Machine logon to Nethserver


(Ralph) #1

Hi,
I found a strange error message in the messages log after logging in to Nethserver. It says " _netr_ServerAuthenticate3: netlogon_creds_sernetlogon_creds_server_check failed. Rejecting auth request from client M1 machine account M1$".
But in fact the user is logged in with all his file sharing rights.
Any idea what this message is about?

Ralph


(Alessio Fattorini) #2

Can you provide more details about the logon? I’d like to know what you’re hoping to achieve.


(Ralph) #3

I would like to know why the machine logon is rejected. In fact this Win 7 client is a domain member. What creates this error message? Also, the logon process takes a bit long, which maybe has to do with it.
Does the NS PDC act as a WINS server? Or is that obsolete?


(Bogdan Costin) #4

Rasi, are the clocks of the two systems synchronized?
Tip: Log on as local Admin, then try to synchronize the time of the win 7 client to the time of NS, and then try the domain logon again.

BR
Bogdan


(Ralph) #5

Thanks for the tip. But the time of NS and win 7 client are in sync. Any other ideas?
By the way, the whole error message starts with “rpc_server/netogon/srv_netlogon_nt.c:976”. Does that give a clue?


(Bogdan Costin) #6

Hi Rasi, you can check the following and see if something is wrong.

Firewall is on on the win machine? (turn it off if it is)
The win7 client takes the IP via DHCP with the correct DNS settings?
Also take a look at this: join win clients to NS Domain. Maybe it helps, especially the part about the registry key.

BR
Bogdan


(Ralph) #7

Hi Bogdan,
the Howto “join win clients to NS Domain” says:
"After the NS is set up as AD, on this page the LDAP settings should be visible."
That is not the case here. NS is marked as PDC but no LDAP information. Has this changed or does something go wrong inside my NS?

Best,
Ralph


(Stefano) #8

does this text appear in your error logs?

there’s no trace at all in the whole internet of it… and it’s strange to find the word “sernet”

can you please post the output of

rpm -qa | grep samba

thank you


(Ralph) #9

Damned copy and paste! No, the correct error log says:
"rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
… smbd[28384]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WSx machine account WSx$"
This message appears whenever a user logs in from whichever machine (all being Windows 7 clients).

The output of “rpm -qa | grep samba” is:
samba-winbind-clients-3.6.23-20.el6.x86_64
nethserver-samba-1.5.4-1.ns6.noarch
samba-common-3.6.23-20.el6.x86_64
samba-client-3.6.23-20.el6.x86_64
samba-winbind-3.6.23-20.el6.x86_64
samba-3.6.23-20.el6.x86_64

Ralph
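
Added example, not part of the original thread: a Python sketch that tallies which machine accounts smbd is rejecting in `_netr_ServerAuthenticate3`, so you can see whether every client or only some are affected. The log lines are constructed, modelled on the message quoted above; hostnames, timestamps, PIDs and the syslog prefix are assumptions.

```python
import re
from collections import Counter

# Matches the smbd rejection message quoted in the post above.
REJECT_RE = re.compile(
    r"smbd\[(?P<pid>\d+)\]:\s+_netr_ServerAuthenticate3: "
    r"netlogon_creds_server_check failed\. "
    r"Rejecting auth request from client (?P<client>\S+) "
    r"machine account (?P<account>\S+)"
)

# Constructed sample input (not taken from a real system).
SAMPLE_LOG = [
    "Nov  3 08:01:12 ns smbd[28384]: [2015/11/03 08:01:12.1, 0] "
    "rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)",
    "Nov  3 08:01:12 ns smbd[28384]:   _netr_ServerAuthenticate3: "
    "netlogon_creds_server_check failed. Rejecting auth request from "
    "client WS1 machine account WS1$",
    "Nov  3 08:05:40 ns smbd[28390]:   _netr_ServerAuthenticate3: "
    "netlogon_creds_server_check failed. Rejecting auth request from "
    "client WS2 machine account WS2$",
    "Nov  3 09:14:02 ns smbd[28411]:   _netr_ServerAuthenticate3: "
    "netlogon_creds_server_check failed. Rejecting auth request from "
    "client WS1 machine account WS1$",
    "Nov  3 09:15:00 ns smbd[28411]: unrelated message",
    "Nov  3 09:20:31 ns smbd[28420]:   _netr_ServerAuthenticate3: "
    "netlogon_creds_server_check failed. Rejecting auth request from "
    "client WS3 machine account OTHER$",
]

def parse_rejections(lines):
    """Return (client, account) for every rejected netlogon auth."""
    hits = (REJECT_RE.search(line) for line in lines)
    return [(m.group("client"), m.group("account")) for m in hits if m]

def tally_rejections(lines):
    """Count rejections per machine account."""
    return Counter(account for _, account in parse_rejections(lines))

def mismatched(lines):
    """Heuristic: the account is normally CLIENT$; flag anything else."""
    return [(c, a) for c, a in parse_rejections(lines)
            if a.upper() != c.upper() + "$"]

if __name__ == "__main__":
    for account, count in tally_rejections(SAMPLE_LOG).most_common():
        print(f"{account}: {count} rejected")
    print("name/account mismatches:", mismatched(SAMPLE_LOG))
```

To run it against a real log, pass the lines of the file where smbd logs on your system instead of `SAMPLE_LOG`.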


(Stefano) #10

please, give us as many details as possible about the history of your lan setup… I mean: were the clients already joined to another domain before being joined to NS?

tell us everything please…

meanwhile, just as a test (and if you haven’t done it already), take a client, un-join it from the domain and re-add it and try again

Thank you


(Bogdan Costin) #11

Hi Ralph,
The quote from the how-to is my personal note regarding the information that I suggested be presented there.

I’ve put this at the beginning of the How-To:

Below I’ll describe the setup steps and also my personal notes on what I think should be added as options/features. :smile:

I know it is not optimal and that the How-to needs to be re-worked, but I have not had the time yet :frowning: …

But you are sustaining a point that I was making :smile:

PS. Maybe it will be of help to you to try and use other registry settings for your win clients.
See here: Unable to join windows 7 client to nethserver domain
And here: Windows 10 join nethserver

Also try what Stefano suggested. Add a new fresh client to that domain and see the results.

BR
Bogdan


(Stefano) #12

searching with google leads me to the conclusion that your machine account (the samba one) has a password that is expired…

this has nothing to do with the user password

try this one:

Windows 7 Registry changes to avoid a 30 days password change problem

Client-Registry:
[HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001

you’d have dword:00000000 now


(Ralph) #13

Yes, before we used Zentyal with Samba4 as ADS. Of course, all clients were joined to this server before.
When I take a client out of the NS domain by joining it to a fake workgroup and rejoin it afterwards, the problem remains.


(Stefano) #14

well… Windows can’t join an NT style domain after being part of an AD domain…

as you see, your users can login, but your setup isn’t working as expected.

this is not a NS issue but a windows’ one.

to make all things work in the right way you’d reinstall all the clients from scratch.

BTW, to help us to help you, for the future, remember to tell us ALL the WHOLE story :smile:

remember we don’t know anything about your setup, your server, your clients, we can’t see what you see… so it’s up to you to be verbose since the beginning…


(Ralph) #15

sorry but no, I have not. Password change is disabled.


(Stefano) #16

it doesn’t matter, what you said above is just the explanation of the cause of your issue :smile:


(Ralph) #17

Are you planning to develop NS onwards to Samba 4 or will it remain a Samba 3 PDC with NT domain?


(Stefano) #18

I’m not planning anything :smiley:

just search here, I read somewhere that samba4 is on the to-do list


(Alessio Fattorini) #19

Yes, thanks for asking.
It’s already planned and will hopefully be ready in the first quarter of 2016.