Re: [Samba] Windows 7 machine trust accounts expiring
On Mon, Oct 4, 2010 at 12:58 PM, Martin Hochreiter wrote:
> On 04.10.2010 at 16:23, John Drescher wrote:
>>
>> On Thu, Jul 15, 2010 at 11:52 AM, Peter Rindfuss wrote:
>>>
>>> There was an earlier thread about failing trust relationships between
>>> Windows 7 and Samba. Since we occasionally experience the same problem
>>> with Win 7 clients against a Samba 3.5.4 server, I investigated this a
>>> bit further.
>>>
>>> I think it happens when
>>> - the time to change the machine password has arrived
>>> - the Win 7 machine is up, but no one is logged on (login box is shown
>>>   on the screen).
>>>
>>> To reproduce this, I reduced the machine password change interval to
>>> one day on a test computer, then let the login prompt sit there for a
>>> day or so - and indeed I could not log in anymore because of a trust
>>> relationship failure. I will try this a couple more times.
>>>
>>> I hope this helps to find a remedy.
>>>
>> Did you ever solve this issue? How did you change the "machine
>> password change interval"?
>>
>> I just had a single windows 7 box fail trust relationship and I saw
>> that the last modify time in ldap for that account was August 30,
>> 2010.
>>
>> John
>
> Hi John!
>
> Just for information -
> We too do use the DisableMachinePasswordChange option of the registry
> because the "Refuse Machine Password Change" option on the samba server
> is not working with win 7, and we do not have any problems with the
> expiring issue.
>
> As I wrote some threads before - I think the trustship problem is
> related to the "Reject machine account" logs we see if a user logs on
> on a samba server ... the samba server refuses it and according to that
> is not doing the password change too. But that's just theory.
>

Thanks both of you. I will do this for all windows 7 boxes to avoid the
issue for now.

John

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Windows 7 machine trust accounts expiring
On 04.10.2010 at 16:23, John Drescher wrote:
> On Thu, Jul 15, 2010 at 11:52 AM, Peter Rindfuss wrote:
>> There was an earlier thread about failing trust relationships between
>> Windows 7 and Samba. Since we occasionally experience the same problem
>> with Win 7 clients against a Samba 3.5.4 server, I investigated this a
>> bit further.
>>
>> I think it happens when
>> - the time to change the machine password has arrived
>> - the Win 7 machine is up, but no one is logged on (login box is shown
>>   on the screen).
>>
>> To reproduce this, I reduced the machine password change interval to
>> one day on a test computer, then let the login prompt sit there for a
>> day or so - and indeed I could not log in anymore because of a trust
>> relationship failure. I will try this a couple more times.
>>
>> I hope this helps to find a remedy.
>
> Did you ever solve this issue? How did you change the "machine
> password change interval"?
>
> I just had a single windows 7 box fail trust relationship and I saw
> that the last modify time in ldap for that account was August 30,
> 2010.
>
> John

Hi John!

Just for information -
We too do use the DisableMachinePasswordChange option of the registry
because the "Refuse Machine Password Change" option on the samba server
is not working with win 7, and we do not have any problems with the
expiring issue.

As I wrote some threads before - I think the trustship problem is
related to the "Reject machine account" logs we see if a user logs on
on a samba server ... the samba server refuses it and according to that
is not doing the password change too. But that's just theory.

regards
Martin
Re: [Samba] Windows 7 machine trust accounts expiring
On 2010-10-04 16:23, John Drescher wrote:
> On Thu, Jul 15, 2010 at 11:52 AM, Peter Rindfuss wrote:
>> There was an earlier thread about failing trust relationships between
>> Windows 7 and Samba. Since we occasionally experience the same problem
>> with Win 7 clients against a Samba 3.5.4 server, I investigated this a
>> bit further.
>>
>> I think it happens when
>> - the time to change the machine password has arrived
>> - the Win 7 machine is up, but no one is logged on (login box is shown
>>   on the screen).
>>
>> To reproduce this, I reduced the machine password change interval to
>> one day on a test computer, then let the login prompt sit there for a
>> day or so - and indeed I could not log in anymore because of a trust
>> relationship failure. I will try this a couple more times.
>>
>> I hope this helps to find a remedy.
>
> Did you ever solve this issue? How did you change the "machine
> password change interval"?
>
> I just had a single windows 7 box fail trust relationship and I saw
> that the last modify time in ldap for that account was August 30,
> 2010.
>
> John

Our solution: We disabled the machine password change on all win7
clients by setting

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
DisablePasswordChange = dword:1

We never had a single issue after that.

The "machine password change interval" can be set in the client's
registry with

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
MaximumPasswordAge = dword:n, n being a number of days. Default is 30.

Instead of "DisablePasswordChange = 1" we might have tried
"MaximumPasswordAge = 100", a million days.

Finally, we might have tried against an MS server

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
RefusePasswordChange = dword:1

Note that this is a server setting, not a client setting. In Samba, it
should translate to "sambaRefuseMachinePwdChange = 1" in LDAP.

Peter
Re: [Samba] Windows 7 machine trust accounts expiring
On Thu, Jul 15, 2010 at 11:52 AM, Peter Rindfuss wrote:
> There was an earlier thread about failing trust relationships between
> Windows 7 and Samba. Since we occasionally experience the same problem
> with Win 7 clients against a Samba 3.5.4 server, I investigated this a
> bit further.
>
> I think it happens when
> - the time to change the machine password has arrived
> - the Win 7 machine is up, but no one is logged on (login box is shown
>   on the screen).
>
> To reproduce this, I reduced the machine password change interval to
> one day on a test computer, then let the login prompt sit there for a
> day or so - and indeed I could not log in anymore because of a trust
> relationship failure. I will try this a couple more times.
>
> I hope this helps to find a remedy.
>

Did you ever solve this issue? How did you change the "machine
password change interval"?

I just had a single windows 7 box fail trust relationship and I saw
that the last modify time in ldap for that account was August 30,
2010.

John
[Samba] Windows 7 machine trust accounts expiring
There was an earlier thread about failing trust relationships between
Windows 7 and Samba. Since we occasionally experience the same problem
with Win 7 clients against a Samba 3.5.4 server, I investigated this a
bit further.

I think it happens when
- the time to change the machine password has arrived
- the Win 7 machine is up, but no one is logged on (login box is shown
  on the screen).

To reproduce this, I reduced the machine password change interval to
one day on a test computer, then let the login prompt sit there for a
day or so - and indeed I could not log in anymore because of a trust
relationship failure. I will try this a couple more times.

I hope this helps to find a remedy.

Peter
Re: [Samba] Windows 7 machine trust accounts expiring
SNIP

> Have you applied any other registry patches beside those that I have
> applied?

Well, yes, I have (erm...had) a reg patch to change DNS. This actually
can cause some problems on Win7. However, with or without it, I had no
expiration.

Cheers,
TMS III

> Predrag Gavrilovic
>
> On 19.05.2010 at 14:57, t...@tms3.com wrote:
>> SNIP
>>> Windows 7 joins domain but trust relation fails after month or so
>>> with "netlogon_creds_server_check failed" error. Needless to say, XP
>>> and Vista work ok.
>>>
>>> Can anyone (please) confirm possibility of windows 7 joining samba
>>> domain and staying joined for more than a month. If so, what version
>>> of samba is working? Is samba 3.5 required, or other registry patches
>>> mentioned (as not needed) in wiki?
>>
>> Version samba34-3.4.5_1 on FreeBSD 8.0 and 7.2 with LDAP backend, 14
>> WAN connected nodes, no account expiration.
>>
>>> On 16.12.2009 at 06:06, Alex Ferrara wrote:
>>>> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
>>>> Rejecting auth request from client AC-2150 machine account AC-2150$
>>>>
>>>> I have noticed that the new Windows 7 machines say the password has
>>>> expired on the same date that is in "sambaPwdLastSet". I added the
>>>> "X" attribute in sambaAcctFlags in an attempt to stop the accounts
>>>> from expiring.
>>>>
>>>> Below is an ldif of a Windows 7 machine trust account
>>>>
>>>> dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
>>>> objectClass: top
>>>> objectClass: account
>>>> objectClass: posixAccount
>>>> objectClass: sambaSamAccount
>>>> cn: ac-2150$
>>>> uid: ac-2150$
>>>> uidNumber:
>>>> gidNumber: 515
>>>> homeDirectory: /dev/null
>>>> loginShell: /bin/false
>>>> description: Computer
>>>> gecos: Computer
>>>> sambaDomainName: DOMAIN
>>>> sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
>>>> sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
>>>> sambaNTPassword: DABA25E3910551C63347D399520C123D
>>>> sambaAcctFlags: [WX ]
>>>> sambaPwdLastSet: 1260776037
>>>>
>>>> Any help would be appreciated.
>>>>
>>>> aF
Re: [Samba] Windows 7 machine trust accounts expiring
> Have you applied any other registry patches beside those that I have
> applied?
>

I have not and I do not have any trust problems.

John
Re: [Samba] Windows 7 machine trust accounts expiring
Thank you all for prompt responses

Have you applied any other registry patches beside those that I have
applied?

Predrag Gavrilovic

On 19.05.2010 at 14:57, t...@tms3.com wrote:
> SNIP
>> Windows 7 joins domain but trust relation fails after month or so
>> with "netlogon_creds_server_check failed" error. Needless to say, XP
>> and Vista work ok.
>>
>> Can anyone (please) confirm possibility of windows 7 joining samba
>> domain and staying joined for more than a month. If so, what version
>> of samba is working? Is samba 3.5 required, or other registry patches
>> mentioned (as not needed) in wiki?
>
> Version samba34-3.4.5_1 on FreeBSD 8.0 and 7.2 with LDAP backend, 14
> WAN connected nodes, no account expiration.
>
>> On 16.12.2009 at 06:06, Alex Ferrara wrote:
>>> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
>>> Rejecting auth request from client AC-2150 machine account AC-2150$
>>>
>>> I have noticed that the new Windows 7 machines say the password has
>>> expired on the same date that is in "sambaPwdLastSet". I added the
>>> "X" attribute in sambaAcctFlags in an attempt to stop the accounts
>>> from expiring.
>>>
>>> Below is an ldif of a Windows 7 machine trust account
>>>
>>> dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
>>> objectClass: top
>>> objectClass: account
>>> objectClass: posixAccount
>>> objectClass: sambaSamAccount
>>> cn: ac-2150$
>>> uid: ac-2150$
>>> uidNumber:
>>> gidNumber: 515
>>> homeDirectory: /dev/null
>>> loginShell: /bin/false
>>> description: Computer
>>> gecos: Computer
>>> sambaDomainName: DOMAIN
>>> sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
>>> sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
>>> sambaNTPassword: DABA25E3910551C63347D399520C123D
>>> sambaAcctFlags: [WX ]
>>> sambaPwdLastSet: 1260776037
>>>
>>> Any help would be appreciated.
>>>
>>> aF
Re: [Samba] Windows 7 machine trust accounts expiring
SNIP
> Windows 7 joins domain but trust relation fails after month or so
> with "netlogon_creds_server_check failed" error. Needless to say, XP
> and Vista work ok.
>
> Can anyone (please) confirm possibility of windows 7 joining samba
> domain and staying joined for more than a month. If so, what version
> of samba is working? Is samba 3.5 required, or other registry patches
> mentioned (as not needed) in wiki?

Version samba34-3.4.5_1 on FreeBSD 8.0 and 7.2 with LDAP backend, 14
WAN connected nodes, no account expiration.

> On 16.12.2009 at 06:06, Alex Ferrara wrote:
>> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
>> Rejecting auth request from client AC-2150 machine account AC-2150$
>>
>> I have noticed that the new Windows 7 machines say the password has
>> expired on the same date that is in "sambaPwdLastSet". I added the
>> "X" attribute in sambaAcctFlags in an attempt to stop the accounts
>> from expiring.
>>
>> Below is an ldif of a Windows 7 machine trust account
>>
>> dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
>> objectClass: top
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: sambaSamAccount
>> cn: ac-2150$
>> uid: ac-2150$
>> uidNumber:
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>> sambaDomainName: DOMAIN
>> sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
>> sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
>> sambaNTPassword: DABA25E3910551C63347D399520C123D
>> sambaAcctFlags: [WX ]
>> sambaPwdLastSet: 1260776037
>>
>> Any help would be appreciated.
>>
>> aF
Re: [Samba] Windows 7 machine trust accounts expiring
Predrag Gavrilovic writes:
> Windows 7 joins domain but trust relation fails after month or so
> with "netlogon_creds_server_check failed" error. Needless to say, XP
> and Vista work ok.
>
> Can anyone (please) confirm possibility of windows 7 joining samba
> domain and staying joined for more than a month. If so, what version
> of samba is working? Is samba 3.5 required, or other registry patches
> mentioned (as not needed) in wiki?

We have been using samba 3.5.[12] and with those the Windows 7 trust
relation stays intact.

Regards,
roel
Re: [Samba] Windows 7 machine trust accounts expiring
I also have this problem, running samba 3.4.7 from debian backports on
Lenny. I have applied registry patches as suggested on samba wiki:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0

Windows 7 joins domain but trust relation fails after month or so with
"netlogon_creds_server_check failed" error. Needless to say, XP and
Vista work ok.

Can anyone (please) confirm possibility of windows 7 joining samba
domain and staying joined for more than a month. If so, what version of
samba is working? Is samba 3.5 required, or other registry patches
mentioned (as not needed) in wiki?

On 16.12.2009 at 06:06, Alex Ferrara wrote:
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client AC-2150 machine account AC-2150$
>
> I have noticed that the new Windows 7 machines say the password has
> expired on the same date that is in "sambaPwdLastSet". I added the
> "X" attribute in sambaAcctFlags in an attempt to stop the accounts
> from expiring.
>
> Below is an ldif of a Windows 7 machine trust account
>
> dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSamAccount
> cn: ac-2150$
> uid: ac-2150$
> uidNumber:
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> sambaDomainName: DOMAIN
> sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
> sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
> sambaNTPassword: DABA25E3910551C63347D399520C123D
> sambaAcctFlags: [WX ]
> sambaPwdLastSet: 1260776037
>
> Any help would be appreciated.
>
> aF
Re: [Samba] Windows 7 machine trust accounts expiring
Hi,

I'm having the same problem with my Windows 7 machines (64 bit
Enterprise) but not Vista. After exactly one month they complain that
"The trust relationship between this workstation and the primary domain
failed." and I have to rejoin the domain, which fixes it for another
month. This happens with and without the "X" account flag set. I'm
running samba 3.4.0-3ubuntu5 on ubuntu jaunty with tdbsam.

When the trust relationship expires, the samba log says:

rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client IX machine account IX$

Interestingly, even after rejoining the domain, when I log on as a
domain user for the first time, it shows the above error once more and
then logs on happily.

I also found this line several times:

smbd/service.c:1009(make_connection_snum)
  '/path/to/IX_' does not exist or permission denied when connecting to [tom] Error was No such file or directory

I'm logging on to the machine "ix" as user "tom" and none of the
machine accounts have home directories and so far none of them
complained about it missing; except the Windows7 ones. If I create the
directory and log in it says:

smbd/service.c:1047(make_connection_snum)
  ix (130.95.136.139) connect to service tom initially as user tom (uid=1050, gid=1050) (pid 6387)
smbd/service.c:1047(make_connection_snum)
  ix (130.95.136.139) connect to service tom initially as user IX$ (uid=1214, gid=200) (pid 6387)
smbd/nttrans.c:2076(call_nt_transact_ioctl)
  call_nt_transact_ioctl(0x1401c4): Currently not implemented.

and logs in happily. There are no files in the newly created
directories.

Alex: You mentioned that you wouldn't know until early this month if
the update to 3.4.3 solve this problem; did it?

Tom

On Wed, Dec 16, 2009 at 13:06, Alex Ferrara wrote:
> I think I have narrowed this down even further.
>
> I have been working through getting rid of error messages in the
> logs, and I have updated Samba to 3.4.3. This might have fixed the
> issue, and I won't know for some time, but I can still see the
> following error appearing in the logs, which seems to line up with
> the core issue of machine trust accounts expiring.
>
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client AC-2150 machine account AC-2150$
>
> I have noticed that the new Windows 7 machines say the password has
> expired on the same date that is in "sambaPwdLastSet". I added the
> "X" attribute in sambaAcctFlags in an attempt to stop the accounts
> from expiring.
[Samba] Windows 7 machine trust accounts expiring
I think I have narrowed this down even further.

I have been working through getting rid of error messages in the logs,
and I have updated Samba to 3.4.3. This might have fixed the issue, and
I won't know for some time, but I can still see the following error
appearing in the logs, which seems to line up with the core issue of
machine trust accounts expiring.

rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-2150 machine account AC-2150$

I have noticed that the new Windows 7 machines say the password has
expired on the same date that is in "sambaPwdLastSet". I added the "X"
attribute in sambaAcctFlags in an attempt to stop the accounts from
expiring.

Below is an ldif of a Windows 7 machine trust account

dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ac-2150$
uid: ac-2150$
uidNumber:
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaDomainName: DOMAIN
sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
sambaNTPassword: DABA25E3910551C63347D399520C123D
sambaAcctFlags: [WX ]
sambaPwdLastSet: 1260776037

Any help would be appreciated.

aF
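
An audit for the condition this thread describes, added here as an example and not taken from any post or from Samba: it reads an LDIF export of sambaSamAccount entries, lists workstation trust accounts ("W" in sambaAcctFlags) whose sambaPwdLastSet is older than the 30-day default interval mentioned in the thread, and counts the netlogon_creds_server_check rejections logged for each. The sample LDIF and log text are constructed after the shapes quoted in the thread, and the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Constructed sample data, modelled on the LDIF and smbd log lines quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
uid: ac-2150$
sambaAcctFlags: [WX         ]
sambaPwdLastSet: 1260776037

dn: uid=ix$,ou=computers,dc=domain,dc=local
uid: ix$
sambaAcctFlags: [W          ]
sambaPwdLastSet: 1263500000

dn: uid=tom,ou=people,dc=domain,dc=local
uid: tom
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1250000000
"""
SAMPLE_LOG = """\
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-2150 machine account AC-2150$
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-2150 machine account AC-2150$
"""

REJECT_RE = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request "
                       r"from client \S+ machine account (\S+\$)")

def parse_ldif(text):
    """Yield one dict per LDIF entry (single-valued attributes, no line folding)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value.strip()
        if entry:
            yield entry

def rejected_accounts(log_text):
    """Count rejections per machine account, lower-cased to match the LDAP uid."""
    counts = {}
    for m in REJECT_RE.finditer(log_text):
        name = m.group(1).lower()
        counts[name] = counts.get(name, 0) + 1
    return counts

def audit(ldif_text, log_text, now, max_age_days=30):
    """Return (uid, age_days, rejections) for 'W' accounts older than max_age_days."""
    rejects = rejected_accounts(log_text)
    rows = []
    for e in parse_ldif(ldif_text):
        flags = e.get("sambaAcctFlags", "")
        if "W" not in flags or not e.get("sambaPwdLastSet", "").isdigit():
            continue  # not a workstation trust account, or no usable timestamp
        last = datetime.fromtimestamp(int(e["sambaPwdLastSet"]), tz=timezone.utc)
        age = (now - last).days
        if age > max_age_days:
            rows.append((e["uid"], age, rejects.get(e["uid"].lower(), 0)))
    return sorted(rows, key=lambda r: -r[1])  # oldest machine secret first

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, SAMPLE_LOG, datetime(2010, 1, 20, tzinfo=timezone.utc)))
```

With DisablePasswordChange set on the clients, every such machine appears in this list once the interval has passed, so the output doubles as an inventory of machine secrets that no longer rotate.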