett <abar...@samba.org> wrote:
> On Sun, 2013-04-28 at 14:31 +0200, Andreas Calvo wrote:
> > I've changed some of my test users passwords, just to renew the password
> > expiration date.
> > I may check if they are still expired or if I have to set a new
> expiration
> > policy.
> > Is it set as a GPO or using the samba-tools?
>
> Password expiry for the domain is applied using samba-tool:
>
> samba-tool domain passwordsettings
>
> As Samba can't read GPO files (but can serve them to clients), we don't
> follow anything from the GPO. The only exception is that if a windows
> DC shares the domain, and it has the GPO files, it will 'fix' the
> directory to match the GPO.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>
>
--
Atentamente,
Andreas Calvo
domain:
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
Is it necessary to set a value?
A lot of users are seeing the pop-up "windows needs your credentials. Log
off and on again".
On Mon, Apr 29, 2013 at 3:11 AM, Andrew Bartlett <abar...@samba.org> wrote:
> On Sun, 2013-04-28 at 14:31 +0200, Andreas Calvo wrote:
> > I've changed some of my test users passwords, just to renew the password
> > expiration date.
> > I may check if they are still expired or if I have to set a new
> expiration
> > policy.
> > Is it set as a GPO or using the samba-tools?
>
> Password expiry for the domain is applied using samba-tool:
>
> samba-tool domain passwordsettings
>
> As Samba can't read GPO files (but can serve them to clients), we don't
> follow anything from the GPO. The only exception is that if a windows
> DC shares the domain, and it has the GPO files, it will 'fix' the
> directory to match the GPO.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>
>
--
Andreas Calvo
Andreas Calvo
Apr 30, 2013, 5:20:03 AM4/30/13
to
We faced the following error while testing a Kerberos login on a linux
machine joined in the domain by likewise-open:
root@test:/etc# kinit test
Password for te...@MYDOMAIN.LOCAL <miquel@SCYTL_INT.LOCAL>:
Warning: Your password will expire in less than one hour on Thu Jan 1
01:00:00 1970
What do actually mean:
had any reference to the password expiration date - they did have a value
for the last time they changed the password though.
It seems that it is really important to set a password expiration date
after a classic upgrade, isn't it?
machine joined in the domain by likewise-open:
root@test:/etc# kinit test
Password for te...@MYDOMAIN.LOCAL <miquel@SCYTL_INT.LOCAL>:
Warning: Your password will expire in less than one hour on Thu Jan 1
01:00:00 1970
What do actually mean:
Minimum password age (days): 0
Maximum password age (days): 0
I've dumped all users from the builtin LDAP in Samba v4, and none of them
Maximum password age (days): 0
had any reference to the password expiration date - they did have a value
for the last time they changed the password though.
It seems that it is really important to set a password expiration date
after a classic upgrade, isn't it?
0 new messages