[Samba] Must you "net join" for the Samba machine to become a domain member?

Karnowski, David dkarnowski at etrade.com
Fri Jan 20 00:00:18 GMT 2006


>> If it must "join" the domain why doesn't Samba try to join the domain
>> automatically (if it's not already joined) using the credentials of
>> the first user who tries to map a drive?

> Probably because a normal user trying to map a drive isn't a Domain
> Admin, and generally only Domain Admins can add computers into domains.

> I think you misunderstand the purpose of joining a domain.  You don't
> join with specific credentials (e.g. a user mapping a drive), you use a
> domain admin's credentials to add Samba into the domain, which means
> from that point forward Samba is "allowed" to ask the domain to
> check passwords instead of doing so itself.  This is greatly
> simplified, but until Samba is a member of the domain you'll usually be
> prompted for a password.

>> It appears to me that I must "net join" the domain from the Samba
>> server for this to work. Is this correct? Are there alternatives?

> There's no need.  If I understand the process correctly, once you've
> added Samba to the domain (while logged in as a Domain Admin) Samba
> creates its own login name and password (a 'machine' account.)  From
> this point on Samba logs in with these credentials whenever it needs
> access to the domain - anything from getting a list of users to
> checking whether the supplied password is correct.

Thanks for your detailed response Adam.

The thing is that we already manually added the server to the domain
(i.e. created a "computer account" for the Samba machine in the domain
manually using the standard Windows GUI tools). The reason, in my case,
I believe I have to do a "net join" is to populate the "private/secrets.tdb"
with some ID of the domain I'm interested in. I noticed that when I
start the Samba daemons (without first doing a "net join") and then try to
map a drive, it automatically finds info on some of our domains ("WINPROD"
& "VTIDEV.CA") but not the one I'm interested in ("CORP"). Below is part of
the log when I try to map a drive without first doing the "net join". If I
do the "net join" then the "private/secrets.tdb" gets populated for the
"CORP" domain and then the drive mapping works fine. So I guess my question
is: How does Samba automatically discover the info for some domains and not
others? Where is it getting this discovery from? And what can I do to make
it discover the domain I'm interested in ("CORP") without having to do a
"net join"?


[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
  trustdom_store: storing SID S-1-5-21-73586283-436374069-725345543 of domain WINPROD
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
  Adding cache entry with key = TDOM/WINPROD; value = S-1-5-21-73586283-436374069-725345543 and timeout = Thu Jan 19 18:58:35 2006
   (600 seconds ahead)
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
  trustdom_store: storing SID S-1-5-21-968365403-1350775402-1971066577 of domain VTIDEV.CA
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
  Adding cache entry with key = TDOM/VTIDEV.CA; value = S-1-5-21-968365403-1350775402-1971066577 and timeout = Thu Jan 19 18:58:35 2006
   (600 seconds ahead)
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
  Adding cache entry with key = TDOMCACHE/TIMESTAMP; value = 1137714515 and timeout = Thu Jan 19 18:58:35 2006
   (600 seconds ahead)
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/CORP couldn't be found
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain CORP found.
...
[2006/01/19 18:48:36, 6] auth/auth_sam.c:check_samstrict_security(379)
  check_samstrict_security: CORP is not one of my local names (ROLE_DOMAIN_MEMBER)
...
[2006/01/19 18:48:36, 5] passdb/secrets.c:secrets_fetch_trust_account_password(288)
  secrets_fetch failed!
[2006/01/19 18:48:36, 0] auth/auth_domain.c:check_ntdomain_security(284)
  check_ntdomain_security: could not fetch trust account password for domain 'CORP'
[2006/01/19 18:48:36, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2006/01/19 18:48:36, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [dkarnows] -> [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
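The log above carries two separate signals that are easy to conflate when reading it by hand: the trusted-domain SIDs that smbd writes into its TDOM/... cache entries, and the machine trust account password that only a join writes into private/secrets.tdb (the secrets_fetch failure for CORP). As an added example that is not part of this thread or of Samba itself, the following Python parser runs over a copy of the quoted log (constructed inline, with the mail wrapping undone) and separates the two: which domains already have a cached SID, which domain has no trust account password, what role the server believes it has, and which authentications failed with which NT status. The header layout `[timestamp, level] file:function(line)` followed by indented message lines, and the message strings matched by the regular expressions, are taken as they appear in the post; nothing else about Samba's log format is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the smbd debug log quoted in the post above, with the
# mail client's 80-column wrapping undone so each message is on one line.
SAMPLE_LOG = """\
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
  trustdom_store: storing SID S-1-5-21-73586283-436374069-725345543 of domain WINPROD
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
  Adding cache entry with key = TDOM/WINPROD; value = S-1-5-21-73586283-436374069-725345543 and timeout = Thu Jan 19 18:58:35 2006
   (600 seconds ahead)
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
  trustdom_store: storing SID S-1-5-21-968365403-1350775402-1971066577 of domain VTIDEV.CA
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/CORP couldn't be found
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain CORP found.
[2006/01/19 18:48:36, 6] auth/auth_sam.c:check_samstrict_security(379)
  check_samstrict_security: CORP is not one of my local names (ROLE_DOMAIN_MEMBER)
[2006/01/19 18:48:36, 5] passdb/secrets.c:secrets_fetch_trust_account_password(288)
  secrets_fetch failed!
[2006/01/19 18:48:36, 0] auth/auth_domain.c:check_ntdomain_security(284)
  check_ntdomain_security: could not fetch trust account password for domain 'CORP'
[2006/01/19 18:48:36, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [dkarnows] -> [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
"""

# Record header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)$")
# Message patterns, copied from the strings seen in the quoted log.
SID_STORE_RE = re.compile(r"storing SID (S-[\d-]+) of domain (\S+)")
NO_TRUST_RE = re.compile(r"no entry for trusted domain (\S+) found")
NOT_LOCAL_RE = re.compile(r"(\S+) is not one of my local names \((\w+)\)")
NO_MACHINE_RE = re.compile(r"could not fetch trust account password for domain '([^']+)'")
AUTH_FAIL_RE = re.compile(
    r"Authentication for user \[([^\]]+)\] -> \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")


@dataclass
class Record:
    timestamp: str
    level: int
    location: str   # file.c:function(line)
    message: str


def parse_samba_log(text):
    """Group a debug log into records: one header line plus the indented
    (or mail-wrapped) message lines that follow it, joined with spaces."""
    records = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current is not None:
                records.append(current)
            current = Record(m.group(1), int(m.group(2)), m.group(3), "")
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    if current is not None:
        records.append(current)
    return records


def diagnose(text):
    """Extract the facts that decide whether a join is missing."""
    result = {"discovered": {}, "no_trust_cache": [], "no_machine_account": [],
              "role": None, "failed_auth": []}
    for rec in parse_samba_log(text):
        msg = rec.message
        if (m := SID_STORE_RE.search(msg)):
            result["discovered"][m.group(2)] = m.group(1)      # domain -> SID
        elif (m := NO_TRUST_RE.search(msg)):
            result["no_trust_cache"].append(m.group(1))
        elif (m := NOT_LOCAL_RE.search(msg)):
            result["role"] = m.group(2)                        # e.g. ROLE_DOMAIN_MEMBER
        elif (m := NO_MACHINE_RE.search(msg)):
            result["no_machine_account"].append(m.group(1))
        elif (m := AUTH_FAIL_RE.search(msg)):
            result["failed_auth"].append((m.group(1), m.group(3)))  # (user, NT status)
    return result


def explain(result):
    """Render the diagnosis: cached trusted-domain SIDs are not the same as
    holding a machine trust account for the domain users log in to."""
    lines = []
    for dom, sid in sorted(result["discovered"].items()):
        lines.append(f"{dom}: trusted-domain SID {sid} is cached")
    for dom in result["no_machine_account"]:
        lines.append(f"{dom}: no machine trust account password in private/secrets.tdb, "
                     f"so this server (role {result['role'] or 'unknown'}) has not joined {dom}")
    for user, status in result["failed_auth"]:
        lines.append(f"user {user}: authentication failed with {status}")
    return lines


if __name__ == "__main__":
    for line in explain(diagnose(SAMPLE_LOG)):
        print(line)
```

Run it against a full-length debug log (e.g. `log.smbd` at log level 10) and the explain output points straight at the domain whose trust account is missing, which is the condition the "net join" fixes; the cached SIDs for WINPROD and VTIDEV.CA show that discovering a domain's SID alone does not let smbd pass that domain's passwords to a DC.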

