Re: [Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients

2010-08-10 Thread Stefan Oberwahrenbrock
Hi Peter,

thanks for your detailed instructions for a workaround!

Just to be sure I understand you correctly: your proposals include changes for the win7-
clients _and_ the samba domain itself, correct? If it is possible, I 
would like to change only settings within the win7-clients (or server 
2008 R2 systems) and not the domain itself, because all other systems 
(XP, 2003, 2008) have been operating quite well for over a year now.

Besides, I also see the "DisablePasswordChange" option on Windows server 
systems (2003, 2008, 2008 R2) but I do not see a "RefusePasswordChange" 
option. According to the MS knowledge base (http://support.microsoft.com/?
scid=kb%3Ben-us%3B154501&x=7&y=6) it seems to me that the 
"RefusePasswordChange" option was only intended to be used on older 
systems (NT4, 2000). Thus, I think it will be ineffective on "modern" 
systems.

I would like to hear your comments.

Greetings,
Stefan


Peter Rindfuss  wrote in news:4c600628.2010...@wzb.eu:

> On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:
>>
>> We are observing the following phenomenon: After 30 days our Windows
>> 7 clients lose their trust relationship with the samba domain. We
>> think, that the automatic machine password change on these clients
>> fails. 
> 
> I posted a message about the very same problem on July 15.
> 
> I think it does not always happen after 30 days (or whatever the
> change interval is set to), but only occurs when the machine password
> change time has arrived and the computer is on, but no one is
> logged on (i.e. the login box is shown).
> 
> Since we are only starting to deploy Windows 7, we simply turned the 
> machine password change off in the registry of our imaged installation
> and the few real installations. We had no more problems afterwards.
> 
> 
> There are three ways to change the machine password behavior:
> 
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> DisablePasswordChange = dword:1
> 
> or
> 
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> MaximumPasswordAge = dword:100
> 
> or
> 
> Server-Registry (if you have a Windows server)
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> RefusePasswordChange = dword:1
> 
> With Samba + OpenLDAP, set
> sambaRefuseMachinePwdChange = 1
> in the sambaDomainName= entry.
> 
> Peter


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients

2010-08-09 Thread Stefan Oberwahrenbrock
Hello!

We are observing the following phenomenon: After 30 days our Windows 7 
clients lose their trust relationship with the samba domain. We think that 
the automatic machine password change on these clients fails. As a result 
of this, the trust relationship is broken and the machine has to be re-
joined. The default value for this password change is 30 days - the value 
can be modified with the local group policy (German system: 
Computerkonfiguration -> Windows-Einstellungen -> Sicherheitseinstellungen 
-> Lokale Richtlinien -> Sicherheitsoptionen -> Domänenmitglied: 
Maximalalter von Computerkontenkennwörtern). It should be possible to raise 
this value, but that would just be a workaround and not a solution for the 
cause.

We have many clients running different versions of Windows (XP, 2003, 2008) 
which change their machine passwords on a regular basis. They manage to do 
this without any registry/GPO tweaks.

Some more details on the involved software components: The Windows 7 
clients only have the two registry changes mentioned in the samba wiki 
(http://wiki.samba.org/index.php/Windows7). The initial join and the re-
join always succeed. We are running Sernet Samba 3.5.2-27 on Debian 5.0, 
LDAP-based PDC/BDC scenario. When the problem occurs, we see log 
lines like "_netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client NAME machine account NAME$" - but 
messages like these also occur regularly in combination with some 
machines that do not have any problems.

Can anybody confirm this behaviour or provide suggestions for a 
solution/explanation?

Thanks and greetings,
Stefan Oberwahrenbrock

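As an added example (not part of the original posts and not Samba's own tooling): a small Python script that parses the Samba log message quoted above, `_netr_ServerAuthenticate3: netlogon_creds_server_check failed ...`, and separates the occasional rejection seen on healthy machines from a machine account that is rejected repeatedly within a short window, which is what a client with a broken trust relationship looks like from the PDC side. The log lines, the `rpc_server/srv_netlog_nt.c:...(880)` header text and the host names are constructed sample data; the 30-minute window and the threshold of 3 are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the two-line style of Samba 3.x log files:
# a "[YYYY/MM/DD HH:MM:SS, level] file:function(line)" header line,
# followed by the message itself. Host names and source line numbers are made up.
SAMPLE_LOG = """\
[2010/08/09 08:02:11,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate3(880)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-XP-01 machine account PC-XP-01$
[2010/08/09 09:15:40,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate3(880)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-03 machine account PC-WIN7-03$
[2010/08/09 09:16:02,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate3(880)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-03 machine account PC-WIN7-03$
[2010/08/09 09:17:55,  0] smbd/service.c:make_connection_snum(1234)
  PC-XP-01 (192.0.2.10) connect to service netlogon initially as user DOM\\user1 (uid=10001, gid=513) (pid 4242)
[2010/08/09 09:20:30,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate3(880)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-03 machine account PC-WIN7-03$
[2010/08/09 09:25:09,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate3(880)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-03 machine account PC-WIN7-03$
[2010/08/10 11:00:00,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate3(880)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-05 machine account PC-WIN7-05$
[2010/08/12 11:30:00,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate3(880)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-05 machine account PC-WIN7-05$
"""

# Header line of a Samba log record: timestamp and debug level.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
# The rejection message quoted in the post, with the two names captured.
FAILURE_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request "
    r"from client (?P<client>\S+) machine account (?P<account>\S+\$)"
)


def parse_netlogon_failures(text):
    """Return [(timestamp, client, machine_account)] for every rejected
    netlogon authentication found in a Samba log text."""
    events = []
    current_ts = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            # Remember the timestamp; the message follows on the next line(s).
            current_ts = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        failure = FAILURE_RE.search(line)
        if failure and current_ts is not None:
            events.append((current_ts, failure.group("client"), failure.group("account")))
    return events


def flag_persistent_failures(events, window=timedelta(minutes=30), threshold=3):
    """Return {machine_account: max failures inside any `window`} for accounts
    that reach `threshold`. A single rejection (seen on healthy machines too)
    never reaches the threshold; a client whose trust is broken keeps retrying."""
    per_account = defaultdict(list)
    for ts, _client, account in events:
        per_account[account].append(ts)

    flagged = {}
    for account, stamps in per_account.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    found = parse_netlogon_failures(SAMPLE_LOG)
    print(f"{len(found)} rejected netlogon authentications parsed")
    for account, count in sorted(flag_persistent_failures(found).items()):
        print(f"{account}: {count} rejections within 30 min -> check trust relationship")
```

On a real PDC, feed it `log.smbd` (or the per-client log files if `log file = %m.log` is used) instead of the constructed sample; the accounts it flags are the ones worth re-joining before users notice.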

[Samba] Re: Samba PDC autolocking domain administrator account

2009-06-17 Thread Stefan Oberwahrenbrock
Stefan Oberwahrenbrock  wrote in
news:xns9c26809018cb9oberwahrenbrocktr...@80.91.229.13: 


Hello!

It turned out that, after all, there were differences in the setup of the 
test and production system - I just was not aware of them at first:

The test system was built installing a plain default NT PDC. The default 
NT PDC installation does not make use of a "lockout after bad login 
attempts" policy at all - if you want to use such a policy, you have to 
enable and configure it. The production system was configured to use 
this policy with defaults (LogoutThreshold 5). During migration of both 
systems the settings were also correctly migrated...

Thus, with e. g. disabled account policy "bad lockout attempt" (pdbedit), 
the domain administrator does not get locked any more.

Nevertheless, Samba locking down the administrator is unexpected and 
unwanted - in my eyes. With NT the administrator account is not affected 
by the automatic locking mechanism. I think especially for users with a 
migration background (NT 4.0 -> Samba), it would be nice to have the 
same behaviour with a Samba PDC.
In our case, the problem is not that the admins do not remember the 
password of the domain admin. Instead, some users have the password for 
the local administrator on their local PC. If they log on as local 
administrator and try to connect to a share on some other machine, the 
Samba PDC obviously tries to authenticate the password (hash) of the 
local-admin session against the domain administrator account. With "bad 
lockout attempt" set to 5, the result is a locked-down domain 
administrator account (passwords of local and domain administrator differ, 
of course!). The only workaround I know is to disable "bad lockout 
attempt" completely or to set it to a relatively high value (e. g. 15). 
With these settings, the local-admin users trying to connect to a 
share do get a new window where they can provide a correct login, after 
Windows noticed that the first "automatic" connect attempts did not 
work.

Does anyone know if the special handling of the domain administrator 
account is a topic for future releases of Samba? Is there someone else 
who sees the problem like I do (or am I still just too NT4.0-affected ;-))

Greetings,
Stefan



[Samba] Samba PDC autolocking domain administrator account

2009-06-10 Thread Stefan Oberwahrenbrock
Hello!

Some days ago we migrated our production domain from Windows NT 4.0 to 
Samba 3.3.4 (Yes - such migrations still happen these days :-)). After 
migration we noticed that from time to time the domain administrator 
account gets locked - pdbedit shows the flags [UXL]. It is easy to 
activate the account again, but nevertheless it is unexpected and unwanted. 
To my knowledge, the domain administrator is not affected by the automatic 
locking mechanism which comes into effect following repeated login attempts 
using an incorrect password. In addition, the behaviour is not 
reproducible in a separate test network that was cleanly built up from 
scratch and uses the same software versions (operating system, smbldap-
tools, slapd from Debian 5.0.1, Sernet-Samba-3.3.4).

Since production and test network are both LDAP-based, I compared the ldifs 
of both accounts. Differences found so far: The account in the test system 
has the attributes sambaBadPasswordCount and sambaBadPasswordTime unset, 
while in the production system they have a value of 0. Adopting the values does 
not change the behaviour.

Does anyone know what other criteria/attributes/circumstances might 
dispose Samba to autolock the account?

Thanks and greetings from Bielefeld,
Stefan Oberwahrenbrock

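As an added example (not from the original posts and not part of Samba): a Python audit over an LDIF export of the Samba domain, so that lockouts of the kind described in this thread are seen before someone finds the Administrator account locked. It reads `sambaLockoutThreshold` from the `sambaDomainName` entry and `sambaAcctFlags` / `sambaBadPasswordCount` from each `sambaSamAccount` (attribute names from the Samba 3 LDAP schema); the `L` in `[UXL]` is the auto-locked flag that pdbedit shows. The LDIF text is constructed sample data, and the "near threshold" rule (count >= threshold - 1) is an assumed choice, not a Samba setting.

```python
import base64

# Constructed LDIF export of a small Samba 3 domain (not real data).
# It includes a base64 attribute ("::") and a folded line so the parser handles both.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaLockoutThreshold: 5
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30

dn: uid=Administrator,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: Administrator
displayName:: QWRtaW5pc3RyYXRvcg==
description: locked out after repeated failed logons from
  a workstation
sambaAcctFlags: [UXL        ]
sambaBadPasswordCount: 5
sambaBadPasswordTime: 1244630400

dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 4
sambaBadPasswordTime: 1244631000

dn: uid=bob,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0

dn: uid=pc-xp-01$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: pc-xp-01$
sambaAcctFlags: [W          ]
"""


def _add_attr(entry, line):
    """Store one logical LDIF line ("attr: value" or "attr:: base64") in entry."""
    if line.startswith("#"):
        return
    attr, _sep, value = line.partition(":")
    if value.startswith(":"):                          # "attr:: <base64>"
        value = base64.b64decode(value[1:].strip()).decode("utf-8")
    else:
        value = value.strip()
    entry.setdefault(attr, []).append(value)


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, values folded
    onto continuation lines that start with a single space. Returns a list
    of {attribute: [values]} dicts (the dn is kept as attribute "dn")."""
    entries, entry, pending = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and pending is not None:  # folded continuation
            pending += raw[1:]
            continue
        if pending is not None:
            _add_attr(entry, pending)
            pending = None
        if raw == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        pending = raw
    if pending is not None:
        _add_attr(entry, pending)
    if entry:
        entries.append(entry)
    return entries


def audit_lockouts(entries):
    """Report the domain lockout threshold (0 = policy disabled, as on the
    default NT PDC in the thread), every account carrying the 'L' flag, and
    accounts one bad password away from being locked."""
    domain = next(e for e in entries if "sambaDomain" in e.get("objectClass", []))
    threshold = int(domain.get("sambaLockoutThreshold", ["0"])[0])
    report = {"threshold": threshold, "locked": [], "near_threshold": []}
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        uid = e["uid"][0]
        flags = e.get("sambaAcctFlags", ["[           ]"])[0]
        bad_count = int(e.get("sambaBadPasswordCount", ["0"])[0])
        if "L" in flags:
            report["locked"].append(uid)
        elif threshold and bad_count >= threshold - 1:   # assumed "near" rule
            report["near_threshold"].append((uid, bad_count))
    return report


if __name__ == "__main__":
    result = audit_lockouts(parse_ldif(SAMPLE_LDIF))
    print(f"lockout threshold: {result['threshold'] or 'disabled'}")
    print(f"locked accounts:   {', '.join(result['locked']) or 'none'}")
    for uid, count in result["near_threshold"]:
        print(f"near threshold:    {uid} ({count} bad passwords)")
```

Run it against `slapcat` output (or an `ldapsearch -LLL` dump of the users and domain entries) instead of the sample; a steadily climbing `sambaBadPasswordCount` on the Administrator entry with no admin logging in is exactly the local-administrator-password pattern the post describes, and it is visible well before the fifth attempt locks the account.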


[Samba] Re: Vista SP1, Server 2008 joining NT4/Samba Domain

2008-06-18 Thread Stefan Oberwahrenbrock
Volker Lendecke <[EMAIL PROTECTED]> wrote in
news:[EMAIL PROTECTED]: 
 
> Did you test with recent Samba or only with 3.0.24?

Only 3.0.24 - until now :-)

Meantime I have set up virtual machines for testing. The testing system 
acting as PDC is basically running Debian 4.0 and packages from the 
corresponding Debian archives (slapd, smbldap-tools, ...) - except for the 
Samba package, which I took from the SerNet archives. I tested versions 
3.0.28 and 3.0.30 - Vista SP1 and Server 2008 could both be joined 
successfully without modifications to the operating system!

Thus it seems with Samba >= 3.0.28 everything is fine concerning the 
described problems.

Thanks to you/SerNet for providing up-to-date packages!



Greetings,
Stefan



[Samba] Vista SP1, Server 2008 joining NT4/Samba Domain

2008-06-17 Thread Stefan Oberwahrenbrock
Hello!

It seems that Vista SP1 and Server 2008 cannot join an NT4/Samba domain. 
Vista could join before SP1, if one made some modifications to the 
system (LAN Manager authentication level, encryption of secure channel). 
But these workarounds do not seem to work with SP1 anymore.

Microsoft points out that joining NT4-domains with  Vista SP1 and Server 
2008 is not supported/tested (Article ID 940268, 
http://support.microsoft.com/?scid=kb%3Ben-us%3B940268&x=8&y=11).

To my knowledge Samba 3.0.x - acting as a PDC/BDC - basically provides 
NT4-domain functions/services. We tried to join Vista SP1 and Server 2008 
to a Microsoft NT4 domain (PDC running NT4.0 SP6a) as well as to a Samba 
domain (Samba 3.0.24 [Debian] with LDAP backend slapd 2.3.30 [Debian]). 
Both tries failed, symptoms as mentioned in the MS article. Other systems 
(2000, XP, 2003) join without problems.

Conclusion: As Vista SP1 and Server 2008 do not "cooperate" with NT4-
domains, you cannot join these systems in Samba 3.0.x domains, which 
basically "emulate" NT4-domains.

Can someone confirm the conclusion/scenario or confute it by providing 
empirical values of working samba domains containing Vista SP1 and Server 
2008 systems? The latter is more appreciated ... ;-)

Greetings,
Stefan
