Re: [Samba] Windows 7 and a Samba PDC? Fixed by magic

2010-09-13 Thread Berni Elbourn
I don't believe this! Suddenly Domain users can login again. Roaming 
profiles, login scripts, mapped drives the lot.


I still see the same errors in the logs:

[2010/09/13 18:49:43,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client W7 machine account W7$

snip
[2010/09/13 18:50:14,  1] smbd/vfs.c:932(check_reduced_name)
  reduce_name: couldn't get realpath for elbournb.V2/ntuser.ini
snip

Seems Windows 7 is a bit fragile. :-( And just to be sure I have removed 
and re-added the system to the domain  - still works. I could cry!


Berni

Berni Elbourn wrote:


Hi,

I would be extremely grateful if you could cast your eye over my
problem with getting a Windows 7 PC back onto a Samba domain.

I have the current version from lenny-backports:
2:3.4.8~dfsg-2~bpo50+1; the client is Windows 7 Ultimate. Logins,
profiles and netlogon scripts all seemed to work back in Feb 2010
using the instructions here:

http://wiki.samba.org/index.php/Windows7

However, this week it seems the machine trust is now broken. Removing
and re-adding the Windows 7 client to the domain claims to succeed on
the Windows side, but this error is logged in log.smbd:


snip


Is anyone here able to advise on my Windows 7 tragedy?

I have switched over to the tdbsam backend and I have tried the various
group policy options with no improvement.

Network Security: Do not store LAN Manager hash value on next password
change from Enabled to Disabled
Network Security: LAN Manager authentication level change from Not
Defined to Send LM & NTLM responses
-Network Security: Minimum session...both clients and server: NO Required
128b encryption
Computer|Admin.Templates|System|User Profiles|
-Do not check for user ownership of roaming profile: Enabled
-Delete cache copies of roaming profile: Enabled

I have tried these in smb.conf:

client ntlmv2 auth = yes
lanman auth = yes
ntlm auth = Yes

At this point I have exhausted google (and me).

Resetting those all back to default (respecting what the Samba wiki
says) gives these errors when joining:

[2010/09/13 14:55:28,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [root] - [root] -
[root] succeeded
[2010/09/13 14:55:28,  2] auth/token_util.c:450(create_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind
allocate gids?
[2010/09/13 14:55:28,  2] auth/token_util.c:474(create_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2010/09/13 14:55:30,  2] rpc_server/srv_samr_nt.c:4118(_samr_LookupDomain)
  Returning domain sid for domain ECS -
S-1-5-21-1400426869-3020193132-3326178760
[2010/09/13 14:55:30,  2] auth/token_util.c:450(create_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind
allocate gids?
[2010/09/13 14:55:30,  2] auth/token_util.c:474(create_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2010/09/13 14:55:30,  2]
libsmb/credentials.c:223(netlogon_creds_server_check)
  netlogon_creds_server_check: credentials check failed.
[2010/09/13 14:55:30,  0]
rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client W7 machine account W7$
[2010/09/13 14:55:38,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [W7] - [W7] FAILED with
error NT_STATUS_NO_SUCH_USER

And these when logging in:

[2010/09/13 14:56:32,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/13 14:56:32,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/13 14:56:32,  2] auth/token_util.c:450(create_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind
allocate gids?
[2010/09/13 14:56:32,  2] auth/token_util.c:474(create_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2010/09/13 14:56:32,  2]
libsmb/credentials.c:223(netlogon_creds_server_check)
  netlogon_creds_server_check: credentials check failed.
[2010/09/13 14:56:32,  0]
rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client W7 machine account W7$
[2010/09/13 14:56:40,  1] auth/auth_util.c:577(make_server_info_sam)
  User W7$ in passdb, but getpwnam() fails!
[2010/09/13 14:56:40,  0] auth/auth_sam.c:355(check_sam_security)
  

Re: [Samba] Windows 7 and a Samba PDC? Fixed by magic

2010-09-13 Thread Martin Hochreiter

On 2010-09-13 20:31, Berni Elbourn wrote:
> I don't believe this! Suddenly Domain users can login again. Roaming
> profiles, login scripts, mapped drives the lot.
>
> I still see the same errors in the logs:
>
> [2010/09/13 18:49:43,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client W7 machine account W7$
>
> snip
> [2010/09/13 18:50:14,  1] smbd/vfs.c:932(check_reduced_name)
>   reduce_name: couldn't get realpath for elbournb.V2/ntuser.ini
> snip
>
> Seems Windows 7 is a bit fragile. :-( And just to be sure I have
> removed and re-added the system to the domain - still works. I could
> cry!
>
> Berni


Hello Berni!

The netr_ServerAuthenticate3 message does not affect a domain user's
login (I am searching for a solution concerning the machine reject
problem).
When you have followed the Samba Windows 7 wiki (the registry entries)
then Windows 7 domain users should have no problem logging on and (if
correctly configured) accessing the server's share.

Some thoughts to your problem:
I learned that sometimes Windows 7 is losing these settings.

HKLM\System\CCS\Services\Netlogon\Parameters
   DWORD  RequireSignOrSeal = 1
   DWORD  RequireStrongKey = 1


especially the RequireStrongKey, and that leads to a loss of the trust relationship.

Additionally, Windows 7 is acting very strangely when using roaming
profiles. We have XX machines where user x can log on without any
problems with its roaming profile, and then suddenly 1 or 2 machines
are refusing the profile.
(You see in the Samba log that Win7 is completely fetching the files of
the profile and then it decides not to use them and refuses the
profile.) You can solve that by completely discarding the user's
information on that machine (deleting the cached profile files,
deleting everything in the registry with the username of the user AND
deleting everything with the user's full SID in it).


regards
Martin
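
Added example, not part of either post and not Samba's own code: a small Python parser that reassembles log.smbd records (including the mail-wrapped form shown in this thread) and lists the machine accounts rejected by _netr_ServerAuthenticate3, which is the trust failure both posts discuss. The sample text is constructed from the log lines quoted above, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: log.smbd records, some in the mail-wrapped form seen in this thread.
SAMPLE = """\
[2010/09/13 14:55:30,  2]
libsmb/credentials.c:223(netlogon_creds_server_check)
  netlogon_creds_server_check: credentials check failed.
[2010/09/13 14:55:30,  0]
rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client W7 machine account W7$
[2010/09/13 14:56:32,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client W7 machine account W7$
[2010/09/13 14:56:40,  1] auth/auth_util.c:577(make_server_info_sam)
  User W7$ in passdb, but getpwnam() fails!
"""

# A record starts with "[date time, level]"; the source location may follow on the same line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s+(\d+)\]\s*(.*)$")
REJECT = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+)")

def records(text):
    """Yield (timestamp, level, body); body joins every line up to the next header."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), int(m.group(2)), [m.group(3)] if m.group(3) else [])
        elif current and line.strip():
            current[2].append(line.strip())  # wrapped or indented continuation
    if current:
        yield current[0], current[1], " ".join(current[2])

def trust_failures(text):
    """Return [(timestamp, client, account)] for rejected machine-account auths."""
    hits = []
    for ts, _level, body in records(text):
        m = REJECT.search(body)
        if m and "_netr_ServerAuthenticate3" in body:
            hits.append((ts, m.group(1), m.group(2)))
    return hits

def failures_per_account(text):
    """Count rejections per machine account, to spot a client whose trust keeps failing."""
    return Counter(account for _ts, _client, account in trust_failures(text))
```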
