Netlogon Failure - Samba as PDC on 10.3.8 Server

I have a G5 running OS X Server 10.3.8. The Samba service (3.0.5) running on it is the primary domain controller (PDC) for two Windows 2000 Servers and around 25 Windows XP desktops. These domain members are reporting a slew of errors in their System log. The following message appears every 4 hours:

Source: NETLOGON
Type: Error
Event ID: 3224

"Changing the machine account password for account JASONHEISER$ failed with the following error: A device attached to the system is not functioning."

This is a non-fatal error. However, this error (I think) eventually culminates in a more critical problem:

Source: Netlogon
Type: Error
Event ID: 3210

"Failed to authenticate with \\MRWINT, a Windows NT or Windows 2000 domain controller for domain CPI."

This is a fatal error. The computer can no longer authenticate itself to anything on the domain. The computer must then reboot.

It takes a while for this authentication failure to occur. Most of the XP workstations are shut down each night and never experience it. The Windows 2000 Servers, which are running 24/7, succumb to this error every 1-4 weeks. Since these two servers handle print services and our ERP software, this is a showstopping failure.

Help. Please.

Posted on Oct 12, 2005 3:17 PM


Oct 19, 2005 12:09 AM in response to Jason K. Heiser

I need help with this also.

This is something that I've had to deal with for some time. I believe this is coupled with an EventID 12 (w32time): The NTP server %1 isn't sync'd, time not set.

Have you tried at least disabling (on the W2K server) the automatic machine account password changes? To do so, set the DisablePasswordChange registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey to a value of 1 and then restart the computer.

I think this is half the battle.

[edit:] I want to add: Is there anything to do on the OS X server?

Oct 19, 2005 1:55 PM in response to Coumie

There should be nothing to change on the OS X server.

The way I understand the process, the Windows machines are attempting to change the password to their machine account for security purposes. But since the account has no rights in the domain, the attempt fails.

Using the reg hack you mentioned will take care of it.

The W32time errors are different. On XP it is a control panel setting in Date and Time. For 2000 you have to run the following from the cmd window, without quotes.

"net time /setsntp:(your server IP)"

You can stop and start the w32time service with "net stop w32time" and "net start w32time"

I have never been able to get any Mac or Windows client to sync time with an OS X server by using the FQDN; it always needs to be the IP.

Oct 19, 2005 9:14 PM in response to AK_Mike

I changed the Local Security Policy to disable machine account password changes, which does the same thing, I think. Errors of type 3224 have disappeared from the system log. I'm crossing my fingers that this will prevent the dreaded 3210 error from happening. We'll see. It's only been a handful of days since the change.

I can understand a machine account has no rights over the domain, but it should be able to change its own password. This is how things work with an NT4 PDC. What's the story here? Is there something I need to change in smb.conf?
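
Added example, not part of any post in this thread: a Python script that checks the pattern described in the original post (repeated Event ID 3224, later followed by a fatal 3210) against an exported System log, per host. The CSV layout, host names and timestamps are constructed for illustration.

```python
import csv
import io
from datetime import datetime

PWD_CHANGE_FAILED = 3224   # NETLOGON: machine account password change failed
AUTH_FAILED = 3210         # Netlogon: failed to authenticate with the DC

# Constructed sample export (time, host, source, event ID); not real log data.
SAMPLE_LOG = """\
2005-10-01 02:00:00,W2K-PRINT,NETLOGON,3224
2005-10-01 06:00:00,W2K-PRINT,NETLOGON,3224
2005-10-01 08:30:00,XP-DESK01,NETLOGON,3224
2005-10-01 09:00:00,W2K-PRINT,W32Time,12
2005-10-01 10:00:00,W2K-PRINT,NETLOGON,3224
2005-10-09 10:15:00,W2K-PRINT,Netlogon,3210
2005-10-09 11:00:00,W2K-ERP,Netlogon,3210
"""

def correlate(log_text):
    """Per host: 3224 count before the first 3210, and the time between them."""
    hosts = {}
    rows = sorted(r for r in csv.reader(io.StringIO(log_text)) if r)  # by timestamp
    for stamp, host, source, event_id in rows:
        if source.upper() != "NETLOGON":   # the log shows both NETLOGON and Netlogon
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        h = hosts.setdefault(host, {"failed_changes": 0, "first_3224": None,
                                    "auth_failure": None, "lead_time": None})
        if h["auth_failure"] is not None:
            continue                       # only look at events up to the first 3210
        event = int(event_id)
        if event == PWD_CHANGE_FAILED:
            h["failed_changes"] += 1
            h["first_3224"] = h["first_3224"] or when
        elif event == AUTH_FAILED:
            h["auth_failure"] = when
            if h["first_3224"]:
                h["lead_time"] = when - h["first_3224"]
    return hosts

def classify(entry):
    """Label a host by how its events fit the 3224-then-3210 pattern."""
    if entry["auth_failure"] is None:
        return "3224 only" if entry["failed_changes"] else "no relevant events"
    return "3224 then 3210" if entry["failed_changes"] else "3210 without 3224"

if __name__ == "__main__":
    for host, entry in correlate(SAMPLE_LOG).items():
        print(host, classify(entry), entry["failed_changes"], entry["lead_time"])
```

A host classified as "3210 without 3224" does not fit the pattern and points to a different cause for the authentication failure.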
