[Samba] Issues with Joining an NT4 Domain
John H Terpstra
jht at samba.org
Tue Feb 4 20:20:09 GMT 2003
On Tue, 4 Feb 2003, Clint Martin wrote:
> Hello
>
> I'm having some difficulties joining my Samba 3.0alpha (and 2.2.7a)
> machine to my NT4 domain. Let me tell you what I'm attempting to
> accomplish. I want to set up the Samba system to authenticate to my NT
> domain so that I can use NTLM Proxy authentication with SQUID. Through
> reading the docs, I'm under the impression that in order to allow the
> SQUID/Samba setup to auth on the domain, the NT PDC must show that the Samba
> machine is part of the domain.
>
> I've tried this with Samba 2.2.7a and the latest 3.0alpha with the same
> results. I'll include the commands I've used for the 3.0 tree, as this is
> what I've used most recently.
>
> My smb.conf:
>
> [global]
> security = DOMAIN
> domain logons = yes
^^^^^^^^^^^^^^^^^^^
This provides the NETLOGON service which only NT PDCs and BDCs can
provide. That is why it looks like a BDC. This is a NO-GO for a domain
member machine. You should get rid of this parameter.
> password server = QADOM
^^^^^
Set this to '*', i.e.:
password server = *
> workgroup = QADOM
> netbios name = clintbsd30a
> server string = FreeBSD with Samba 3.0
> encrypt passwords = yes
> preferred master = no
> domain master = no
> utmp = yes
> add user script = /usr/sbin/pw adduser %u
> delete user script = /usr/sbin/pw deleteuser %u
> pam password change = yes
>
>
> I join the domain like this:
>
> # ./net join -U Administrator
> [2003/02/04 08:07:32, 1] rpc_client/cli_netlogon.c:cli_nt_setup_creds(300)
> cli_nt_setup_creds: auth2 challenge failed NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/04 08:07:32, 1] libsmb/trust_passwd.c:just_change_the_password(42)
> just_change_the_password: unable to setup creds
> (NT_STATUS_NO_TRUST_SAM_ACCOUNT)!
> [2003/02/04 08:07:32, 1] utils/net_rpc.c:run_rpc_command(154)
> rpc command function failed! (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
> Joined domain QADOM.
It says it created the account on the domain - that is now automatic. But
first it failed to change the password because the account did not yet
exist - so it then creates it.
> This, I think, is the root of the issue.. how can I have
> NT_STATUS_NO_TRUST_SAM_ACCOUNT and still be joined to the domain?
See above.
> The machine shows up in the NT Domain Machine Management program as a NT
> Backup. I've also tried adding the Machine manually to the NT domain first,
> then using the net command to join it.
See the comment in the smb.conf area above.
> After firing up nmbd and smbd, and attempting to access the machine from
> the PDC's network neighborhood, I get this error on the PDC: The SAM
> Database on the Windows NT server does not have a computer account for this
> workstation trust relationship.
Suggest you remove the "domain logons" parameter. Delete the computer
account from the NT4 domain, and do a fresh join.
- John T.
---
John H Terpstra
Email: jht at samba.org
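
The two changes recommended in the reply above, expressed as a check over an smb.conf (an added example, not part of the original message and not Samba code). The function names `parse_global` and `check_domain_member` are hypothetical, and the sample input is constructed from the smb.conf quoted in the thread.

```python
import re

# Constructed sample: part of the [global] section quoted in the message above.
SAMPLE = """\
[global]
security = DOMAIN
domain logons = yes
password server = QADOM
workgroup = QADOM
netbios name = clintbsd30a
domain master = no
"""

TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings smb.conf accepts


def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def check_domain_member(text):
    """List settings the reply flags for a domain member (security = domain)."""
    p = parse_global(text)
    findings = []
    if p.get("security", "").lower() != "domain":
        return findings
    if p.get("domainlogons", "no").lower() in TRUE_VALUES:
        findings.append("domain logons: member offers NETLOGON like a PDC/BDC")
    server = p.get("passwordserver", "").lower()
    if server and server == p.get("workgroup", "").lower():
        findings.append("password server: names the domain, reply suggests '*'")
    return findings


if __name__ == "__main__":
    for finding in check_domain_member(SAMPLE):
        print("WARN:", finding)
```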