XP/Vista -> samba/ldap domain join fails. What are the right values for samba* attributes?

Frederic Beuserie fbeuserie at gmail.com
Sun Jan 13 02:41:24 GMT 2008


Hello,

I'm trying to write the "add machine script" myself, with an LDAP backend.

When I populate the LDAP myself with a POSIX user, extended with Samba
attributes and values like these:

        import ldap

        # Samba extension of the POSIX entry for a machine (workstation trust) account.
        # mods, parms, nt_sid, nt_pgroup_sid, nt_hash and lm_hash are set up earlier in the script.
        mods.append((ldap.MOD_ADD, "objectClass", ["sambaSAMAccount"]))
        if parms["displayname"]:
            mods.append((ldap.MOD_ADD, "displayName", parms["displayname"]))
        mods.append((ldap.MOD_REPLACE, "sambaSID", [nt_sid]))
        mods.append((ldap.MOD_REPLACE, "sambaPrimaryGroupSID", [nt_pgroup_sid]))
        # 13-character flags field; W = workstation trust account
        mods.append((ldap.MOD_REPLACE, "sambaAcctFlags", ["[W          ]"]))
        mods.append((ldap.MOD_REPLACE, "sambaPwdCanChange", ["0"]))
        mods.append((ldap.MOD_REPLACE, "sambaPwdMustChange", ["0"]))
        mods.append((ldap.MOD_REPLACE, "sambaPwdLastSet", ["0"]))
        mods.append((ldap.MOD_REPLACE, "sambaNTPassword", [str(nt_hash)]))
        mods.append((ldap.MOD_REPLACE, "sambaLMPassword", [str(lm_hash)]))
        mods.append((ldap.MOD_REPLACE, "sambaLogonTime", ["0"]))
        mods.append((ldap.MOD_REPLACE, "sambaLogoffTime", ["2147483647"]))
        mods.append((ldap.MOD_REPLACE, "sambaKickoffTime", ["2147483647"]))

I get "An attached device is not functioning" on the Windows side.

Doing the join a second time, without changing anything else, the
join is successful.

Following advice on IRC (#samba-technical), I've tried to let Samba extend the
POSIX user by itself, but then I get

"the rpc server is not available" on Windows.

And, like before, a second join is successful.

I've done a diff between the LDIF after the (first) failed join and
the (second) successful one:

--- toto        2008-01-13 03:04:13.000000000 +0100
+++ toto2       2008-01-13 03:04:19.000000000 +0100
@@ -20,10 +20,10 @@
 sambaSID: S-1-5-21-3847149557-3367490810-1895635752-1011
 displayName: XPPROFR$
 sambaAcctFlags: [W          ]
-sambaPwdCanChange: 1200188987
 sambaPwdMustChange: 2147483647
-sambaNTPassword: EC0627E86C60114858F9D338865C3D0B
-sambaPwdLastSet: 1200188987
-entryCSN: 20080113014947Z#000002#00#000000
+sambaPwdCanChange: 1200189826
+sambaNTPassword: 7843BE621C39D6426A828CD44E866C6B
+sambaPwdLastSet: 1200189826
+entryCSN: 20080113020346Z#000000#00#000000
 modifiersName: uid=sambaldap,ou=System Accounts,dc=evolunys,dc=priv
-modifyTimestamp: 20080113014947Z
+modifyTimestamp: 20080113020346Z
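Review bot: on the `-` side sambaPwdLastSet and sambaPwdCanChange already hold a real timestamp (1200188987) and sambaNTPassword already holds a real hash, not the "0" values the add-machine script writes, so the first, failed join did get as far as setting the machine password; the two runs differ only in that the hash and the two timestamps were rewritten together, so the initial values in the script are unlikely to be what distinguishes them. sambaLMPassword falls outside the hunk, so this diff cannot show whether the LM hash was rewritten as well; include that attribute when comparing the two LDIFs.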

These attributes are changed:
sambaPwdLastSet
sambaPwdCanChange
sambaNTPassword

and the only one that strikes me is the NT password change.
[03:07] <fbe> smbldap-tools used to put a Unix timestamp. An old
function lying there used to put the NTLM hash of the workstation
name ...

In the Samba log (level 10) everything looks fine, except for this message,
which appears once: "_samr_set_userinfo:  does not possess sufficient rights"

The strange thing is that sometimes (perhaps 1 join in every +-20 tries) it is
**successful** on the **first** run.

I've found some code snippets that put the NT hash of the workstation
name as the password, or the Unix timestamp as the password,
but nothing really clear on what to use...


And before you ask:
- nscd is down
- the NTLM hashes are correct, because the same function is used to
reset both NT/LM hashes for user accounts, and the NT account behaves
correctly: the new password is accepted by netlogon
- I've tried to mimic the values used by "smbldap-useradd -m" but got
the same problem.

Any advice on what I'm doing wrong?

Thanks,

Frederic.
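An added worked example, not code from the original post or from Samba: the NT-hash computation (MD4 over UTF-16LE) behind sambaNTPassword, and a hypothetical machine_account_attrs() helper that builds a workstation trust account entry in the shape the post's script writes. It assumes the caller supplies the domain SID and RID, and it uses the NT-domain convention that a pre-created machine account's initial password is the lowercase machine name without the trailing "$"; the post does not confirm that this is what fixes the join.

```python
import struct

MASK = 0xFFFFFFFF

def _rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 only ships MD4 in its legacy provider."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, word order, shift schedule, round constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [i % 4 * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a, b, c, d = d, _rol((a + fn(b, c, d) + x[w] + k) & MASK, shifts[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash as stored in sambaNTPassword: MD4 over UTF-16LE, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def machine_account_attrs(name: str, domain_sid: str, rid: int, group_rid: int = 515) -> dict:
    """Hypothetical helper: Samba attributes for a workstation trust account.
    domain_sid/rid are caller-supplied; 515 is the well-known Domain Computers RID.
    Assumption: initial password = lowercase machine name without '$' (NT-domain convention)."""
    host = name.rstrip("$")
    return {
        "uid": host + "$",
        "objectClass": ["posixAccount", "sambaSAMAccount"],
        "sambaSID": f"{domain_sid}-{rid}",
        "sambaPrimaryGroupSID": f"{domain_sid}-{group_rid}",
        "sambaAcctFlags": "[W".ljust(12) + "]",   # 13-char field, W = workstation trust
        "sambaNTPassword": nt_hash(host.lower()),
        "sambaPwdLastSet": "0",                    # 0 = never set; the join rewrites it
        "sambaPwdCanChange": "0",
        "sambaPwdMustChange": "2147483647",        # never expires
    }
```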


More information about the samba-technical mailing list