Re: [Samba] Samba 2.2.8 is failing on change machine account password
Andrew Bartlett wrote: If you run 'smbpasswd -t' it should do it on demand. Hi, thank you for the information. It makes testing easier. But unfortunatlly I get the same error. I had performed several tests concerning the case sensitiv writing of the domainname, but I got no solution. (attached the matrix of values I have tested) I removed the samba host (printserver3) each time from the domain unsing the servermanager und added ist (with servermanger) First join with smbpasswd -j NTROBOTIC -r ROBPDC2 works second try with smbpasswd -t NTROBOTIC 2003/03/31 08:24:56 : change_trust_account_password: Failed to change password f or domain NTROBOTIC. fails. printserver3 is a test system only, so I can use it for testing until the end of the next week. If I can supply further testing/information, please let me know. Thank you Hansjörg smb.confsmbpasswd Servermanager Result NTROBOTIC NTROBOTIC NTROBOTIC n ntrobotic ntrobotic ntrobotic NTROBOTIC ntrobotic ntrobotic 17.03.2003 18:00 Uhr Netbios/smb.conf Workgroup/smb.conf Domain/smbpasswd PDC/smbpaswd Servermanager/del Servermanager/add dateResult --- NTROBOTIC NTROBOTICROBPDC2 Y Y 25.03 8:30 bad PRINTSERVER3 NTROBOTIC NTROBOTICROBPDC2 Y Y 25.03 16:30 bad printserver3 NTROBOTIC NTROBOTICROBPDC2 Y Y 26.03 10:30 bad printserver3 NTROBOTIC NTROBOTICrobpdc2 Y Y 26.03 15:30 bad PRINTSERVER3 NTROBOTIC NTROBOTICrobpdc2 Y Y 26.03 17:00 bad --- NTROBOTIC NTROBOTICrobpdc2 Y Y 26.03 17:50 bad --- ntrobotic NTROBOTICROBPDC2 Y Y 27.03 8:30 bad PRINTSERVER3 ntrobotic NTROBOTICROBPDC2 Y Y 27.03 16:30 printserver3 ntrobotic NTROBOTICROBPDC2 Y Y 27.03 10:30 -- NTROBOTIC NTROBOTICROBPDC2 Y Y (passwd server*) 27.03 10:30 bad printserver3 ntrobotic ntroboticrobpdc2 Y Y 27.03 15:30 Andrew Bartlett -- _ Dr. Hansjoerg Maurer | LAN- System-Manager | Deutsches Zentrum | DLR Oberpfaffenhofen f. Luft- und Raumfahrt e.V. | Institut f. Robotik | Postfach 1116 | Muenchner Strasse 20 82230 Wessling | 82234 Wessling Germany | | Tel: 08153/28-2431 | E-mail: [EMAIL PROTECTED] Fax: 08153/28-1134 | WWW: http://www.robotic.dlr.de/ __ -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 2.2.8 is failing on change machine account password
Hi, I have the sampe problem with security=domain but it occurs with older samba versions to. (Solaris 8, NT4 PDC) I have tried serveral setting (upper/lowercase of Domainname (in workgroup and smbpasswd command), adding it via smbpasswd with/without creating the machine account at the NT4 domain before. It works for one week after adding the Samba server to the domain With machine password timeout = 900 you can decrease the time until the problem occurs from one week to eg. 15 min for testing purposes. It is not a real problem, it still works, but it produces strange messages (even on the NT PDC). Greetings Hansjörg /var/log/samba/log.rmts1-[2003/03/27 16:54:34, 0] rpc_client/cli_netlogon.c:cli_net_req_chal(246) /var/log/samba/log.rmts1-[2003/03/27 16:54:34, 0] rpc_client/cli_login.c:cli_nt_setup_creds(47) /var/log/samba/log.rmts1-[2003/03/27 16:54:34, 0] rpc_client/cli_trust.c:modify_trust_password(142) /var/log/samba/log.rmts1-[2003/03/27 16:54:34, 0] rpc_client/cli_trust.c:change_trust_account_password(248) /var/log/samba/log.rmts1: 2003/03/27 16:54:34 : change_trust_account_password: Failed to change password for domain NTROBOTIC. -- _ Dr. Hansjoerg Maurer | LAN- System-Manager | Deutsches Zentrum | DLR Oberpfaffenhofen f. Luft- und Raumfahrt e.V. | Institut f. Robotik | Postfach 1116 | Muenchner Strasse 20 82230 Wessling | 82234 Wessling Germany | | Tel: 08153/28-2431 | E-mail: [EMAIL PROTECTED] Fax: 08153/28-1134 | WWW: http://www.robotic.dlr.de/ __ -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 2.2.8 is failing on change machine account password
On Fri, Mar 28, 2003 at 10:00:47PM +1100, Andrew Bartlett wrote: Andrew == Andrew Bartlett [EMAIL PROTECTED] writes: Andrew On Fri, 2003-03-28 at 19:44, Hansjoerg Maurer wrote: Andrew If you run 'smbpasswd -t' it should do it on demand. That doesn't seem to work smbpasswd -t AMERICASE 2003/03/28 07:40:32 : change_trust_account_password: Failed to change password for domain AMERICASE. I do have a debug level 10 log of the attempt but there really isn't much more information in it. I really do think this might be a bug. If anyone has been able to get this to work, I would appreciate hearing about it. If there are other steps I can take to help debug/fix this, I am willing to take those steps. Doesn't this present a potential security issue if the machine password never changes? [2003/03/27 15:33:15, 5, pid=25400] lib/util.c:(291) smb_bcc=0 [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(518) write_socket(10,39) [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(521) write_socket(10,39) wrote 39 [2003/03/27 15:34:15, 3, pid=25400] smbd/sec_ctx.c:(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/03/27 15:34:15, 5, pid=25400] smbd/uid.c:(217) change_to_root_user: now uid=(0,0) gid=(0,0) [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1137) timeout_processing: checking to see if machine account password need changing. [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1167) timeout_processing: machine account password last change time = (1046645657) Sun, 02 Mar 2003 17:54:17 EST. [2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46) domain_client_validate: unable to fetch domain sid. [2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46) domain_client_validate: unable to fetch domain sid. [2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46) domain_client_validate: unable to fetch domain sid. [2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(248) 2003/03/27 15:34:15 : change_trust_account_password: Failed to change password for domain AMERICASE. [2003/03/27 15:34:20, 10, pid=25400] lib/util_sock.c:(559) got smb length of 35 [2003/03/27 15:34:20, 6, pid=25400] smbd/process.c:(845) got message type 0x0 of len 0x23 [2003/03/27 15:34:20, 3, pid=25400] smbd/process.c:(846) Transaction 15 of length 39 [2003/03/27 15:34:20, 5, pid=25400] lib/util.c:(275) size=35 smb_com=0x71 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=18439 -- Eric M. Boehm /\ ASCII Ribbon Campaign [EMAIL PROTECTED] \ / No HTML or RTF in mail X No proprietary word-processing Respect Open Standards / \ files in mail -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 2.2.8 is failing on change machine account password
On Fri, Mar 28, 2003 at 11:50:34PM +1100, Andrew Bartlett wrote: Andrew == Andrew Bartlett [EMAIL PROTECTED] writes: Andrew If you run 'smbpasswd -t' it should do it on demand. Eric That doesn't seem to work Andrew I didn't say it would work, just that it would be easier Andrew to debug :-) True enough :-( Eric Doesn't this present a potential security issue if the machine Eric password never changes? Andrew Small - basically if the 'bad guy' can figure out the Andrew password by cryptographic or network brute force before Andrew you change it, yes. If he is listening on the connection Andrew always anyway, then they will observe the password change. Andrew In short - keep it secret, and it's not too bad. [2003/03/27 15:33:15, 5, pid=25400] lib/util.c:(291) smb_bcc=0 [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(518) write_socket(10,39) [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(521) write_socket(10,39) wrote 39 [2003/03/27 15:34:15, 3, pid=25400] smbd/sec_ctx.c:(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2003/03/27 15:34:15, 5, pid=25400] smbd/uid.c:(217) change_to_root_user: now uid=(0,0) gid=(0,0) [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1137) timeout_processing: checking to see if machine account password need changing. [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1167) timeout_processing: machine account password last change time = (1046645657) Sun, 02 Mar 2003 17:54:17 EST. [2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46) domain_client_validate: unable to fetch domain sid. Andrew This certainly looks like an issue. Andrew Have you tried rejoining the domain? No, I was hoping to avoid that as I don't control the domain and don't have domain admin rights. I have to open a ticket and have the machine account refreshed or deleted/recreated -- that can take time. I have several servers I have to upgrade and rejoining the domain would complicate the process and make it take longer. I don't believe it was necessary to rejoin for 2.2.5. However, if you think that rejoining the domain is the next logical step in debugging this, I'll give it a try. Would it be best to have the account refreshed or deleted/recreated? Alternatively, would it be better to try earlier 2.2.x versions and use smbpasswd -t in an attempt to find out which version broke it? -- Eric M. Boehm /\ ASCII Ribbon Campaign [EMAIL PROTECTED] \ / No HTML or RTF in mail X No proprietary word-processing Respect Open Standards / \ files in mail -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba