[Samba] password change problem and no logon servers available

2012-08-08 Thread Florian Scholz
Hi,

we are using SAMBA 3.6.1-1 (updating this archlinux machine is tooo ugly)
and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend
and manage the users, groups and computers by using the smbldap-tools.

Currently we are experiencing the following problems:

1. changing the passwords takes longer than 30 seconds - That's bad
because we are using a gigabit ethernet network!
2. sometimes windows tells us that the user can't change their passwords at
the current point of time
3. sometimes windows forces the users to change their passwords (we never
told samba to do it!)
4. sometimes windows tells us that there are no logon servers available!

Are there any known bugs regarding these problems? Do you need further
information to investigate this problem?

Florian Scholz
[global]

#!!! Authentication of the PDC in the domain

workgroup = ASTA
netbios name = samba

domain logons = yes
domain master = yes
local master = yes

server string = %h PDC (%v)
comment = %h PDC (%v)

#!!! Ensure that the PDC is in any case used by the machines as the primary PDC.
preferred master = yes
os level = 20

#!!! Time synchronization (synchronize the computer clocks with the SAMBA PDC)
time server = yes

#!!! Restriction of network access

interfaces = 192.168.100.253
bind interfaces only = yes

#!!! Authentication of users and machines against the PDC

security = user

#!!! The following two settings conflict with each other

obey pam restrictions = yes
encrypt passwords = yes

admin users = root,admin

#!!! Configuration of LDAP access

passdb backend = ldapsam:ldap://127.0.0.1

ldap suffix = dc=asta,dc=lan
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap admin dn = cn=admin,dc=asta,dc=lan
ldap passwd sync = yes
ldap idmap suffix = ou=Idmap
ldap ssl = no
ldap delete dn = no
ldap passwd sync = yes

# The IDMAP settings should match those in Krefeld so that SAMBA works.
# The purpose of the IDMAP settings is to represent Windows SIDs as UNIX IDs

idmap uid = 1-2
idmap gid = 1-2

#!!! Change UNIX passwords

unix password sync = yes

passwd program = /usr/bin/passwd %u

#!!! Default settings for new SAMBA users

template shell = /bin/false
template homedir = /home/%U

#!!! Windows logon

logon drive = h:
logon script = netlogon.bat


#!!! Tuning and system-specific settings

#socket options = TCP_NODELAY
#
#kernel oplocks = no
#posix locking = no


socket options = TCP_NODELAY

kernel oplocks = yes
posix locking = yes
#   kernel oplocks = yes
#   #Do not resolve WINS names via DNS
#   dns proxy = no

#Tuning from blog

getwd cache = yes
lpq cache = 30
oplocks = yes


#!!! Debug-Logging

#log level = 2 auth:3 smb:3
#log file = /var/log/samba/%U.log
#max log size = 1000



#!!! Miscellaneous

hide files = /desktop.ini/profile.V2/$RECYCLE.BIN/

#!!! Shares required for authentication

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
browseable = no
public = yes

[profiles]
comment = User Profiles
create mask = 0700
directory mask = 0700
writeable = yes
browsable = no

[homes]
comment = Home Directory %U
create mask = 0755
directory mask = 0755
writeable = yes
browsable = no

#!!! The AStA share from Krefeld

[asta]
comment = asta
path = /home/samba/asta/
browsable = yes
writeable = yes
hide unreadable = yes
hide special files = yes
create mask = 0775
directory mask = 0775

#!!! The home directories from Mönchengladbach

[gladbach]
comment = asta
path = /mnt/mg
browsable = yes
writeable = yes
hide unreadable = yes
hide special files = yes
create mask = 0775
directory mask = 0775

[backup]
comment = asta
path = /home/samba/backup
browsable = yes
writeable = yes
hide unreadable = yes
hide special files = yes
create mask = 0775
directory mask = 0775
guest ok = yes
guest only = yes
guest 

Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread John Drescher
> we are using SAMBA 3.6.1-1 (updating this archlinux machine is tooo ugly)
> and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend
> and manage the users, groups and computers by using the smbldap-tools.
>
> Currently we are experiencing the following problems:
>
> 1. changing the passwords takes longer than 30 seconds - That's bad
> because we are using a gigabit ethernet network!
> 2. sometimes windows tells us that the user can't change their passwords at
> the current point of time
> 3. sometimes windows forces the users to change their passwords (we never
> told samba to do it!)
> 4. sometimes windows tells us that there are no logon servers available!
>
> Are there any known bugs regarding these problems? Do you need further
> information to investigate this problem?


I do not have any of these bugs on my samba3 based network at work. I
believe my PDC and BDCs are samba-3.5.X and I am using the last
released openldap 2.3.X release on all 3 ldap servers.



John
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread Gaiseric Vandal
Is this a single domain controller environment (1 PDC) or do you also
have one or more BDCs?

Are you using WINS? That should help clients find domain controllers.

Is there a difference between XP and Windows 7 clients? As you
probably know, you can log in to a Windows machine with cached
credentials even if it is not connected to the network. I found with
Windows 7 machines sometimes you may have logged into the computer with
your network account, the domain controller was not reached, you get
authenticated with cached credentials and you don't know there is an
issue until you try changing your password. This is more likely to
happen with laptops that may get disconnected and reconnected from the
network without doing a complete shutdown first.


pdbedit -Lv username should show you if the X flag is set for the
user. If the X flag is set, the user's password should never expire
even if the domain policy sets a max password age.

If you have an LDAP browser, look at the top-level sambaDomainObject.
There may be a sambamaxpwdage (n seconds) param.




Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread Florian Scholz
1. Only one PDC per subnetwork (physically another town)
2. I don't know if I'm using WINS but I don't think so.
3. Yes, there are some registry settings you have to apply to Windows 7 to
make it compatible with SAMBA 3.6
4.  Yes but I don't get the temporary session message :)
5. The X-flag isn't set.

# ASTA, asta.lan
dn: sambaDomainName=ASTA,dc=asta,dc=lan
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: ASTA
sambaSID: S-1-5-21-3963991337-2686100338-2601203207
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaLockoutThreshold: 0
sambaRefuseMachinePwdChange: 0
sambaLogonToChgPwd: 0
sambaMinPwdAge: 0
sambaForceLogoff: -1
sambaMinPwdLength: 4
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
gidNumber: 1049
sambaNextRid: 1028
uidNumber: 1209
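
Added example (not part of the original posts): a small Python check that applies the two inputs named in this thread, the per-account X flag and the domain's sambaMaxPwdAge, to the sambaDomain entry posted above. The user entries are constructed, and the rule that a sambaPwdLastSet of 0 forces a change at next logon is an assumption about Samba 3.x behaviour that the thread does not state.

```python
# sambaDomain policy as posted in the thread (only the attributes used here).
DOMAIN_LDIF = """\
dn: sambaDomainName=ASTA,dc=asta,dc=lan
sambaMaxPwdAge: -1
"""

# Constructed account entries (hypothetical users, not from the thread).
USERS_LDIF = """\
dn: uid=alice,ou=Users,dc=asta,dc=lan
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1344400000

dn: uid=bob,ou=Users,dc=asta,dc=lan
sambaAcctFlags: [UX         ]
sambaPwdLastSet: 1344400000

dn: uid=carol,ou=Users,dc=asta,dc=lan
sambaAcctFlags: [U          ]
sambaPwdLastSet: 0
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (no folding, no base64) into dicts of lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def must_change(domain, user, now):
    """Return (forced, reason): is this account forced to change its password?"""
    flags = user["sambaacctflags"][0].strip("[] ")
    last_set = int(user["sambapwdlastset"][0])
    max_age = int(domain["sambamaxpwdage"][0])  # seconds
    # Assumption: Samba 3.x treats "never set" (0) as change-at-next-logon.
    if last_set == 0:
        return True, "sambaPwdLastSet is 0: change required at next logon"
    if "X" in flags:
        return False, "X flag set: password never expires"
    if max_age in (-1, 0):
        return False, "domain policy sets no maximum password age"
    if last_set + max_age <= now:
        return True, "password is older than sambaMaxPwdAge"
    return False, "password is still within sambaMaxPwdAge"

def report(domain_ldif, users_ldif, now):
    domain = parse_ldif(domain_ldif)[0]
    return {u["dn"][0]: must_change(domain, u, now) for u in parse_ldif(users_ldif)}

print(report(DOMAIN_LDIF, USERS_LDIF, now=1344500000))
```

With the posted policy (sambaMaxPwdAge: -1) only an account whose sambaPwdLastSet is 0 is reported as forced, which is the per-user attribute to inspect when Windows demands a change that the domain policy does not ask for.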




Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread Gaiseric Vandal
3. If you were able to join the domain and log in to your PC, then your
registry settings should not be an issue. I meant: do you have this
problem with XP and Win 7 or only Win 7?




Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread Gaiseric Vandal
I would look at the Windows event log. It may be of help.

Also, nbtstat -a should show you the IP addresses for the domain, DCs
and master browser. I found with both Samba and NT4 domains that
using WINS helped; it shouldn't cause new problems at least.





On 08/08/12 12:17, Florian Scholz wrote:
> I'm not using XP anymore.. and I meant that I applied the
> http://wiki.samba.org/index.php/Windows7 stuff before adding the
> computers to the domain
