[Samba] Issues with Joining an NT4 Domain

John H Terpstra jht at samba.org
Tue Feb 4 20:20:09 GMT 2003


On Tue, 4 Feb 2003, Clint Martin wrote:

> Hello
>
>     I'm having some difficulties joining my Samba 3.0alpha (and 2.2.7a)
> machine to my NT4 domain.  Let me tell you what I'm attempting to
> accomplish.  I want to setup the Samba system to authenticate to my NT
> domain so that I can use NTLM Proxy authentication with SQUID.  Through
> reading the docs, I'm under the impression that in order to allow the
> SQUID/Samba setup to auth on the domain, the NT PDC must show that the Samba
> machine is part of the domain.
>
> I've tried this with Samba 2.2.7a and the latest 3.0alpha with the same
> results. I'll include the commands I've used for the 3.0 tree, as this is
> what I've used most recently.
>
> My smb.conf:
>
> [global]
>         security = DOMAIN
>         domain logons = yes
          ^^^^^^^^^^^^^^^^^^^
This provides the NETLOGON service, which only NT PDCs and BDCs can
provide. That is why it looks like a BDC. This is a NO-GO for a domain
member machine. You should get rid of this parameter.

>         password server = QADOM
                            ^^^^^

Set this to '*', i.e.:

	password server = *

>         workgroup = QADOM
>         netbios name = clintbsd30a
>         server string = FreeBSD with Samba 3.0
>         encrypt passwords = yes
>         preferred master = no
>         domain master = no
>         utmp = yes
>         add user script = /usr/sbin/pw adduser %u
>         delete user script = /usr/sbin/pw deleteuser %u
>         pam password change = yes
>
>
> I join the domain like this:
>
> # ./net join -U Administrator
> [2003/02/04 08:07:32, 1] rpc_client/cli_netlogon.c:cli_nt_setup_creds(300)
>   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/04 08:07:32, 1] libsmb/trust_passwd.c:just_change_the_password(42)
>   just_change_the_password: unable to setup creds
> (NT_STATUS_NO_TRUST_SAM_ACCOUNT)!
> [2003/02/04 08:07:32, 1] utils/net_rpc.c:run_rpc_command(154)
>   rpc command function failed! (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
> Joined domain QADOM.

It says it created the account on the domain - that is now automatic. But
first it failed to change the password because the account did not yet
exist - so it then creates it.

> This, I think, is the root of the issue.. how can I have
> NT_STATUS_NO_TRUST_SAM_ACCOUNT and still be joined to the domain?

See above.

> The machine shows up in the NT Domain Machine Management program as a NT
> Backup.  I've also tried adding the Machine manually to the NT domain first,
> then using the net command to join it.

See the comment in the smb.conf area above.

> after firing up nmbd and smbd, and attempting to access the machine from
> the PDC's network neighborhood, I get this error on the PDC:  The SAM
> Database on the Windows NT server does not have a computer account for this
> workstation trust relationship.

Suggest you remove the "domain logons" parameter. Delete the computer
account from the NT4 domain, and do a fresh join.

- John T.
---
John H Terpstra
Email: jht at samba.org
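As an added example (not part of the mail and not Samba project code), a small Python lint that parses the [global] section of an smb.conf and flags the two domain-member mistakes John points out: `domain logons = yes` on a `security = domain` member, and a `password server` pinned to a name instead of `*`. The sample configuration is constructed to mirror the poster's.

```python
"""Lint an smb.conf [global] section for the domain-member mistakes discussed in the mail.
Added example, not Samba project code; it parses only what the checks need."""
import re
from typing import Dict, List

# Constructed sample mirroring the poster's configuration.
SAMPLE_SMB_CONF = """
[global]
        security = DOMAIN
        domain logons = yes
        password server = QADOM
        workgroup = QADOM
        netbios name = clintbsd30a
        encrypt passwords = yes
"""

def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters as a lowercase-name -> value map."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        # smb.conf comments start with '#' or ';'
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def lint_domain_member(params: Dict[str, str]) -> List[str]:
    """Flag settings that make a 'security = domain' member look like a BDC."""
    findings: List[str] = []
    if params.get("security", "").lower() != "domain":
        return findings  # these checks only apply to domain members
    if params.get("domain logons", "no").lower() in ("yes", "true", "1"):
        findings.append("domain logons = yes: only a PDC/BDC offers NETLOGON; remove it")
    ps = params.get("password server", "")
    if ps and ps != "*":
        findings.append(f"password server = {ps}: set it to '*' to locate the DC automatically")
    return findings

if __name__ == "__main__":
    for finding in lint_domain_member(parse_global(SAMPLE_SMB_CONF)):
        print("WARN:", finding)
```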

