Nach Servercrash: creds_server_check failed

[morpheus2001]

Hi,

nach einem Servercrash können sich immer weniger Benutzer an meiner Samba Domain anmelden! In der /var/log/samba/log.smb und in der /var/log/daemon findet sich folgender Eintrag beim Versuch der Maschine 77, sich an der Domain anzumelden:

Code:

Jun 21 10:27:37 fileserver smbd[13888]: [2006/06/21 10:27:37, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(424) 
Jun 21 10:27:37 fileserver smbd[13888]:   _net_auth2: creds_server_check failed. Rejecting auth request from client K2LPC77 machine account K2LPC77$ 
Jun 21 10:27:37 fileserver smbd[13888]: [2006/06/21 10:27:37, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(424) 
Jun 21 10:27:37 fileserver smbd[13888]:   _net_auth2: creds_server_check failed. Rejecting auth request from client K2LPC77 machine account K2LPC77$

Der Benutzer (ndjeukouna) und der Maschinen Account (K2LPC77) kann ich mit pdbedit erreichen:

Code:

pdbedit -d5 ndjeukouna
INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter security = user
doing parameter enable privileges = yes
doing parameter share modes = yes
doing parameter encrypt passwords = true
doing parameter netbios name = fileserver
handle_netbios_name: set global_myname to: FILESERVER
doing parameter server string = Fileserver
doing parameter passdb backend = ldapsam:ldap://127.0.0.1/
doing parameter include = /etc/samba/ldap.conf
params.c:pm_process() - Processing configuration file "/etc/samba/ldap.conf"
doing parameter ldap passwd sync = no
doing parameter ldap admin dn = cn=samba,ou=DSA,dc=k2l,dc=com
doing parameter ldap suffix = dc=k2l,dc=com
doing parameter ldap group suffix = ou=Groups
doing parameter ldap user suffix = ou=Users
doing parameter ldap machine suffix = ou=Computers
doing parameter ldap ssl = no 
doing parameter ldap delete dn = Yes
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add user script = /usr/sbin/smbldap-useradd -m "%u"
doing parameter delete user script = /usr/sbin/smbldap-userdel "%u"
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter delete group script = /usr/sbin/smbldap-groupdel "%g"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
doing parameter passwd program = /usr/sbin/smbldap-passwd "%u"
doing parameter domain logons = yes
doing parameter workgroup = k2l.com
doing parameter os level = 65
doing parameter log level = 1 auth:4 
doing parameter local master = yes
doing parameter preferred master = yes
doing parameter domain master = yes
doing parameter wins support = yes
doing parameter hosts allow = 192.168.0.0/255.255.0.0
doing parameter interfaces = eth0
doing parameter map hidden = no
doing parameter map system = no
doing parameter map archive = no
doing parameter map readonly = no
doing parameter map read only = no
doing parameter store dos attributes = yes
doing parameter name resolve order = lmhosts host wins bcast
pm_process() returned Yes
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=K2L.COM))]
smbldap_search_ext: base => [dc=k2l,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=K2L.COM))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
smbldap_check_root_dse: LDAP Server does not support any supportedControl
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Netbios name list:-
my_netbios_names[0]="FILESERVER"
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=K2L.COM))]
smbldap_search_ext: base => [dc=k2l,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=K2L.COM))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
smbldap_check_root_dse: LDAP Server does not support any supportedControl
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
smbldap_search_ext: base => [dc=k2l,dc=com], filter => [(&(uid=ndjeukouna)(objectclass=sambaSamAccount))], scope => [2]
init_sam_from_ldap: Entry found for user: ndjeukouna
ndjeukouna:1004:Jean Ndjeukouna

Code:

pdbedit -d5 k2lpc77$
INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter security = user
doing parameter enable privileges = yes
doing parameter share modes = yes
doing parameter encrypt passwords = true
doing parameter netbios name = fileserver
handle_netbios_name: set global_myname to: FILESERVER
doing parameter server string = Fileserver
doing parameter passdb backend = ldapsam:ldap://127.0.0.1/
doing parameter include = /etc/samba/ldap.conf
params.c:pm_process() - Processing configuration file "/etc/samba/ldap.conf"
doing parameter ldap passwd sync = no
doing parameter ldap admin dn = cn=samba,ou=DSA,dc=k2l,dc=com
doing parameter ldap suffix = dc=k2l,dc=com
doing parameter ldap group suffix = ou=Groups
doing parameter ldap user suffix = ou=Users
doing parameter ldap machine suffix = ou=Computers
doing parameter ldap ssl = no
doing parameter ldap delete dn = Yes
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add user script = /usr/sbin/smbldap-useradd -m "%u"
doing parameter delete user script = /usr/sbin/smbldap-userdel "%u"
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter delete group script = /usr/sbin/smbldap-groupdel "%g"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
doing parameter passwd program = /usr/sbin/smbldap-passwd "%u"
doing parameter domain logons = yes
doing parameter workgroup = k2l.com
doing parameter os level = 65
doing parameter log level = 1 auth:4
doing parameter local master = yes
doing parameter preferred master = yes
doing parameter domain master = yes
doing parameter wins support = yes
doing parameter hosts allow = 192.168.0.0/255.255.0.0
doing parameter interfaces = eth0
doing parameter map hidden = no
doing parameter map system = no
doing parameter map archive = no
doing parameter map readonly = no
doing parameter map read only = no
doing parameter store dos attributes = yes
doing parameter name resolve order = lmhosts host wins bcast
pm_process() returned Yes
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Substituting charset 'ISO-8859-15' for LOCALE
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=K2L.COM))]
smbldap_search_ext: base => [dc=k2l,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=K2L.COM))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
smbldap_check_root_dse: LDAP Server does not support any supportedControl
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Netbios name list:-
my_netbios_names[0]="FILESERVER"
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=K2L.COM))]
smbldap_search_ext: base => [dc=k2l,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=K2L.COM))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
smbldap_check_root_dse: LDAP Server does not support any supportedControl
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
smbldap_search_ext: base => [dc=k2l,dc=com], filter => [(&(uid=k2lpc77$)(objectclass=sambaSamAccount))], scope => [2]
init_sam_from_ldap: Entry found for user: k2lpc77$
Home server: fileserver
Home server: fileserver
k2lpc77$:1006:K2LPC77$

Ich benutze die Samba Version 3.0.22. Nach einer Googel Recherche fand ich das "creds_server_check failed" - Problem als Known Bug in Version 3.0.21a. Jedoch lief das System vor dem Absturz.

Hoffe sehr auf Hilfe, da ich gerade etwas aufgeschmissen bin

Gruß
Daniel

[morpheus2001]

Weitere Recherchen ergaben:

- Bei manchen Maschinen Konten fehlt das sambaLMPassword.
- Die sambaLMPassword und sambaNTPassword Werte aus unseren Backups unterscheiden sich von den aktuellen.

Frage: Ändert Samba die sambaNTPassword und sambaLMPassword Werte gelegentlich? (Das Passwort sollte theoretisch nie ablaufen, weil die Trusted Workstations folgende USE FLags haben: "[WX ]". Das X bedeutet laut Samba Manual, dass die Passwörter nie ablaufen.

Ich habe jetzt ein Backup von den aktuellen LDAP Einträgen gemacht, alle Maschinenkonten gelöscht und die usprünglichen Maschinenkonten vom Backup in die LDAP Datenbank eingefügt. Hat leider nichts gebracht, Windows meckert immer noch am Domaincontroler und Samba sagt immer noch:

Code:

Jun 21 12:33:18 fileserver smbd[14452]: [2006/06/21 12:33:18, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(424)
Jun 21 12:33:18 fileserver smbd[14452]:   _net_auth2: creds_server_check failed. Rejecting auth request from client K2LPC16 machine account K2LPC16$

Was tun?

[emba]

sieht so aus, als hättest du einige passwortinformationen bzgl. der clients nach dem crash verloren. die clients ändern regelmässig (zeit ist OS-abhängig) ihr shared secret mit dem PDC. dies wird nie vom DC forciert, sondern immer vom client. stimmen die secrets nicht mehr überein (oder fehlt die information), so kann sich kein nutzer mehr an dieser workstation anmelden

greez

[morpheus2001]

Hi emba,

ja, so muss es gewesen sein. Ich habe an diesem Tag noch ein Backup der Secrets eingespielt. Danach funktionierte ein großteil wieder. 4 Clientrechner musste ich manuell wieder neu in der Domain aufnehmen, da die Frequenz des Backups die aktuellen Secrets nicht mehr erwischt haben.

Gut zu wissen, ich habe nun die Backups der Secrets verstärkt. Weiterhin werde ich ein BDC einrichten, der Ausfälle des PDC kompensieren kann.

Danke für die Hilfe,

Gruß
Daniel