[Samba] Unable to join samba server to a NT4 style domain
Van Sickler, Jim
vansickj-eodc at kaman.com
Fri Apr 15 16:57:04 GMT 2005
Ash,

Can you check the value of the restrictanonymous registry key on your
NT4 server - I think if it's set higher than 0 or 1 you'll be prevented
from joining the Domain. Set it to 0, let the Samba box join, and set it
back to the previous level. You'll find the setting in 3 places with
regedit; 2 are editable, and the 3rd is the current setting.

Also, I'm using the smbusers file to map *nix-Windows users, because
I'm not running winbindd (it's an OpenBSD box). I've got an entry of:

    root=administrator

You might try adding that file/entry to see if it helps.

I guess the --long doesn't display anything, or you have to tell it to
debug in order for it to work...

If you're not using a WINS server, I'd add this to your smb.conf:

    name resolve order = lmhosts host bcast

I'm not sure if your lmhosts entry for the NT4 server is gnsi_server1
or gnsi_server1<0x20>. I think it should be the former.

Jim

> -----Original Message-----
> From: Ashutosh Kamdar [mailto:akamdar at gnsi.com]
> Sent: Friday, April 15, 2005 9:20 AM
> To: Van Sickler, Jim; 'Ashutosh Kamdar'; samba at lists.samba.org
> Subject: Re: [Samba] Unable to join samba server to a NT4 style domain
>
>
> Jim,
>
> I tried something as per your suggestion:
>
> # ./net rpc join -S NTSERVER -d 3 -l -U administrator%'xxxxx'
>
> This gave me the output listed below. Hopefully, this will
> help shed some light on the problem. Do you know what
> status NT_STATUS_ACCESS_DENIED means?
>
> Thanks,
>
> Ash
>
> ---------------------8<--------------------
>
> [2005/04/15 12:09:30, 3] param/loadparm.c:lp_load(3907)
> lp_load: refreshing parameters
> [2005/04/15 12:09:30, 3] param/loadparm.c:init_globals(1321)
> Initialising global parameters
> [2005/04/15 12:09:30, 3] param/params.c:pm_process(573)
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/lib/smb.conf"
> [2005/04/15 12:09:30, 3] param/loadparm.c:do_section(3409)
> Processing section "[global]"
> [2005/04/15 12:09:30, 2] lib/interface.c:add_interface(81)
> added interface ip=192.168.2.37 bcast=192.168.2.255
> nmask=255.255.255.0
> [2005/04/15 12:09:30, 3] libsmb/namequery.c:resolve_lmhosts(855)
> resolve_lmhosts: Attempting lmhosts lookup for name
> gnsi_server1<0x20>
> [2005/04/15 12:09:30, 3] libsmb/namequery.c:resolve_wins(752)
> resolve_wins: Attempting wins lookup for name gnsi_server1<0x20>
> [2005/04/15 12:09:30, 3] libsmb/namequery.c:resolve_wins(755)
> resolve_wins: WINS server resolution selected and no WINS
> servers listed.
> [2005/04/15 12:09:30, 3] libsmb/namequery.c:resolve_hosts(917)
> resolve_hosts: Attempting host lookup for name gnsi_server1<0x20>
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_start_connection(1406)
> Connecting to host=gnsi_server1
> [2005/04/15 12:09:30, 3] lib/util_sock.c:open_socket_out(752)
> Connecting to 192.168.2.11 at port 445
> [2005/04/15 12:09:30, 1] libsmb/cliconnect.c:cli_full_connection(1506)
> failed tcon_X with NT_STATUS_ACCESS_DENIED
> [2005/04/15 12:09:30, 1] utils/net.c:connect_to_ipc_anonymous(207)
> Cannot connect to server (anonymously). Error was
> NT_STATUS_ACCESS_DENIED
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_start_connection(1406)
> Connecting to host=gnsi_server1
> [2005/04/15 12:09:30, 3] lib/util_sock.c:open_socket_out(752)
> Connecting to 192.168.2.11 at port 445
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(708)
> Doing spnego session setup (blob length=110)
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(733)
> got OID=1 2 840 48018 1 2 2
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(733)
> got OID=1 2 840 113554 1 2 2
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(733)
> got OID=1 2 840 113554 1 2 2 3
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(733)
> got OID=1 3 6 1 4 1 311 2 2 10
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(740)
> got principal=gnsi_server1$@GNSI.COM
> [2005/04/15 12:09:30, 3]
> libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
> Got challenge flags:
> [2005/04/15 12:09:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x62890215
> [2005/04/15 12:09:30, 3]
> libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
> NTLMSSP: Set final flags:
> [2005/04/15 12:09:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60080215
> [2005/04/15 12:09:30, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2005/04/15 12:09:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60080215
> [2005/04/15 12:09:30, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
> lsa_io_sec_qos: length c does not match size 8
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_start_connection(1406)
> Connecting to host=gnsi_server1
> [2005/04/15 12:09:30, 3] lib/util_sock.c:open_socket_out(752)
> Connecting to 192.168.2.11 at port 445
> [2005/04/15 12:09:30, 1] libsmb/cliconnect.c:cli_full_connection(1506)
> failed tcon_X with NT_STATUS_ACCESS_DENIED
> [2005/04/15 12:09:30, 1] utils/net.c:connect_to_ipc_anonymous(207)
> Cannot connect to server (anonymously). Error was
> NT_STATUS_ACCESS_DENIED
> Unable to join domain GLOBALNET.
> [2005/04/15 12:09:30, 2] utils/net.c:main(897)
> return code = 1
>
>
> -----------------------------8<-------------------
>
>
>
> ------Original Message-----
> -From: Van Sickler, Jim [mailto:vansickj-eodc at kaman.com]
> -Sent: Thursday, April 14, 2005 09:42 PM
> -To: ''Ashutosh Kamdar'', samba at lists.samba.org
> -Subject: RE: [Samba] Unable to join samba server to a NT4
> style domain
> -
> -Ash,
> -
> -net help rpc shows the following for the --long option:
> -
> --l or --long Display full information
> -
> -In what I've found from googling and
> -the Samba-Guide (thanks, John!),
> -it looks like net rpc join will create the
> -Domain machine account when you run it; if
> -MYSERVER already exists, you'll be prevented
> -from creating a duplicate entry.
> -
> -Try deleting MYSERVER from the Domain.
> -
> -then run your original command...
> -
> -./net rpc join -U administrator%'xxxxxxxx'
> -
> -or ./net rpc join -S NT4SERVER -U administrator%'xxxxxxxx'
> -
> -and see what happens.
> -
> -If this works, it reinforces this comment from my earlier link:
> -
> -This process joins the server to the domain
> -without having to create the machine trust
> -account on the PDC beforehand.
> -
> -and is a change from Samba 2.x, which required
> -the creation of the machine trust account
> -on the PDC before running "smbpasswd -j DOM -r DOMPDC".
> -
> -John: if this is true, can Chap 7 be amended to
> -reflect the change?
> -
> -Jim
> -
> -> -----Original Message-----
> -> From: Ashutosh Kamdar [mailto:akamdar at gnsi.com]
> -> Sent: Thursday, April 14, 2005 2:25 PM
> -> To: Van Sickler, Jim; 'Ashutosh Kamdar'; samba at lists.samba.org
> -> Subject: Re: [Samba] Unable to join samba server to a NT4
> style domain
> ->
> ->
> -> Jim,
> ->
> -> I have Samba shut down while executing the net rpc join
> -> commands, as the HOW-TO says.
> ->
> -> On trying the following,
> ->
> -> # ./net rpc join -S NTSERVER
> -> Password:
> ->
> -> This is the response I get,
> ->
> -> Could not connect to server NTSERVER
> -> The username or password was not correct.
> ->
> -> The password used was that of the administrator authorized to
> -> add machines to the domain. Is there any other
> -> username/password I should be using?
> ->
> -> On trying this,
> ->
> -> net join -S NT4SERVER -U administrator%'xxxxxxxx' -W
> -> MYWORKGROUP --long
> ->
> -> This is the response I get,
> ->
> -> Unable to join domain <domain-name>.
> ->
> -> BTW, what does the switch --long do?
> ->
> -> I have followed the exact steps in the document you have
> -> pointed out and the HOW-TOs. Thanks for pointing out
> -> this particular chapter.
> ->
> -> Regards,
> ->
> -> Ash
> ->
> -> ------Original Message-----
> -> -From: Van Sickler, Jim [mailto:vansickj-eodc at kaman.com]
> -> -Sent: Thursday, April 14, 2005 08:30 PM
> -> -To: ''Ashutosh Kamdar'', samba at lists.samba.org
> -> -Subject: RE: [Samba] Unable to join samba server to a NT4
> -> style domain
> -> -
> -> -Ash,
> -> -
> -> -Do you have Samba shut down while you're
> -> -running net rpc join? The daemons
> -> -shouldn't be running, AFAIK.
> -> -
> -> -Make sure they're down, and try your earlier
> -> -net rpc join commands...
> -> -
> -> -If that doesn't work, try just:
> -> - net rpc join -S NT4SERVER
> -> -
> -> -Maybe try deleting MYSERVER from the domain,
> -> -then
> -> -net join -S NT4SERVER -U administrator%'xxxxxxxx' -W
> -> MYWORKGROUP --long
> -> -
> -> -See
> -> -http://aosda.net/docs/samba/3.0/Samba-HOWTO-Collection/domain
> -> -member.html#id
> -> -2522086
> -> -
> -> -
> -> -Jim
> -> -
> -> -
> -> -> -----Original Message-----
> -> -> From: Ashutosh Kamdar [mailto:akamdar at gnsi.com]
> -> -> Sent: Thursday, April 14, 2005 12:50 PM
> -> -> To: Van Sickler, Jim; 'Ashutosh Kamdar'; samba at lists.samba.org
> -> -> Subject: Re: [Samba] Unable to join samba server to a NT4
> -> style domain
> -> ->
> -> ->
> -> -> Jim,
> -> ->
> -> -> Yes, the NTSERVER is a PDC. Do you know of a way to see any
> -> -> kind of logs on the net join rpc command?
> -> ->
> -> -> -Ash
> -> ->
> -> -> ------Original Message-----
> -> -> -From: Van Sickler, Jim [mailto:vansickj-eodc at kaman.com]
> -> -> -Sent: Thursday, April 14, 2005 07:40 PM
> -> -> -To: ''Ashutosh Kamdar'', samba at lists.samba.org
> -> -> -Subject: RE: [Samba] Unable to join samba server to a NT4
> -> -> style domain
> -> -> -
> -> -> -Ash,
> -> -> -
> -> -> -Is NT4SERVER the PDC?
> -> -> -If not, use -S PDC instead of -S NT4SERVER
> -> -> -
> -> -> -Jim
> -> -> -
> -> -> -> -----Original Message-----
> -> -> -> From: Ashutosh Kamdar [mailto:akamdar at gnsi.com]
> -> -> -> Sent: Thursday, April 14, 2005 12:24 PM
> -> -> -> To: Van Sickler, Jim; 'Ashutosh Kamdar';
> samba at lists.samba.org
> -> -> -> Subject: Re: [Samba] Unable to join samba server to a NT4
> -> -> style domain
> -> -> ->
> -> -> ->
> -> -> -> Jim,
> -> -> ->
> -> -> -> For all of the four commands you have mentioned, I get the
> -> -> -> same response:
> -> -> ->
> -> -> -> Unable to join domain <domain-name>.
> -> -> ->
> -> -> -> There are no error messages or explanation with it, just the
> -> -> -> plain text.
> -> -> ->
> -> -> -> Regards,
> -> -> ->
> -> -> -> Ash
> -> -> ->
> -> -> -> ------Original Message-----
> -> -> -> -From: Van Sickler, Jim [mailto:vansickj-eodc at kaman.com]
> -> -> -> -Sent: Thursday, April 14, 2005 07:15 PM
> -> -> -> -To: ''Ashutosh Kamdar'', samba at lists.samba.org
> -> -> -> -Subject: RE: [Samba] Unable to join samba server to a NT4
> -> -> -> style domain
> -> -> -> -
> -> -> -> -Ash,
> -> -> -> -
> -> -> -> -try one of the following:
> -> -> -> -
> -> -> -> -./net rpc join -S NT4SERVER -U administrator
> -> -> -> -
> -> -> -> -./net rpc join -S NT4SERVER -U administrator%'xxxxxxxx'
> -> -> -> -
> -> -> -> -./net rpc join -W MYWORKGROUP -U administrator
> -> -> -> -
> -> -> -> -./net rpc join -W MYWORKGROUP -U administrator%'xxxxxxxx'
> -> -> -> -
> -> -> -> -Jim
> -> -> -> -
> -> -> -> -> -----Original Message-----
> -> -> -> -> From: Ashutosh Kamdar [mailto:akamdar at gnsi.com]
> -> -> -> -> Sent: Thursday, April 14, 2005 11:48 AM
> -> -> -> -> To: Van Sickler, Jim; samba at lists.samba.org
> -> -> -> -> Subject: Re: [Samba] Unable to join samba server to a NT4
> -> -> -> style domain
> -> -> -> ->
> -> -> -> ->
> -> -> -> -> Jim,
> -> -> -> ->
> -> -> -> -> -Try adding the Samba server to the NT4 Domain first.
> -> -> -> -> Response: The samba server has already been added to
> -> -> the NT domain.
> -> -> -> ->
> -> -> -> -> -Is the NT4 server also a WINS server?
> -> -> -> -> -If so, add that info to the smb.conf
> -> -> -> -> -
> -> -> -> -> -wins server = xxx.xxx.xxx.xxx
> -> -> -> -> -name resolve order = wins lmhosts host bcast
> -> -> -> -> -
> -> -> -> -> -Put the NT4 server info into /etc/lmhosts
> -> -> -> -> -and /etc/hosts
> -> -> -> -> -xxx.xxx.xxx.xxx NT4SERVER
> -> -> -> ->
> -> -> -> -> Response: The NT server is not functioning as a
> WINS server.
> -> -> -> -> The /etc/hosts and /etc/lmhosts already have the
> entry for
> -> -> -> -> the NT server. The server can also resolve the
> NTSERVER_NAME
> -> -> -> -> using DNS.
> -> -> -> ->
> -> -> -> -> I also used rpcclient to see if there are any connection
> -> -> -> -> problems, and it was able to connect just fine to the
> -> -> -> -> NTSERVER. Thoroughly confused.
> -> -> -> ->
> -> -> -> -> Any other ideas?
> -> -> -> ->
> -> -> -> -> Thanks for your response,
> -> -> -> ->
> -> -> -> -> Ash
> -> -> -> ->
> -> -> -> -> -
> -> -> -> -> -> -----Original Message-----
> -> -> -> -> -> From: Ashutosh Kamdar [mailto:akamdar at gnsi.com]
> -> -> -> -> -> Sent: Thursday, April 14, 2005 12:58 AM
> -> -> -> -> -> To: samba at lists.samba.org
> -> -> -> -> -> Subject: [Samba] Unable to join samba server to a NT4
> -> -> -> style domain
> -> -> -> -> ->
> -> -> -> -> ->
> -> -> -> -> -> Hello,
> -> -> -> -> ->
> -> -> -> -> -> I have installed Samba version 3.0.13 on a
> -> Solaris 9 machine
> -> -> -> -> -> and am trying to add it to an existing NT domain
> -> as a member
> -> -> -> -> -> server. I have followed the instructions in
> -> Chapter 2 of the
> -> -> -> -> -> Samba HOW-TO collection for adding a samba server as
> -> -> a Domain
> -> -> -> -> -> member. The problem is that when I use the net
> rpc join
> -> -> -> -> -> command to join the domain, I get the following error:
> -> -> -> -> ->
> -> -> -> -> -> # ./net rpc join -U administrator%'xxxxxxxx'
> -> -> -> -> ->
> -> -> -> -> -> Unable to find a suitable server
> -> -> -> -> ->
> -> -> -> -> -> Unable to find a suitable server
> -> -> -> -> ->
> -> -> -> -> -> Specifying the domain name with a -w switch or the
> -> -> PDC doesn't
> -> -> -> -> -> seem to help.
> -> -> -> -> ->
> -> -> -> -> -> Is there a way for me to see a detailed version
> -> of the error
> -> -> -> -> -> message or some log file where this is dumped to? I am
> -> -> -> -> -> posting the smb.conf for reference. Please help
> -> me resolve
> -> -> -> -> -> this error.
> -> -> -> -> ->
> -> -> -> -> -> Thanks,
> -> -> -> -> ->
> -> -> -> -> -> Ash
> -> -> -> -> ->
> -> -> -> -> ->
> -> -> -> ->
> -> -> ->
> -> ->
> ->
> ----------------------------------8<----------------------------------
> -> -> -> -> -> smb.conf
> -> -> -> -> ->
> -> -> -> -> -> [global]
> -> -> -> -> -> dns proxy = no
> -> -> -> -> -> debug timestamp = yes
> -> -> -> -> -> encrypt passwords = yes
> -> -> -> -> -> idmap gid = 15000-20000
> -> -> -> -> -> socket options = TCP_NODELAY
> -> -> -> -> -> max log size = 1024
> -> -> -> -> -> password server = *
> -> -> -> -> -> idmap uid = 15000-20000
> -> -> -> -> -> debug level = 3
> -> -> -> -> -> security = domain
> -> -> -> -> -> server string = Samba Server
> -> -> -> -> -> workgroup = MYWORKGROUP
> -> -> -> -> -> log level = 3
> -> -> -> -> -> log file = /usr/local/samba/var/log.%m
> -> -> -> -> -> netbios name = MYSERVER
> -> -> -> -> -> load printers = yes
> -> -> -> -> -> os level = 33
> -> -> -> -> -> default = share
> -> -> -> -> -> [homes]
> -> -> -> -> -> comment = Home Directories
> -> -> -> -> -> valid users = %S
> -> -> -> -> -> browseable = no
> -> -> -> -> -> writable = yes
> -> -> -> -> ->
> -> -> -> -> -> [printers]
> -> -> -> -> -> comment = All Printers
> -> -> -> -> -> path = /usr/spool/samba
> -> -> -> -> -> browseable = no
> -> -> -> -> -> guest ok = no
> -> -> -> -> -> writable = no
> -> -> -> -> -> printable = yes
> -> -> -> -> ->
> -> -> -> -> -> [share]
> -> -> -> -> -> path = /share
> -> -> -> -> -> comment = Solaris share
> -> -> -> -> -> valid users = @Accounts
> -> -> -> -> -> guest ok = Yes
> -> -> -> -> -> read only = No
> -> -> -> -> ->
> -> -> -> -> ->
> -> -> -> ->
> -> -> ->
> -> ->
> ->
> ----------------------------------8<----------------------------------
>
>
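
Added example, not part of the original thread and not Samba project code: a small parser for the level-3 `net rpc join -d 3` debug output quoted above, which picks out the two failure signatures the log shows and pairs each with the check suggested in the reply. The function names `parse_samba_debug` and `triage` are hypothetical, and the sample is a constructed excerpt in the shape of the quoted log.

```python
import re
# Entry header: "[2005/04/15 12:09:30, 3] file.c:func(123)"; mail wrapping can
# push the "file.c:func(123)" part onto the following line.
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d, *(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)$")

def parse_samba_debug(text):
    """Split `net -d N` output into {level, func, msg} entries."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop e-mail quote marks
        head = HEADER.match(line)
        if head:
            cur = {"level": int(head.group(1)), "func": None, "msg": ""}
            entries.append(cur)
            line = head.group(2)
        if not line or cur is None:
            continue
        loc = LOCATION.match(line)
        if loc and cur["func"] is None:
            cur["func"] = loc.group(2)
        else:  # message text, possibly wrapped over several lines
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries

def triage(entries):
    """Map failure signatures seen in the thread to the checks from the reply."""
    found = set()
    for e in entries:
        if e["func"] == "connect_to_ipc_anonymous" and "ACCESS_DENIED" in e["msg"]:
            found.add("anonymous IPC refused: check restrictanonymous on the NT4 server")
        if e["func"] == "resolve_wins" and "no WINS servers listed" in e["msg"]:
            found.add("no WINS server: try 'name resolve order = lmhosts host bcast'")
    return sorted(found)

# Constructed sample: a shortened excerpt in the shape of the quoted log.
SAMPLE = """\
> [2005/04/15 12:09:30, 3] libsmb/namequery.c:resolve_wins(755)
> resolve_wins: WINS server resolution selected and no WINS
> servers listed.
> [2005/04/15 12:09:30, 3]
> libsmb/cliconnect.c:cli_start_connection(1406)
> Connecting to host=gnsi_server1
> [2005/04/15 12:09:30, 1] utils/net.c:connect_to_ipc_anonymous(207)
> Cannot connect to server (anonymously). Error was
> NT_STATUS_ACCESS_DENIED
"""
if __name__ == "__main__":
    for finding in triage(parse_samba_debug(SAMPLE)):
        print(finding)
```
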